A brief look at common PHP vulnerabilities, part 2: common file inclusion vulnerabilities (Vulnerability Alert, 黑吧安全网)

2016-06-22T00:00:00
ID MYHACK58:62201676164
Type myhack58
Reporter 雷鬼
Modified 2016-06-22T00:00:00

Description

File inclusion vulnerabilities are generally divided into LFI and RFI, i.e. local file inclusion and remote file inclusion.

LFI

For LFI, many targets restrict the included filename so that it must end in .php, as in include($a.'.php'). So if we want to include our uploaded image webshell, we need to truncate that trailing .php. The usual options:

  1. %00 (null byte) truncation. Requires gpc (magic_quotes_gpc) off and PHP < 5.3.4.

  2. Long file name truncation. Anyway, I have had little success with this one.

  3. Truncation caused by character-set conversion. This basically does not work for inclusion.

There are also some CMSs that restrict the included suffix to .php, for example the following simple code:

<?php
// Deliberately weak check from the post: only the last four characters are inspected
$include_file = $_GET['include_file'];
if ( isset( $include_file ) && strtolower( substr( $include_file, -4 ) ) == ".php" ) {
    require( $include_file );
}

It takes the last 4 characters of the passed-in value and tests whether they are ".php"; only if they are is the file included. Here the zip:// (or phar://) wrapper can be used. (Of course, I also learned this later from laterain, ha ha.)

First create a 1.php that contains just a phpinfo() call, compress it into a .zip, and rename the zip to yu.jpg. Then upload this .jpg and include it: (screenshot: 1.png)
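As an added example (not code from the original post), here is the post's suffix check beside a hardened resolver that only accepts a page name and confines include() to a fixed directory; the temporary template directory, the page names and the UNC host are constructed placeholders.

```php
<?php
// Added example, not code from the original post. Shows why a trailing-suffix
// check is insufficient and one way to confine include() to a trusted directory.
declare(strict_types=1);

// The post's check: only the last four characters are inspected, so any wrapper,
// UNC path or traversal that happens to end in ".php" passes.
function weak_suffix_check(string $file): bool {
    return strtolower(substr($file, -4)) === '.php';
}

// Hardened resolver: maps a page *name* (not a path) to a file inside $base.
// Returns the absolute path to include, or null to refuse.
function resolve_include(string $base, string $name): ?string {
    // A strict identifier rules out "://" wrappers, "..", NUL bytes and backslashes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $root = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() is false for missing files; the prefix test confines symlinks
    // and any other surprise to the template directory.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary template directory with a single page.
$tpl = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($tpl);
file_put_contents($tpl . '/home.php', "<?php echo 'home';");

// Inputs in the spirit of the post (SHARE_HOST is a placeholder, not a real host).
$inputs = ['home', '../../../etc/passwd', "home\0", '\\\\SHARE_HOST\\share\\x', 'php://input'];
foreach ($inputs as $n) {
    $resolved = resolve_include($tpl, $n);
    printf("%-28s weak=%-6s hardened=%s\n", addcslashes($n, "\0"),
        weak_suffix_check($n . '.php') ? 'pass' : 'reject',
        $resolved === null ? 'reject' : 'include ' . basename($resolved));
    if ($resolved !== null) { include $resolved; echo "\n"; }
}
unlink($tpl . '/home.php');
rmdir($tpl);
```

Only the plain name "home" is resolved; the traversal, NUL-byte and UNC inputs all pass the weak check once ".php" is appended but are refused by the resolver.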

For LFI cases where you cannot find where uploaded images end up, plenty of experts have written about LFI tricks that need no image upload: including various log files, environment variables and so on. I will not go into them here.

RFI

Next, RFI.

RFI is the most convenient case: include a remote file, or use php://input and the various other pseudo-protocols (stream wrappers).

But as everyone also knows, RFI's biggest constraints are that allow_url_include must be On and that the included variable must not have a path or a constant prepended. Since allow_url_include is Off by default, needing allow_url_include On together with "no path before the variable" or "no constant" is the fatal weakness of RFI.

Here is a trick that can still achieve RFI with allow_url_include Off, although its success rate is not high either.

First, look at allow_url_include in php.ini:

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off

Translated: whether to allow including URLs, i.e. protocols such as http:// and ftp://. When it is Off, including such protocols is naturally not permitted.

Now let's test it with this script:

<?php include($_GET['yu']); // deliberately unfiltered include used for the test

First, with allow_url_include and allow_url_fopen both On: (screenshot: 2.png)

RFI succeeds.

Then with allow_url_include On and allow_url_fopen Off: (screenshot: 1 1.png)

Including the remote file directly fails. This time we try a pseudo-protocol: (screenshot: 2 2.png)

RFI succeeds again.

With allow_url_include and allow_url_fopen both Off: (screenshot: 3 3.png)

The pseudo-protocol fails.

And including the file directly: (screenshot: 4 4.png)

"URL file-access is disabled in the server configuration": the message says inclusion is not allowed either.

However, many people surely remember the old trick from years ago for 星外 (Xingwai) hosts with no executable directory: call cmd remotely via a shared file to continue escalating privileges, that is, place the file on a share and then execute it on the Xingwai host. So here we try the same:

(screenshot: 6 6.png)

Including the shared file succeeds! This was only a local test; I did not specifically test it against a remote host. But because of port 445 (SMB) it will probably fail in most cases.

> Reprinted from: <http://drops.wooyun.org/papers/4544>, with simple reorganization and modification of the original.