PHP file contains vulnerabilities attack combat ____php

Source: Internet
Author: User
Tags nginx server
Absrtact: In this paper, the formation of PHP file contains loopholes, the use of skills and prevention of a detailed analysis, and through a real case demonstrates how to use the PHP file contains vulnerabilities to the target site penetration test, and finally successful access to the site Webshell.

In this paper, the formation of PHP file contains loopholes, the use of skills and prevention of a detailed analysis, and through a real case demonstrates how to use PHP file contains vulnerabilities to the target site penetration test, and finally successfully obtained the Webshell of the site.

PHP is a very popular web development language, and many Web applications on the Internet are developed using PHP. In the use of PHP development of Web applications, PHP file contains vulnerabilities is a common vulnerability, the use of PHP files include vulnerabilities intrusion site is also the mainstream of a means of attack.

PHP file contains vulnerability introduction

First, let's describe what a file contains a vulnerability. Strictly speaking, file containment is a "code injection", the principle of which is to inject a user can control the script or code, and let the server execution. "Code injection" is a typical representative of file contains, file contains vulnerabilities may appear in JSP, PHP, ASP and other languages, the principle is the same, this article only describes the PHP file contains vulnerabilities.

The following two conditions are required to successfully exploit a file to include a vulnerability:

Web applications use include () files including functions to introduce files that need to be included through dynamic variables

The user can control the dynamic variable

In PHP, there are four functions for containing files, and the PHP code contained in the file is executed when you use these functions to include files. The differences between them are explained below:

Include (): When you use this function to include a file, the file is included only when the code executes to the include () function, and only one warning is given when an error occurs, and the execution continues downward.

Include_once (): Features are the same as include (), except that when the same file is called repeatedly, the program is called only once.

Require (): 1.require () differs from include () in require () execution if an error occurs, the function outputs an error message and terminates the script's operation. 2. When you use the Require () function to include a file, the file is called as soon as the program executes, and the include () is invoked only when the program executes to the function.

Require_once (): It has the same functionality as require (), except that when the same file is called repeatedly, the program is invoked only once.

Now let's look at a simple file containing code, as shown in Figure 1 below.

Figure 1

You can see from the above code that after you get the value of the variable $filename, you take it directly into the include () function without any processing. There is a file containing vulnerability that allows us to view arbitrary files in the system.

Now let's actually test it. First upload the PHP page to the Web server, first let it contain a normal TXT file, the results of the operation as shown in Figure 2.

Figure 2

We then insert the PHP code into the TXT text to see what the results are. Here, insert the code shown in Figure 3 below.

Figure 3

Again, the results are shown in Figure 4 below.

Figure 4

We can see from the diagram above that the PHP code in the text has been executed successfully.

With this vulnerability, we can look at any file in the system, such as the frequently used "/etc/passwd" file, as shown in Figure 5.

Figure 5

The PHP file contains vulnerabilities that are divided into local file inclusion vulnerabilities (LFI) and remote file inclusion vulnerabilities (RFI) that can open and contain local file vulnerabilities, known as local file inclusion vulnerabilities. With a local file containing vulnerabilities, you can view the contents of any file on your system, or you can execute commands if you have some conditions. This is described in detail in the following vulnerability utilization Tips section.

If PHP.ini's configuration options Allow_url_fopen and Allow_url_include are on, the file-containing function can load remote files, a vulnerability known as a remote file-containing vulnerability. Using remote files to contain vulnerabilities, you can execute arbitrary commands directly. During the actual infiltration attack, an attacker could put an executable malicious file on his Web server and load the file with a remote file containing a vulnerability in the target Web site, thereby enabling the execution of arbitrary commands.

file contains vulnerabilities exploit tips

Remote files contain vulnerabilities that can execute commands because an attacker can customize the contents of the included file. Therefore, a local file contains a vulnerability to execute a command, you also need to find a local file where an attacker can control the content.

There are several common techniques currently available:

Contains files uploaded by the user. This is a good understanding, but also the simplest way. If the user uploads the contents of the file contains PHP code, then the code is loaded by the file contains function will be executed. However, the success of the attack depends on the design of the upload function, such as the need to know the physical path to upload files, but also need to upload files have Execute permissions.

Contains pseudo protocols such as data://or Php://input. This requires target server support and requires Allow_url_fopen to be set to on. The data: Pseudo protocol is supported in later versions of PHP5.2.0, and code can be easily executed.

Contains the session file. This part requires the attacker to be able to control the contents of part of the session file, PHP default generated session files are generally stored in the/tmp directory.

Contains log files. such as Web server access log files, this is a common technique. Because almost all Web sites record the user's access to the access log. As a result, an attacker could insert PHP code into the Web log to execute the PHP code contained in the Web log through a file-containing vulnerability, which was used to successfully obtain the Webshell of the target site. However, it is important to note that if the Web site is large, the log file can be very large, and if you include such a large file, the PHP process may be stuck to death. Regular web sites usually generate a new log file on a daily basis, so it is relatively easy to successfully attack early in the morning.

Contains/proc/self/environ files. This is also a common technique because it does not need to guess the path of the included file at all, and the user can control its contents, and it is common practice to inject PHP code into the user-agent to complete the attack.

using PHP file contains vulnerabilities to infiltrate a website case

Above we described in detail the PHP file contains the formation and testing of vulnerabilities, below we have a real case to explain how to use the PHP file contains vulnerabilities to the target site penetration attacks.

Target website: A business system of China Telecom

Objective: To obtain the Webshell of the target website

Detailed infiltration process is as follows:

1. Discovery of Vulnerabilities

Let's start by opening a URL for the target site, as follows:


Note that the index.php call file contains functions to contain the files in the site directory and to be displayed to the user via this URL, following the path=. But at this point we are not sure that this URL exists with a file containing vulnerability. Let's manually test for the existence of a file containing vulnerability. Because the site has a phpinfo.php test page, we can use this page to get a lot of useful information on the target site, do not have to do a fuzzy test to get to the absolute path of the web directory, so here you can directly construct the path to a known file, let it include, to quickly confirm the existence of a file

We confirm that the above URL contains a vulnerability by including a known file "/etc/passwd" file.

Figure 6

By using the results returned above to determine that the site has a file containing vulnerabilities, let's demonstrate how to use the vulnerability for penetration testing.

2. Vulnerability Utilization

Through the above test, we can determine that the site has a file containing vulnerabilities. So then the question comes, how can we use this loophole to achieve our goal? One of the ideas is to insert the backdoor code into the Web log file of the Web site, and use the file contained in the target site to include the log file, then the backdoor code in the Web log will be executed as PHP code, so we can get a webshell for subsequent attacks. But there is a problem, we need to know the path of the Web log storage, otherwise we can not achieve the goal. Typically, the Web log storage path is specified through the Web server's configuration file, and the information obtained above can be used to determine that the target site is using a nginx server. So we can get to the Web log storage path first by including the Web server configuration file (nigix.conf), as shown in Figure 7 below.

Figure 7

3. Get Webshell

Above we get the existence path of the Web Access log through the Web server configuration file (nginx.conf) (/opt/nginx/logs/ Access.log), but because the log file of the site is very large, then access to the Webshell program will be jammed, so we choose to attack in the wee hours. Because the average site is to generate a daily access log files, in the early hours of the small log file, easy to succeed. Figure 8 below shows the following insert backdoor code into the Web Access log.

Figure 8

In the end, we succeeded in capturing the Webshell of the target site, as shown in Figure 9.

Figure 9

PHP file contains vulnerability prevention

This section mainly from the code layer and Web server Security Configuration Two aspects to explain the PHP file contains vulnerabilities to prevent. First of all, from the code layer, in the development process should try to avoid dynamic variables, especially the user can control variables. One insurance approach is to use the "whitelist" method to list the files that are allowed to be included, allowing only files in whitelist to be included, so that you can avoid the risks contained in any file by referring to the code implementation shown in Figure 10 below.

Figure 10

It is also a practice to define some special characters in the file that are included in the exploit process in the blacklist and filter incoming parameters, but this can sometimes lead to an experienced attacker bypassing the filter.

In the context of Web server security configuration, you can limit the files that are allowed to be included in a specific directory by setting the value of the Open_basedir in the php.ini, which effectively avoids attacks using file-containing vulnerabilities. Note that the value of the open_basedir is the prefix of the directory, so assume the following value: Open_basedir=/var/www/test, so the list below is actually within the allowable range.




If you want to qualify a specified directory, you need to add "/" at the end, which requires special attention.


If you have more than one directory, separate the directories in Windows with semicolons and separate them with a colon under Linux.


Above we through the text and code of PHP file contains the formation of loopholes, the use of skills and prevention have done a detailed analysis, and combined with a real case to explain how to use the PHP file contains vulnerabilities to the target site penetration test, and finally get a webshell permission. Through these content, I believe that readers have a deep understanding of the PHP file contains vulnerabilities. In fact, as long as you understand the principle of the loophole, a deep understanding of the vulnerability, coupled with security awareness, thoroughly solve the PHP file contains loopholes is not a difficult thing.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.