
What vulnerabilities are contained in the PHP file

2025-03-01 Update. From: SLTechnology News&Howtos (shulou), Development section


Shulou (Shulou.com) 05/31 Report

This article introduces the PHP file inclusion vulnerability: what it is, how it is exploited, and how it is fixed. The content is detailed and easy to follow, and the steps are simple and quick, so it should be of practical reference value.

Vulnerability description

A file inclusion vulnerability arises when a file is included through one of PHP's inclusion functions and the supplied file name is not properly validated, so that a file other than the intended one can be included. This may lead to unintended file disclosure or even malicious code injection.

File inclusion vulnerabilities in PHP usually arise from the following four functions:

1. include(): the file is included only when execution reaches the include() statement. If an error occurs, PHP only emits a warning and continues executing.

2. include_once(): behaves the same as include(), except that when the same file is included repeatedly, it is only included once.

3. require(): loads the file as soon as the program is executed; if an error occurs, PHP outputs the error message and terminates the script.

4. require_once(): behaves the same as require(), except that when the same file is included repeatedly, it is only included once.

Vulnerability hazard

An attacker can exploit this vulnerability to read arbitrary files and obtain sensitive information from the server.

Affected versions

This vulnerability is not tied to any particular PHP version.

Vulnerability analysis

When PHP receives a POST request that contains a file part (a multipart upload), it saves that file as a temporary file (usually /tmp/php followed by six random characters), regardless of whether the code being accessed has any upload-handling logic, and the temporary file name can be found in the $_FILES variable. The temporary file is deleted when the request completes.

At the same time, because the phpinfo page prints every variable in the context of the current request, sending a request with a file part to the phpinfo page makes the contents of $_FILES, including the temporary file name, appear in the response.

When a file inclusion vulnerability exists but no suitable file to include can be found on the server, this method can be used to obtain a temporary file name and then include it.

However, the file inclusion vulnerability and the phpinfo page are usually two different pages. In theory, one would send a request to the phpinfo page, extract the temporary file name from the response, and then send that name to the vulnerable page to get a shell. But the temporary file is deleted at the end of the first request, so the second request can no longer include it.

This is where a race condition is needed. The process is as follows:

1) Send an upload request containing the webshell to phpinfo. The headers, GET parameters and other locations of this request are padded with junk data.

2) phpinfo prints out all of this data, and the junk data makes the phpinfo response very large.

3) PHP's default output buffer size is 4096 bytes, meaning PHP writes 4096 bytes to the socket connection at a time.

4) So we operate on the raw socket directly, reading 4096 bytes at a time, and send the second request as soon as the data read contains the temporary file name.

5) At this point, the socket connection for the first request has not actually finished; PHP is still writing 4096 bytes at a time, so the temporary file has not yet been deleted.

6) This time window is what allows the temporary file to be included successfully and a shell to be obtained.

Environment setup

Start Docker:

service docker start

Run the following in the directory containing the docker-compose.yml file:

docker-compose build

docker-compose up -d

Vulnerability reproduction

1. Visit http://your-ip:8080/phpinfo.php; the phpinfo page is displayed.

2. Visit http://your-ip:8080/lfi.php?file=/etc/passwd; the page shows the file contents, confirming the file inclusion vulnerability.

PoC verification:

Usage: python3 "PHP file inclusion vulnerability_poc.py" --target-url http://192.168.60.244:8080

Remediation suggestion

Use a whitelist of the files that may be included, instead of passing the user-supplied value to the inclusion function.
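The following is an added example, not code from the original article or from the test environment it uses. It shows the vulnerable pattern that lfi.php above illustrates (the request parameter goes straight into include()) next to a whitelist-based fix of the kind the remediation suggestion calls for. The page names, the "page" parameter and the "pages/" directory are assumptions.

```php
<?php
// Added example (not from the original article): the vulnerable include
// pattern, followed by a whitelist-based fix.
// The page names, the "page" parameter and the "pages/" directory are assumed.

// --- Vulnerable: the user-supplied value is passed straight to include(). ---
// Any file readable by the web server can be pulled in, including PHP's own
// upload temporary files (/tmp/php followed by six random characters), which is
// exactly what the phpinfo race described above relies on.
function include_page_vulnerable(string $file): void
{
    include $file;
}

// --- Fixed: map an opaque key to a fixed path; never use the raw value. ---
const PAGE_WHITELIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Return the on-disk path for a page key, or null if the key is not whitelisted.
 * The lookup is an exact array-key match, so values such as "../", "/etc/passwd",
 * "php://..." or "/tmp/phpXXXXXX" can never resolve to a path.
 */
function resolve_page(string $key): ?string
{
    return PAGE_WHITELIST[$key] ?? null;
}

function include_page_safe(string $key): void
{
    $path = resolve_page($key);
    if ($path === null) {
        // Unknown key: refuse, and log the attempt so probing is visible.
        http_response_code(404);
        error_log('rejected include key: ' . $key);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Request handling: /index.php?page=home
$key = $_GET['page'] ?? 'home';
include_page_safe($key);
```

The key-to-path map is what "set up a whitelist" means in practice: the request value is only ever used as a dictionary key, never as part of a path. Rejecting substrings such as "../" is not an equivalent fix, because the temporary-file path in the technique above contains no traversal at all.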

This concludes the article on "what vulnerabilities are contained in PHP files". Thank you for reading! You should now have a basic understanding of PHP file inclusion vulnerabilities. To learn more, follow the industry information channel.
