论PHP常见漏洞第二弹:常见的包含漏洞
包含一般也就分为LFI、RFI,即local file inclusion和remote file inclusion
LFI
对于LFI的话,因为很多都限制了包含的后缀结尾必须为.php, Include ($a.'.php') 例如这种的。
所以我们想包含我们的图片马儿的话,那么就需要截断后面的这.php
-
00截断。需要gpc off && php
-
长文件名截断。反正这个我很少成功。
-
转换字符集造成的截断。这个对包含的话基本用不上。
还有一些cms限制包含的后缀必须为.php,例如下面一段简单的代码
$include_file=$_GET[include_file];if ( isset( $include_file ) && strtolower( substr( $include_file, -4 ) ) == ".php" ) { require( $include_file ); }对传递过来的截取了后面4个字符,然后判断是不是“.php”,如果是“.php”才进行包含。这里可以用zip(或者phar)协议嘛(当然这个也是找laterain学的,哈哈)。
首先新建一个1.php,里面随便写个phpinfo吧,
然后压缩成.zip,接着把zip的名字改成 yu.jpg。
然后把这个.jpg上传上去 然后包含:
对于一些LFI找不到上传图片的地方的话,也有很多牛发过了一些不能上传图片LFI的技巧,各种包含日志、环境变量啥的,这里我就也不多说了。
RFI
下面再来说RFI。
如果能RFI的话,那么就是最方便的了。包含远程文件,或者又是 php://input data 啥的,各种伪协议。
但是也都知道RFI最大的限制条件就是需要 allow_url_include on 且“变量前未定义路径”或者“常量”。
而 Allow_url_include 默认都是off,那么无论是 allow_url_include on 还是“变量前无路径”或者“常量”,那都是RFI的硬伤。
这里介绍一种在allow_url_include off的情况下也能rfi的技巧,但是成功率也并不太高。
首先在php.ini里看一下 allow_url_include :
; Whether to allow include/require to open URLs (like http:// or ftp://) as files.allow_url_include = Off
翻译过来就是,允许包含url,例如 http:// 、 ftp:// 之类的协议。当off的时候肯定就是不允许去包含这样的协议。
这里我们先来测试一下:
<?phpinclude($_GET[yu]);
首先 allow_url_include && allow_url_fopen 都为on的时候
成功RFI。
然后 allow_url_include 为 on,allow_url_fopen 为off
直接包含远程文件失败。这时候我们用一下伪协议试试。
再次成功rfi。
当allow_url_include && allow_url_fopen 为off的时候。
伪协议失败。
而包含文件的方式:
URL file-access is disabled in the server configuration ,说明也不允许包含。
然而,肯定还有不少人记得很久以前的那个星外无可执行目录的时候,利用远程调用cmd继续提权。
那个利用的是共享文件,然后在星外主机上来执行。
那么这里我们也试试:
包含共享文件成功!这里只本地测试了,没具体测试远程。但是由于445的原因 可能基本都失败。
转载自: http://drops.wooyun.org/papers/4544 ,在原文基础上有简单整理修改。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Alipay PHP SDK transfer error: How to solve the problem of 'Cannot declare class SignData'?
Apr 01, 2025 am 07:21 AM
Alipay PHP...
How does session hijacking work and how can you mitigate it in PHP?
Apr 06, 2025 am 12:02 AM
Session hijacking can be achieved through the following steps: 1. Obtain the session ID, 2. Use the session ID, 3. Keep the session active. The methods to prevent session hijacking in PHP include: 1. Use the session_regenerate_id() function to regenerate the session ID, 2. Store session data through the database, 3. Ensure that all session data is transmitted through HTTPS.
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
Describe the SOLID principles and how they apply to PHP development.
Apr 03, 2025 am 12:04 AM
The application of SOLID principle in PHP development includes: 1. Single responsibility principle (SRP): Each class is responsible for only one function. 2. Open and close principle (OCP): Changes are achieved through extension rather than modification. 3. Lisch's Substitution Principle (LSP): Subclasses can replace base classes without affecting program accuracy. 4. Interface isolation principle (ISP): Use fine-grained interfaces to avoid dependencies and unused methods. 5. Dependency inversion principle (DIP): High and low-level modules rely on abstraction and are implemented through dependency injection.
How to debug CLI mode in PHPStorm?
Apr 01, 2025 pm 02:57 PM
How to debug CLI mode in PHPStorm? When developing with PHPStorm, sometimes we need to debug PHP in command line interface (CLI) mode...
How to automatically set permissions of unixsocket after system restart?
Mar 31, 2025 pm 11:54 PM
How to automatically set the permissions of unixsocket after the system restarts. Every time the system restarts, we need to execute the following command to modify the permissions of unixsocket: sudo...
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
How to send a POST request containing JSON data using PHP's cURL library?
Apr 01, 2025 pm 03:12 PM
Sending JSON data using PHP's cURL library In PHP development, it is often necessary to interact with external APIs. One of the common ways is to use cURL library to send POST�...
