Updated 2025-04-03. From: SLTechnology News&Howtos, Shulou (Shulou.com), 05/31
This article covers file inclusion and how PHP pseudo-protocols are used with it.
File inclusion
A file inclusion vulnerability is a kind of "code injection". The principle is to inject a script or code that the user controls and have the server execute it. File inclusion is a typical example of "code injection".
To successfully exploit a file inclusion vulnerability, the following two conditions need to be met:
The web application uses a file inclusion function such as include() to include a file whose path is given by a dynamic variable.
The user can control that dynamic variable.
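The two conditions above, shown as the vulnerable pattern next to an allowlist that removes the second condition. This is an added example, not code from the original page; the pages directory and the page names are hypothetical.

```php
<?php
// Added example (not from the original page). Assumed layout: page scripts
// live in ./pages next to this script; all names below are hypothetical.

// Vulnerable pattern: both conditions hold, the request chooses the path.
//   include $_GET['file'];

const PAGE_DIR = __DIR__ . '/pages';

// Fixed allowlist: request value => file name on disk.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/** Map a request value to an includable path, or null if it is not allowed. */
function resolve_page(string $name): ?string
{
    // Only exact allowlist keys pass, so values such as "php://filter/...",
    // "zip://..." or "file://..." never reach include.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$name]);
    // Defence in depth: the resolved file must exist inside PAGE_DIR
    // (catches a symlink planted in the pages directory).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// A request can also send file[]=..., which arrives as an array.
$requested = $_GET['file'] ?? 'home';
$page = is_string($requested) ? resolve_page($requested) : null;
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```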
Common functions that lead to file inclusion:
PHP: include(), include_once(), require(), require_once(), etc.
PHP file inclusion directly executes the code in the included file, and the format of the included file is not restricted.
Four file inclusion functions are provided in PHP:
(1) require: a fatal error (E_COMPILE_ERROR) is generated when the included file is not found, and the script stops
(2) include: only a warning (E_WARNING) is generated when the included file cannot be found, and the script continues to execute
(3) require_once: similar to include, it generates a warning, except that if the file has already been included, it will not be included again.
PHP pseudo-protocols
The PHP pseudo-protocols are the protocols and wrappers that PHP supports. The supported protocols are:
file:// - access to the local file system
php:// - access to the various input/output streams (I/O streams)
data:// - data (RFC 2397)
zip:// - compression streams
allow_url_include was added after PHP 5.2. The safe and convenient setting (the PHP default) is: allow_url_fopen=on; allow_url_include=off
allow_url_fopen = On (allows opening of URL files, enabled by default)
allow_url_fopen = Off (disables opening of URL files)
allow_url_include = Off (including URL files is prohibited; newly added setting, off by default)
allow_url_include = On (including URL files is allowed; newly added setting)
File protocol
file:// is the default wrapper used by PHP and represents the local file system.
Use the file:// protocol to include the local phpinfo.php
http://localhost/www/lfi.php?file=file://F:\phpstudy\phpstudy_pro\WWW\www\phpinfo.php
PHP protocol
php:// accesses the various input/output streams (I/O streams); php://filter and php://input are often used in CTFs
php://filter is used to read source code.
php://input is used to execute PHP code.
http://localhost/www/lfi.php?file=php://filter/read=convert.base64-encode/resource=./phpinfo.php
php://filter needs base64 encoding when reading PHP files, otherwise the file is executed by the include instead of being displayed
php://input
allow_url_include = On
php://input + [POST DATA] executes PHP code
Requires allow_url_include = On
http://localhost/www/lfi.php?file=php://input
POST
allow_url_include = Off
However, in most cases allow_url_include is off by default
POST data cannot be included; in this case the Apache access log or error log can be included instead
First, fuzz to find the path of the log.
For the convenience of the demonstration, I first empty the contents of the log.
Visit the URL and write the code to the log by triggering an error
Note: use burp to capture and send the request here, otherwise the code is written to the log URL-encoded and cannot be executed.
You can also write the code into the User-Agent
http://localhost/www/lfi.php?file=
My log path is:
F:\phpstudy\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log.1631750400
Using the file:// pseudo-protocol to include the log, it is found that phpinfo has been successfully executed.
http://localhost/www/lfi.php?file=file://F:\phpstudy\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log.1631750400
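From the defender's side, the requests described in the sections above leave recognisable traces in the access log. The following is an added example, not code from the original page: a small PHP CLI scanner run over constructed sample lines, assuming Apache's "combined" log format and the file parameter of lfi.php.

```php
<?php
// Added example, not from the original page. Sample lines are constructed and
// follow Apache's "combined" log format; the parameter name comes from lfi.php.

/** Return the findings for one access-log line (empty array = nothing seen). */
function classify_line(string $line, string $param = 'file'): array
{
    $findings = [];

    // A raw PHP open tag anywhere in the line (request, referer, user-agent).
    // Browsers percent-encode "<" in URLs, so a raw tag is a strong signal.
    if (preg_match('~<\?(php|=)~i', $line)) {
        $findings[] = 'php-open-tag';
    }

    // Value of the inclusion parameter, decoded the way PHP would see it.
    $pattern = '~[?&]' . preg_quote($param, '~') . '=([^&\s"]*)~';
    if (preg_match($pattern, $line, $m)) {
        $value = urldecode($m[1]);
        // Any scheme:// prefix (php://, data://, zip://, file://, ...).
        if (preg_match('~^[a-z][a-z0-9+.\-]*://~i', $value)) {
            $findings[] = 'stream-wrapper';
        }
        // The parameter points at a web-server log file.
        if (preg_match('~(access|error)[._-]?log~i', $value)) {
            $findings[] = 'log-file-path';
        }
    }
    return $findings;
}

// Constructed sample input.
$sample = [
    '127.0.0.1 - - [16/Sep/2021:08:00:01 +0800] "GET /www/lfi.php?file=php://filter/read=convert.base64-encode/resource=./phpinfo.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [16/Sep/2021:08:00:02 +0800] "GET /www/index.php HTTP/1.1" 200 128 "-" "<?php /* constructed marker */ ?>"',
    '127.0.0.1 - - [16/Sep/2021:08:00:03 +0800] "GET /www/lfi.php?file=about HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [16/Sep/2021:08:00:04 +0800] "GET /www/lfi.php?file=file://F:\phpstudy\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log.1631750400 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

foreach ($sample as $i => $line) {
    $hits = classify_line($line);
    printf("line %d: %s\n", $i + 1, $hits ? implode(', ', $hits) : 'clean');
}
```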
zip:// protocol
zip://, bzip2:// and zlib:// are all compression streams and can access the files inside a compressed archive. More importantly, the archive does not need a specific suffix; it can be renamed to any suffix: jpg, png, gif, xxx, etc.
Here is an analysis of a CTF case that combines file upload and file inclusion.
First analyze the source code of the file upload
File:
After analyzing the source code, it is found that the file upload uses a whitelist restriction strategy and only files with the four suffixes "gif", "jpeg", "jpg" and "png" can be uploaded.
Analyze the source code of the file inclusion
Tips: the parameter is file!:)
Analyzing the file inclusion source code shows that some pseudo-protocols and truncation are restricted and that the .php suffix is automatically appended in the include, but the zip pseudo-protocol is not restricted.
To sum up, the zip pseudo-protocol can be used in the file inclusion: create a compressed package test.zip that contains a test.php file.
Change the suffix zip to png when uploading the file
Write the Trojan horse in test.php
As shown in the following figure
After the picture is uploaded successfully, file inclusion and the zip:// protocol are used to read the test.php inside test.png. phpinfo() is executed, which shows that the PoC verification is successful.
http://172.22.32.25:42715/include.php?file=zip://upload/test.png%23test
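The upload side of this case works because only the suffix is checked. The following is an added example, not code from the original page or the CTF: an upload handler that validates the content and stores a re-encoded copy. It assumes the GD extension, a form field named file and the storage path shown, all of which are hypothetical.

```php
<?php
// Added example, not from the original page. Assumes the GD extension, an
// upload form field named "file" and a storage directory outside the web
// root (all hypothetical names).

/**
 * Accept an upload only if it decodes as GIF/JPEG/PNG, then store a
 * re-encoded PNG under a server-chosen name. Returns the name or null.
 */
function store_uploaded_image(string $tmpPath, string $destDir): ?string
{
    // The suffix is ignored: a ZIP renamed to .png fails here because its
    // content does not parse as an image.
    $info = @getimagesize($tmpPath);
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return null;
    }
    $bytes = file_get_contents($tmpPath);
    $image = $bytes === false ? false : @imagecreatefromstring($bytes);
    if ($image === false) {
        return null;
    }
    // Re-encoding writes pixel data only, so bytes that are not part of the
    // image (for example archive data) do not reach the stored file.
    $name = bin2hex(random_bytes(16)) . '.png';
    return imagepng($image, $destDir . '/' . $name) ? $name : null;
}

$upload = $_FILES['file'] ?? null;
if (is_array($upload) && $upload['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($upload['tmp_name'])) {
    $stored = store_uploaded_image($upload['tmp_name'], '/var/app/uploads');
    echo $stored === null ? 'Rejected' : 'Stored';
}
```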
data://
Conditions:
allow_url_fopen: on
allow_url_include: on
Visit the URL
http://localhost/www/lfi.php?file=data://text/plain,
You can also use base64 encoding to prevent the code from being filtered out
file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=