PHP is a very popular web development language, and many web applications on the Internet are written in it. In PHP applications, file inclusion is a common vulnerability, and exploiting it to compromise a site is one of the mainstream attack methods. This article analyses in detail how PHP file inclusion vulnerabilities arise, how they are exploited, and how they are defended against, and walks through a real case in which a file inclusion vulnerability is used to penetration-test a target website and ultimately obtain a webshell.
1. PHP file inclusion vulnerability overview
First, let us describe what a file inclusion vulnerability is. Strictly speaking, file inclusion is a form of "code injection": the principle is to inject a script or piece of code that the user can control and have the server execute it. File inclusion is the typical representative of code injection. File inclusion vulnerabilities can appear in JSP, PHP, ASP and other languages; the principle is the same in each, and this article only describes the PHP case.
The following two conditions must hold for a file inclusion vulnerability to be exploitable:
1.1 The web application uses a file inclusion function such as include() and supplies the file to be included through a dynamic variable;
1.2 The user can control that dynamic variable.
PHP has four functions for including files, and any PHP code in the included file is executed when these functions are used. The differences between them are explained below:
include(): the file is included only when execution reaches the include() call; if an error occurs, only a warning is emitted and execution continues.
include_once(): same functionality as include(), except that when the same file is included repeatedly it is only loaded once.
require(): 1. require() differs from include() in that if an error occurs, require() outputs an error message and terminates the script. 2. When require() is used to include a file, the file is loaded as soon as the program runs, whereas include() only loads it when execution reaches the call.
require_once(): same functionality as require(), except that when the same file is included repeatedly it is only loaded once.
Now look at a simple piece of file inclusion code, as shown in the figure:
As the code shows, the value of the variable $filename is passed straight into include() without any processing. This is a file inclusion vulnerability, through which we can view any file on the system.
Let us test this in practice. First upload the PHP page to the web server and have it include an ordinary TXT file; the result is shown in the figure:
Then insert PHP code into the TXT file and see what happens. Here we insert the following code:
Running it again gives the following result:
We can see that the PHP code in the text file has been executed successfully.
With this vulnerability we can read any file on the system, such as the frequently used "/etc/passwd".
PHP file inclusion vulnerabilities are classified as local file inclusion (LFI) and remote file inclusion (RFI). When the inclusion function can open and include a local file, this is a local file inclusion vulnerability. A local file inclusion vulnerability allows the contents of arbitrary files on the system to be read, and under certain conditions commands can be executed as well. This is described in detail in the exploitation techniques section below.
If the php.ini options allow_url_fopen and allow_url_include are both On, the inclusion functions can load remote files; this is known as a remote file inclusion vulnerability. A remote file inclusion vulnerability can be used to execute arbitrary commands directly. In a real attack, an attacker places an executable malicious file on their own web server and loads it through the remote file inclusion vulnerability on the target site, achieving arbitrary command execution.
2. File inclusion exploitation techniques
A remote file inclusion vulnerability can execute commands because the attacker fully controls the content of the included file. For a local file inclusion vulnerability to execute commands, there must likewise be a local file whose content the attacker can control.
The main techniques in common use are:
2.1 Including user-uploaded files
This is easy to understand and also the simplest method. If a user-uploaded file contains PHP code, that code is executed when the file is loaded by the inclusion function. Whether the attack succeeds, however, depends on the design of the upload function: the attacker needs to know the physical path of the uploaded file, and the uploaded file also needs execute permission.
2.2 Including pseudo-protocols such as data:// or php://input
This requires support on the target server, and allow_url_fopen must be set to On. The data: pseudo-protocol is supported from PHP 5.2.0 onwards and makes code execution easy.
2.3 Including session files
This requires the attacker to be able to control the contents of some session file. The session files PHP generates by default are usually stored in the /tmp directory.
2.4 Including log files
Including the web server's access log is a common technique, because almost every website records user requests in an access log. An attacker can therefore insert PHP code into the web log and, through the file inclusion vulnerability, have the PHP code contained in the log executed. The case below uses this technique to obtain a webshell on the target site. Note, however, that on a large site the log file can be very large, and including a huge file may leave the PHP process stuck. Sites usually start a new log file every day, so the attack is more likely to succeed in the early hours of the morning.
2.5 Including the /proc/self/environ file
This is also a common technique, because there is no need to guess the path of the included file at all and the user can control its content. The usual practice is to inject PHP code through the User-Agent header.
3. Case study: penetrating a website through a PHP file inclusion vulnerability
Above we introduced in detail how PHP file inclusion vulnerabilities arise and how to test for them. Below, a real case explains how a file inclusion vulnerability on a target site is used to penetrate it.
Target website: a business system of China Telecom
Objective: obtain a webshell on the target website
Detailed penetration process:
3.1 Finding the vulnerability
We start by opening a URL on the target site, as shown below:
Note the value after path= in the URL: index.php evidently calls a file inclusion function to include files under the site directory and present them to the user. We cannot yet be sure that this URL has a file inclusion vulnerability, so let us test it manually. Because the site exposes a phpinfo.php test page, we can obtain a great deal of useful information about the target, including the absolute path of the web directory, without any fuzzing. We can therefore construct the path of a known file directly, have it included, and quickly confirm whether a file inclusion vulnerability exists.
Let us verify that the URL above has a file inclusion vulnerability by including the known file "/etc/passwd".
Based on the result returned above, we can determine that the site has a file inclusion vulnerability. Below we demonstrate how to exploit it for penetration testing.
The test above confirms that the site has a file inclusion vulnerability. The question then is how to use this hole to reach our goal. One idea is to insert backdoor code into the site's web log file and use the file inclusion vulnerability to include that log file; the backdoor code in the log is then executed as PHP code, giving us a webshell for subsequent attacks. The problem we face is that we need to know where the web log is stored, otherwise the goal cannot be achieved. The web log path is usually specified in the web server's configuration file. From the information obtained above we can determine that the target runs Nginx, so we can first obtain the web log path by including the web server configuration file (nginx.conf). The exact operation is as follows:
3.3 Obtaining the webshell
Above, we obtained the path of the web access log (/opt/nginx/logs/access.log) from the web server configuration file (nginx.conf). Because the site's log file is very large, however, the webshell program would hang when accessed, so we chose to attack again in the early hours of the morning: the site generates a new access log every day, and in the early hours the log is still small, which makes success easier. The following shows the backdoor code being inserted into the web access log:
In the end, we successfully obtained a webshell on the target website.
4. Preventing PHP file inclusion vulnerabilities
This section explains the prevention of PHP file inclusion vulnerabilities from two angles: the code layer and the web server's security configuration. At the code layer, dynamic variables, especially user-controllable ones, should be avoided in inclusion calls as far as possible during development. A safe approach is a "whitelist": list the allowed files explicitly and include only those on the list, which eliminates the risk of arbitrary file inclusion. Refer to the following code implementation:
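One way to implement that whitelist, as an added example rather than the article's own code (the pages/ directory and the page names are assumptions):

```php
<?php
// Added example, not the article's own code: a whitelist-based page include.
// Assumes the page files live in a pages/ directory next to this script
// (the directory name and the page names are assumptions for the example).
declare(strict_types=1);

// Vulnerable pattern from the article, shown for comparison (do not use):
//   $filename = $_GET['filename'];
//   include($filename);

const PAGE_DIR = __DIR__ . '/pages';

// Every value the request may select is listed explicitly; anything else is rejected.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page key to an absolute file path, or return null.
 * The user value is only ever used as an array key, never as part of a path.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside PAGE_DIR,
    // so a careless edit of the whitelist still cannot reach outside it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['path'] ?? 'home';
$page = is_string($requested) ? resolve_page($requested) : null;
if ($page === null) {
    // Reject rather than fall back to including whatever was requested.
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```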
Another approach is a blacklist: define the special characters used during exploitation of file inclusion and filter them out of the incoming parameter. Because such filtering is often incomplete, however, experienced attackers can sometimes bypass it.
On the web server configuration side, setting open_basedir in php.ini restricts file inclusion to specific directories, which effectively prevents attacks that exploit file inclusion vulnerabilities. Note that the value of open_basedir is treated as a directory prefix: if open_basedir=/var/www/test is set, then every path beginning with that prefix is allowed, not only /var/www/test itself.
If you want to restrict access to exactly the specified directory, you must add "/" at the end; this needs special attention.
If there are several directories, separate them with semicolons on Windows and with colons on Linux.
Above, through text and code, we have analysed in detail how PHP file inclusion vulnerabilities arise, how they are exploited and how they are prevented, and used a real case to explain how a file inclusion vulnerability is used to penetration-test a target site and finally obtain webshell access. With this material, the reader should have a thorough understanding of PHP file inclusion vulnerabilities. In fact, once the principle of the vulnerability is understood in depth and combined with security awareness, completely eliminating PHP file inclusion vulnerabilities is not difficult.