PHP common vulnerabilities: the common include vulnerabilities are LFI and RFI, that is, local file inclusion and remote file inclusion.
LFI
For LFI, many applications force the suffix to be .php, as in include($a . '.php').
So if we want to include our image file, we need to truncate the .php:
- 00 truncation: requires GPC off and PHP < 5.3.4.
- Truncation of long file names. I rarely succeeded in this case.
- Truncation caused by character-set conversion. This one cannot be used.
Some CMSes also restrict the suffix to .php, for example with the following simple code:
    $include_file = $_GET['include_file'];
    if ( isset( $include_file ) && strtolower( substr( $include_file, -4 ) ) == ".php" ) {
        require( $include_file );
    }
It takes the last four characters and checks whether they are ".php"; if they are, the file is included. Here we can use the zip:// (or phar://) wrapper (this trick also comes from laterain, haha).
First, create a new file 1.php containing a phpinfo() call.
Then compress the file into a .zip archive and rename the archive to yu.jpg.
Upload the .jpg file and then include it:
If an LFI offers no place to upload an image, there are other LFI tricks that need no upload at all, such as including logs or environment variables; I will not cover them here.
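As an added example (not from the original post), a hardened replacement for the suffix check shown above: the requested page is matched against a fixed allow-list and resolved with realpath() inside one base directory, so neither a .php suffix trick nor a zip:// or phar:// wrapper ever reaches require(). The pages directory and the page names are assumptions for the example.

```php
<?php
// Hardened include: allow-list plus canonical path check (example code, not the original post's).
// Assumed layout: includable pages live under INCLUDE_BASE (hypothetical path).
define('INCLUDE_BASE', __DIR__ . '/pages');

// Allow-list of page names; the request must match a key exactly.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_include(string $page): ?string
{
    // 1. Reject anything but a plain identifier: this rules out "../", "%00",
    //    a trailing ".php" and every scheme prefix such as zip://, phar:// or php://.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $page)) {
        return null;
    }

    // 2. Only a known key may be used; the user never supplies a path or suffix.
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    $candidate = INCLUDE_BASE . '/' . ALLOWED_PAGES[$page];

    // 3. realpath() canonicalises symlinks and returns false if the file does
    //    not exist; the result must still sit inside INCLUDE_BASE.
    $real = realpath($candidate);
    $base = realpath(INCLUDE_BASE);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Usage in place of the vulnerable snippet.
$page = $_GET['include_file'] ?? 'home';
$path = is_string($page) ? resolve_include($page) : null;
if ($path === null) {
    http_response_code(400);
    exit('Unknown page');
}
require $path;
```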
RFI
Next, let's talk about RFI.
If RFI is available it is the most convenient: include remote files, php://input, and various pseudo-protocol wrappers.
However, as everyone knows, the biggest limitation on RFI is that it requires allow_url_include to be On, and that either no path is defined before the variable or what is defined there is a constant.
allow_url_include is Off by default, so whether it is allow_url_include On, "no path before the variable", or "a constant", RFI is hard to come by.
Here we introduce a technique that still achieves RFI with allow_url_include Off, although the success rate is not high.
First, let's take a look at allow_url_include in php.ini:
    ; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
    allow_url_include = Off
In other words, it controls whether URLs such as http:// and ftp:// may be opened; when Off, including such a protocol is certainly not allowed.
Let's test it first:
First, with allow_url_include and allow_url_fopen both On:
RFI succeeds.
Then with allow_url_include On and allow_url_fopen Off:
Directly including the remote file gives an error. Now we try the pseudo-protocol wrapper:
RFI succeeds again.
With allow_url_include and allow_url_fopen both Off:
The pseudo-protocol wrapper fails.
File inclusion methods:
The error says "URL file-access is disabled in the server configuration", which means it cannot be included.
However, many will remember that long ago, when a Xingwai (星外) host had no executable directory, people would remotely call cmd to continue privilege escalation:
a shared file was used and then executed on the Xingwai host.
Let's try that here as well:
The shared file is included! Only local tests were performed here, not remote ones, and port 445 may not get through.
Reprinted from: http://drops.wooyun.org/papers/4544, with some simple reorganization and modification.