PHP common vulnerabilities: Common include vulnerabilities

Source: Internet
Author: User
PHP common vulnerabilities: Common include vulnerabilities include LFI and RFI, that is, local file transfer Sion and remote file transfer Sion.

LFI

For LFI, many of them limit that the suffix must end with. php and Include ($ a. '. php.

So if we want to include our pictures, we need to cut off the. php

  1. 00 truncation. Gpc off & php required <5.3.4

  2. Truncation of long file names. I rarely succeeded in this case.

  3. Truncation caused by conversion character set. This pair cannot be used.

There are also some cms restrictions that the suffix must be. php. for example, the following simple code

$include_file=$_GET[include_file];if ( isset( $include_file ) && strtolower( substr( $include_file, -4 ) ) == ".php" )        {                    require( $include_file );        }

After the four characters are intercepted, the system determines whether it is ". php". if it is ". php", it is included. Here we can use the zip (or phar) protocol (of course, this is also for laterain, haha ).

First, create a new 1.php file, and write a phpinfo file in it,

After that, compress the file into a. zip file and change the zip file name to yu.jpg.

Upload the .jpg file and then include:

If some LFI cannot find a place to upload images, there are also some tips about LFI which may not upload images, including logs and environment variables, I will not talk about it here.

RFI

Next, let's talk about RFI.

If RFI is available, it is the most convenient. Contains remote files, php: // input data, and various pseudo protocols.

However, we all know that the maximum limit for RFI is that allow_url_include on is required and "paths not defined before variables" or "constants" are defined ".

Allow_url_include is off by default. therefore, whether it is allow_url_include on, "no path before the variable", or "constant", it is hard to hurt RFI.

Here we will introduce a technique that can also be rfi when allow_url_include off, but the success rate is not too high.

First, let's take a look at allow_url_include in php. ini:

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.allow_url_include = Off

The translation is to allow URLs, such as http: // and ftp. When off, it is definitely not allowed to include such a protocol.

Here we will test it first:

     

First, when allow_url_include & allow_url_fopen is on

RFI is successful.

Then allow_url_include is on and allow_url_fopen is off.

An error occurred while directly including the remote file. At this time, we will try the pseudo protocol.

Rfi is successful again.

When allow_url_include & allow_url_fopen is off.

The pseudo protocol fails.

File inclusion methods:

URL file-access is disabled in the server configuration, which means it cannot be included.

However, many people may remember that when there was no executable directory outside of the star long ago, they used to remotely call cmd to continue elevation of permission.

The shared file is used and then executed on the off-Star host.

Here we will also try:

Shared file included! Only local tests are performed here, but remote tests are not performed. However, 445 may fail.

Reprinted from: http://drops.wooyun.org/papers/4544, on the basis of a simple arrangement and modification.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.