PHP code audit and File Inclusion Vulnerability
2022-07-01 09:37:00 【The wind is everywhere】
I. Introduction to file inclusion vulnerabilities
1. What is file inclusion
When the same code appears repeatedly in different files it becomes redundant, so file inclusion functions exist to make code reuse more efficient: the part that is needed is called where it is needed, and the included file is executed as PHP code regardless of its own suffix. File inclusion is divided into local file inclusion (Local File Inclusion, LFI) and remote file inclusion (Remote File Inclusion, RFI); remote inclusion requires allow_url_include = On and allow_url_fopen = On to be set in php.ini.
2. Definition of a file inclusion vulnerability
File inclusion itself is not a vulnerability, and a file included by the program does not form a vulnerability on its own. Almost all such vulnerabilities are caused by a controllable parameter: the attacker takes advantage of the inclusion feature, combined with the application's lax control over which file is included, and ends up able to include arbitrary files. File inclusion vulnerabilities usually occur in the PHP language.
3. Functions in which file inclusion appears
include() function: include references an external file. Only when execution reaches the include statement is the external file referenced and read. If an error occurs in the referenced file, the system only gives a warning, and the rest of the PHP file continues to execute.
require() function: before the PHP file is executed, the PHP parser replaces the require statement with the entire contents of the referenced file, so that together with the code outside the require statement a new PHP file is formed, and that new file is what gets executed.
include_once() function: include_once checks whether the file has already been referenced elsewhere in the file before importing it; if it has, the file is not referenced again, so the program references it only once.
require_once() function: its function is identical to require(); the difference is that when the same file is called repeatedly, it is only included once.
II. Vulnerability example
Code audit of phpMyAdmin 4.8.1
1. First, search the whole system under audit for the include keyword; one hit takes $_REQUEST['target'] as its parameter.

2. Click into it; there are five conditions

Namely:
1、 The target parameter is not empty and not 0
2、 The target parameter must be a string
3、 The parameter does not start with index
4、 The referenced file cannot be import.php or export.php
Continue by following up the checkPageValidity() function

There are three situations in which checkPageValidity() returns true, and all of them require $page to be in the $whitelist array.

Look at the first case: if $whitelist is empty, it is reassigned.
Following up the $goto_whitelist array, we find that it is a white list, as shown in the picture below.

Look at the first place that returns true: the requirement is that the string passed in is in the array. You can pass a whitelisted file name here, but that doesn't help, since it only includes a file that already exists and achieves nothing.

Look at the second one.
mb_substr() function: intercepts a substring. Syntax: mb_substr($a, 0, 3) takes the first three characters of string $a.
mb_strpos() function: finds the position of a substring. Here the passed-in $page is first concatenated with a question mark, and the position of the question mark is found and returned; only the position of the first question mark is returned. So our input would need to contain a question mark, but passing a question mark in a PHP GET parameter causes an error, because in a URL the question mark means "pass parameters" and cannot be used as a parameter value. Continue to the next judgment.
Here we see a urldecode() function, which performs one decoding. So we simply URL-encode the ? twice: after encoding it is %253f, which after one URL decoding becomes %3f; when the code reaches this point the question mark comes out.
Pick a file from the white list, server_binlog.php, and construct the payload:
target=server_binlog.php%253f/…/1.txt
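The following is an added illustrative example; it is not phpMyAdmin's code and not from the original post. It reconstructs, from the audit notes above, the shape of a page check that cuts the value at the first question mark and URL-decodes it once before consulting the whitelist, and places a hardened check beside it so the difference is visible: the weak check validates a transformed copy of the value while the raw value is what ends up in include. The whitelist entries, the function names checkPageValidityWeak / checkPageValidityHardened / safeIncludePath and the sample inputs are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed whitelist standing in for the $goto_whitelist seen in the audit.
const PAGE_WHITELIST = ['index.php', 'server_binlog.php', 'server_status.php'];

/**
 * Weak validation, modelled on the three "return true" situations described
 * above (illustrative reconstruction, not the project's own code). Each branch
 * checks a transformed copy of $page, while the caller later includes the raw
 * $page, so passing this check does not mean the raw value is safe to include.
 */
function checkPageValidityWeak(string $page, array $whitelist = PAGE_WHITELIST): bool
{
    // 1. exact whitelist match
    if (in_array($page, $whitelist, true)) {
        return true;
    }
    // 2. cut at the first '?' (appending '?' guarantees mb_strpos finds one)
    $cut = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    if (in_array($cut, $whitelist, true)) {
        return true;
    }
    // 3. URL-decode once, then cut again. PHP has already decoded the URL once
    //    when filling $_REQUEST, so a '%253f' in the URL arrives here as '%3f'
    //    and only this extra urldecode() turns it into a real '?'.
    $decoded = urldecode($page);
    $cut = mb_substr($decoded, 0, mb_strpos($decoded . '?', '?'));
    return in_array($cut, $whitelist, true);
}

/**
 * Hardened variant: the untransformed value must match a whitelist entry
 * exactly. Anything that needs decoding or truncation to match is, by
 * definition, not a whitelisted page.
 */
function checkPageValidityHardened(string $page, array $whitelist = PAGE_WHITELIST): bool
{
    return in_array($page, $whitelist, true);
}

/**
 * The include site should also build the path from a fixed directory instead
 * of handing the request value to include directly. Returns null on rejection.
 */
function safeIncludePath(string $page, string $baseDir): ?string
{
    if (!checkPageValidityHardened($page)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $page;
}

// Constructed inputs as the application would see them after PHP's own URL
// decoding: a legitimate page, the doubly encoded question mark followed by
// another file name, and a plain non-whitelisted name.
$samples = [
    'server_binlog.php',
    'server_binlog.php%3fnotes.txt',
    'notes.txt',
];
foreach ($samples as $s) {
    printf("%-32s weak=%-6s hardened=%s\n",
        $s,
        checkPageValidityWeak($s) ? 'accept' : 'reject',
        safeIncludePath($s, __DIR__) === null ? 'reject' : 'accept');
}
```

Running it shows the second sample accepted by the weak check (its third branch decodes %3f into a question mark and cuts the string back to server_binlog.php) and rejected by the hardened one. When auditing an include site, the question to ask is therefore not only "is there a whitelist" but "is the value that passes the whitelist the same value that reaches include".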

But how do we write the webshell?
This 1.txt has to be written on the server, and phpMyAdmin here has no upload function.
Solution:
First find the storage location: select @@datadir // the data storage location; the path shown here is an absolute path

Create a new table and enter a one-liner

Find the database storage file .

Test phpinfo