"Reprinted" PHP local file inclusion and remote file Inclusion vulnerability

Source: Internet
Author: User

Remote File Inclusion (RFI) and its counterpart, Local File Inclusion (LFI), both arise through PHP's include functions: require(), require_once(), include() and include_once().

In general, using an include to pull a function or class with specific functionality into the current script is not a problem. Sometimes, however, files are included dynamically for convenience, and that leaves an opening for attack.

Typically, an LFI attack is not a big threat, because the files on the local server are relatively fixed and it is not easy for an attacker to upload files containing attack code. RFI attacks are what we need to guard against. So how is an RFI attack carried out?

First, provide a code example (index.php) that has an RFI vulnerability:

    <?php
    // code fragment with RFI vulnerability
    $file = $_GET['file'];
    include $file;
    ?>

  

The script uses the GET method to include a file dynamically. For example, if include.php exists in the same directory as index.php, we can request a URL such as "127.0.0.1/lab/index.php?file=include.php" to include include.php; the server then parses the include.php script and passes the resulting HTML to the browser.

So far there is no security problem, because only local files are included. With a remote file the problem appears, because the attacker can write whatever code they like into the remote file.

Note that an RFI attack requires three conditions to hold at the same time on the attacked machine:

    1. allow_url_fopen = On (default On)
    2. allow_url_include = On (default Off)
    3. No directory restriction is placed in front of the included variable

Meeting these three conditions at the same time is tantamount to opening the door for an attacker. To make this clear, an example of an RFI attack is given below. (Note: an environment with an RFI vulnerability is built locally, and the local host is attacked by including a file from a remote host.)

Step one: Edit the php.ini file, turn on "allow_url_fopen" and "allow_url_include", and restart Apache.

Step two: Create a script file that has an RFI vulnerability, such as index.php above.

Step three: Create a text file with attack code, hack.txt, on the remote host (just a test). Note that this file must not be one that the remote server parses, such as a PHP script file. Because this is only a demo, getting a text file executed is enough for the demonstration. The contents of the hack.txt file are as follows:

    Hahaha,you is hacked. <?php echo $_GET['a']; ?>

  

Place the text file in the root directory of a host you have login permissions on, so that it is reachable on the Internet at http://yourhost/hack.txt.

Step four: Pass the URL of the attack file to the include to carry out the attack:

As you can see, the text file is executed. Next, we use the PHP code, which:

As you can see, the PHP code in the text file has been executed successfully. This is only a demonstration, but it is enough to illustrate the RFI attack process. If an attacker puts system commands in the file, the consequences will be disastrous.

As mentioned above, the attack file cannot be a PHP file, so some experienced developers will consider hard-coding the extension of the included file, such as:

    <?php
    // code fragment with RFI vulnerability
    $file = $_GET['file'];
    include $file . '.php';
    ?>

With this in place, trying to include the remote file by the method above makes PHP warn that the included file cannot be found, which avoids the attack.

This approach does help, but it is not an obstacle for experienced attackers. The PHP engine is implemented in C, where the null character is the string terminator, so a NULL character can be used to truncate the extension and carry out an RFI attack.

Once the principle of the RFI attack is understood, the defense is simple. At the configuration level, keep PHP's default setting with "allow_url_include" off. At the code level, if you must include files dynamically, it is best to specify explicitly which files may be included and check the request against that whitelist. You can also add a directory restriction in the include call.
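
The three defenses just described, combined in a hardened replacement for index.php. This is an added example, not code from the original article; the `pages` directory, the `ALLOWED_PAGES` map and the `resolve_page()` helper are assumptions made for illustration.

```php
<?php
// Added example: whitelist + directory restriction + configuration check.
// PAGES_DIR and the entries of ALLOWED_PAGES are hypothetical.
const PAGES_DIR = __DIR__ . '/pages';

// Explicit whitelist: request key => file on disk. User input only selects
// an entry from this map; it is never concatenated into a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'include' => 'include.php',
];

function resolve_page(string $requested): ?string
{
    // Exact-match lookup: a URL ("http://..."), a traversal ("../") or a
    // value carrying a NUL byte is simply not a key, so it is rejected.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    // Directory restriction: the resolved path must stay inside PAGES_DIR,
    // even if a whitelisted file is later replaced by a symlink.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Configuration check: refuse to serve if remote includes were re-enabled.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$requested = $_GET['file'] ?? '';
$file = is_string($requested) ? resolve_page($requested) : null;
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

With this script, "index.php?file=include" loads pages/include.php, while "index.php?file=http://yourhost/hack.txt" returns 404 without any include being attempted.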