File Inclusion Vulnerabilities
2022-06-29 19:58:00 【The way to remedy】
File inclusion
Developers usually put reusable functions into a single file and, when a feature is needed, pull that file in directly instead of rewriting the code. This process of loading one file from another is generally referred to as file inclusion.
Principle
A file inclusion vulnerability arises when a PHP function imports a file whose path comes from user input and has not been properly validated. The application then operates on a file the developer never intended, which can lead to disclosure of arbitrary files or even execution of injected malicious code.
File inclusion vulnerabilities are divided into local file inclusion (LFI) and remote file inclusion (RFI). Remote file inclusion requires the allow_url_include option in the PHP configuration to be enabled; once it is on, the server is allowed to include a remote file. Because PHP's include functions will load whatever file they are handed, and the source of the included file is not strictly filtered, the include can be pointed at a malicious file, and the attacker can craft that file to achieve their goal.
Conditions for remote inclusion
Two parameters in php.ini matter here: allow_url_fopen and allow_url_include.
allow_url_fopen: default ON. Allows files to be accessed through URL wrapper protocols.
allow_url_include: default OFF; must be set to On when remote inclusion is required. When off, including files through URL wrappers is not allowed.
Commonly used PHP include functions
include(): the file is included only when execution reaches the include() call; on error a warning is issued and execution continues.
include_once(): same as include(), except that when the same file is included repeatedly it is loaded only once.
require(): differs from include() in that if an error occurs, the function outputs an error message and terminates the script.
require_once(): same as require(), except that when the same file is included repeatedly it is loaded only once.
Commonly used PHP wrappers (pseudo-protocols)
file://
Accesses the local file system.
Not affected by allow_url_fopen or allow_url_include.
Wherever PHP deals with files and protocols it uses the file protocol by default; if no protocol name is written, or the protocol does not exist, the path is parsed as the file protocol.
http://, ftp://
Accesses HTTP(s) websites / FTP(s) URLs.
Requires allow_url_fopen = On and allow_url_include = On.
php://
Accesses the various input/output streams (I/O streams).
There are nine kinds: php://stdin, php://stdout, php://stderr, php://input, php://output, php://filter, php://fd, php://memory and php://temp.
php://input
A read-only stream that exposes the raw request body, i.e. the raw POST data read directly without parsing. php://input is not available when enctype="multipart/form-data" is used.
Requires allow_url_include = On; not affected by allow_url_fopen.
php://filter
Applies a filter when a data stream is opened; used to read local source code.
Not affected by allow_url_fopen or allow_url_include.
?a=php://filter/read=convert.base64-encode/resource=index.php ("read=" can be omitted) // reads the PHP file out base64-encoded; without read=convert.base64-encode the contents would be executed as PHP code instead.
zip://
Compressed stream; can access a sub-file inside an archive and have the sub-file's contents executed as PHP code.
Not affected by allow_url_fopen or allow_url_include.
The file path must be absolute; the zip file's suffix can be changed to another suffix such as an image suffix; the # separator must be URL-encoded as %23.
zlib://, bzip2://
Compressed stream; can access a sub-file inside an archive and have the sub-file's contents executed as PHP code.
Not affected by allow_url_fopen or allow_url_include.
The file path has no absolute-path restriction; zlib:// works with files compressed as zip or gz, bzip2:// with files compressed as bz2; the suffix can likewise be changed to another suffix such as an image suffix.

Exploitation methods
Including log files
Principle: the web server usually saves users' access records in its access log. By carefully constructing requests based on what the log records, PHP code can be written into the log file, and the file inclusion vulnerability is then used to execute the PHP code stored in the log.
Preconditions:
1. The physical storage path of the log is known
2. A file inclusion vulnerability exists
3. A command-line URL tool such as curl, or the Burp Suite proxy
Default log paths:
1. Apache + Linux default log paths
/etc/httpd/logs/access_log
/var/log/httpd/access_log
2. Apache + Win2003 default log paths
D:\xampp\apache\logs\access.log
D:\xampp\apache\logs\error.log
3. IIS 6.0 + Win2003 default log file
C:\WINDOWS\system32\Logfiles
4. IIS 7.0 + Win2003 default log file
%SystemDrive%\inetpub\logs\LogFiles
5. nginx log files
The log files are in the logs directory under the installation directory. Taking my installation path /usr/local/nginx as an example, my log directory is /usr/local/nginx/logs.
Web middleware default configuration files
1. Apache + Linux default configuration file
/etc/httpd/conf/httpd.conf
index.php?page=/etc/init.d/httpd
2. IIS 6.0 + Win2003 configuration file
C:/Windows/system32/inetsrv/metabase.xml
3. IIS 7.0 + Windows configuration file
C:\Windows\System32\inetsrv\config\applicationHost.config
Use curl to construct a one-liner and write a test record into the log file:
D:\curl>curl -v "http://127.0.0.1/php/1.php?page=<?php @eval($_POST[123]);?>"
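From the defender's side, an added example that is not part of the original article: a small PHP script that flags access-log lines carrying the indicators this section describes (PHP tags landing in the log, stream wrappers, traversal, %00, the log or environ paths). The log lines are constructed for the example and the pattern list is an assumption to be tuned per site.

```php
<?php
// Added example, not from the original article: flag access-log lines that
// carry the indicators this section describes. The log lines are constructed
// for the example; the pattern list is an assumption to be tuned per site.

const LFI_PATTERNS = [
    'php_tag'    => '/<\?(php|=)/i',                          // PHP code landing in the log
    'wrapper'    => '~(php|zip|zlib|bzip2|data|phar)://~i',   // stream wrapper in a parameter
    'remote_url' => '~=(https?|ftp)://~i',                    // remote inclusion attempt
    'traversal'  => '~(\.\./|\.\.\\\\|%2e%2e%2f)~i',          // ../ and its encoded form
    'null_byte'  => '/%00/',                                  // %00 truncation
    'proc_env'   => '~/proc/self/environ~i',                  // environ inclusion
    'log_file'   => '~(access|error)[._]log~i',               // inclusion of the log itself
];

// Names of every pattern that matches one log line. The whole line is checked,
// so the User-Agent field is covered as well as the request line.
function classify_log_line(string $line): array
{
    $hits = [];
    foreach (LFI_PATTERNS as $name => $re) {
        if (preg_match($re, $line) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed combined-format sample: one benign request, a traversal attempt,
// a php://filter source read, and a PHP tag carried in the User-Agent.
$sample = [
    '10.0.0.5 - - [29/Jun/2022:19:58:00 +0800] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/Jun/2022:19:58:01 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1033 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [29/Jun/2022:19:58:02 +0800] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '10.0.0.7 - - [29/Jun/2022:19:58:03 +0800] "GET /index.php?page=about HTTP/1.1" 200 400 "-" "<?php echo 1; ?>"',
];

foreach ($sample as $n => $line) {
    $hits = classify_log_line($line);
    printf("line %d: %s\n", $n + 1, $hits ? 'ALERT ' . implode(',', $hits) : 'ok');
}
```

Lines 2, 3 and 4 of the sample are reported as traversal, wrapper and php_tag respectively; line 1 is reported as ok.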
Including uploaded files
Including temporary files
When PHP handles a file upload, a temporary file is created: under Linux in the /tmp directory, under Windows in c:\windows\temp. Before the temporary file is deleted, a race condition is used to include it.
Including session files
First try to include the SESSION file; based on the file's contents, look for a controllable variable; construct a payload so that it is inserted into the file; finally, include the file.
Preconditions:
- A controllable variable in the session
- The session file can be read and written, and its storage path is known
Common session storage paths:
/var/lib/php/sess_PHPSESSID
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSID
Session file format: sess_[phpsessid], where phpsessid can be seen in the cookie field of the sent request.
Including /proc/self/environ
Principle: /proc/self/environ stores the User-Agent header. If PHP code is inserted in the User-Agent, the PHP code is written into environ; it then only needs to be included.
Preconditions:
PHP runs as CGI, so that environ keeps the UA header.
The storage location of the environ file is known, and the environ file is readable.
Commonly included sensitive files
Windows
c:\boot.ini // check the system version
c:\XX\httpd.conf // Apache configuration information
c:\windows\system32\inetsrv\MetaBase.xml // IIS configuration file
c:\windows\repair\sam // stores the Windows password from initial installation
c:\ProgramFiles\mysql\my.ini // MySQL configuration
c:\ProgramFiles\mysql\data\mysql\user.MYD // MySQL root password
c:\windows\php.ini // PHP configuration information
Linux/Unix
/etc/passwd account information
/etc/shadow account password file
/etc/httpd/conf/httpd.conf Apache configuration file
/etc/my.conf mysql configuration file
/usr/local/app/apache2/conf/httpd.conf Apache2 default configuration file
/usr/local/app/apache2/conf/extra/httpd-vhost.conf virtual host configuration
/usr/local/app/php5/lib/php.ini PHP configuration
Bypass methods
Directory traversal
Using ../../ to go back up to the parent directory is called directory traversal (Path Traversal).
Encoding bypass
The server side often filters ../; this can be bypassed with certain encodings.
%00 truncation
%00 is treated as a terminator and the data following it is ignored, so the extension is truncated. An attacker can use this to bypass extension filtering.
Conditions: magic_quotes_gpc=off, PHP<5.3.4
Path length truncation
The operating system limits the maximum path length. By supplying a path longer than the maximum, the system discards the rest of the path, truncating the extension.
Windows maximum directory path: 256B
Linux maximum directory path: 4096B
Example: filename=xiaohua.txt/./././././././././././././././././././././././././././././././././././.././
Dot truncation
Dot truncation applies to Windows: when the run of dots is longer than 256B, the extension can be truncated.
Example: ?filename=xiaohua.txt................................................................................
Unrestricted remote file inclusion
Unrestricted remote file inclusion means the included file is not on the local server but is pulled in from another server via a URL, and the malicious code in that file is executed.
Restricted remote file inclusion
Restricted remote file inclusion refers to cases where a specific prefix, or an extension filter such as .php or .html, is in place; the attacker only needs to bypass the prefix or extension filter to execute the malicious code at the remote URL.
1. Question mark bypass: append "?" to the filename
2. Hash bypass: append "%23" to the filename (# encodes as %23)
3. Space bypass: append a space to the filename (space encodes as %20)
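Putting the defensive side of the Principle section and of the bypass techniques above together, as an added example that is not part of the original article: the vulnerable index.php?page= pattern the article describes, next to a hardened version that uses an allowlist and realpath() confinement. The function names and the $pages map are assumptions for illustration.

```php
<?php
// Added example, not from the original article: the vulnerable pattern the
// article describes (index.php?page=...) next to a hardened version. The
// function names and the $pages map are assumptions for illustration.

// VULNERABLE: the request parameter goes straight to include(), so ../../,
// php://filter, zip://, %00 and remote URLs all reach the include call.
function vulnerable_include(string $page): void
{
    include $page;
}

// HARDENED: the input is only ever used as a key into a fixed allowlist, so
// traversal, wrapper, truncation and ?/%23/%20 suffix tricks never touch the
// filesystem. realpath() confinement is a second layer in case the map itself
// is later edited carelessly.
function safe_include(string $page, string $baseDir): bool
{
    $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!array_key_exists($page, $pages)) {
        return false;                            // unknown page: refuse, do not guess
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $pages[$page]);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                            // resolved file left $baseDir
    }
    include $full;
    return true;
}

// Usage: the only thing the client controls is which allowlist key is looked up.
// ?page[]=x would arrive as an array, so non-string input falls back to 'home'.
$page = is_string($_GET['page'] ?? null) ? $_GET['page'] : 'home';
if (!safe_include($page, __DIR__ . '/pages')) {
    http_response_code(404);
    echo 'Page not found';
}
```

Keeping allow_url_include=Off in php.ini (its default, as noted in the Conditions for remote inclusion section) removes the remote variant independently of the application code.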