
File inclusion and how to use PHP pseudo-protocol

2025-04-03 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

Today, I would like to share with you the key points of file inclusion and how to use PHP pseudo-protocols. The content is detailed and the logic is clear. I believe that most people still know too much about this knowledge, so I am sharing this article for your reference. I hope you can learn something after reading it. Let's take a look.

File inclusion

A file inclusion vulnerability is a kind of "code injection". The principle is that a script or code the user can control is injected and then executed by the server. File inclusion is a typical example of "code injection".

To successfully exploit a file inclusion vulnerability, the following two conditions must be met:

The web application uses a file inclusion function such as include() and passes it the file to include through a dynamic variable.

The user can control that dynamic variable.
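The two conditions above can be broken at the second one by never letting the request value become a path. The following is an added example, not code from the original article: the `PAGES` map, the `resolve_page()` helper and the `pages` directory are hypothetical names chosen for illustration.

```php
<?php
// Added example: constructed code, not the lfi.php used in this article.

// Vulnerable pattern described above (kept as a comment so it never runs):
//   include $_GET['file'];

// Hypothetical allow-list: request key => fixed file name on disk.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map a user-supplied key to a fixed path, or return null.
 * The user value is only ever used as an array key, never as a path,
 * so wrappers (php://, data://, zip://, file://) and ../ never reach include.
 */
function resolve_page($key, string $baseDir): ?string
{
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$key];
}

// Constructed inputs, including the request shapes shown in this article.
$samples = [
    'home',
    'php://filter/read=convert.base64-encode/resource=./phpinfo.php',
    'zip://upload/test.png#test',
    '../../logs/access.log',
    ['home'],   // ?file[]=home arrives as an array, not a string
];

foreach ($samples as $input) {
    $path = resolve_page($input, __DIR__ . DIRECTORY_SEPARATOR . 'pages');
    printf("%-70s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $path ?? 'rejected');
}

// In a real handler:
//   $p = resolve_page($_GET['file'] ?? null, __DIR__ . '/pages');
//   if ($p === null) { http_response_code(404); exit; }
//   include $p;
```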

Common functions that lead to file inclusion:

PHP: include(), include_once(), require(), require_once(), etc.

PHP file inclusion directly executes the code in the included file, and places no restriction on the format of the included file.

Four file inclusion functions are provided in PHP:

(1) require: a fatal error (E_COMPILE_ERROR) is generated when the included file is not found, and the script stops

(2) include: only a warning (E_WARNING) is generated when the included file cannot be found, and the script continues to execute

(3) require_once: similar to include, it generates a warning, except that if the file's code has already been included, it will not be included again.

PHP pseudo-protocols

PHP pseudo-protocols are in fact the protocols and wrappers that PHP supports. The supported protocols include:

file:// - access to the local file system
php:// - access to the various input/output streams (I/O streams)
data:// - data (RFC 2397)
zip:// - compression streams

allow_url_include was added after PHP 5.2. The safe and convenient setting (the default setting for PHP) is: allow_url_fopen=on; allow_url_include=off

allow_url_fopen = On (allows opening of URL files, enabled by default)

allow_url_fopen = Off (disables opening of URL files)

allow_url_include = Off (including URL files is prohibited; this is the newly added feature and it is off by default)

allow_url_include = On (including URL files is allowed; this is the newly added feature)

file:// protocol

file:// is the default wrapper used by PHP and represents the local file system.

Use the file:// protocol to include the local phpinfo.php:

http://localhost/www/lfi.php?file=file://F:\phpstudy\phpstudy_pro\WWW\www\phpinfo.php

php:// protocol

php:// accesses the various input/output streams (I/O streams). php://filter and php://input are often used in CTFs.

php://filter is used to read source code.

php://input is used to execute PHP code.

http://localhost/www/lfi.php?file=php://filter/read=convert.base64-encode/resource=./phpinfo.php

php://filter needs base64 encoding when reading PHP files.

php://input

allow_url_include = On

php://input + [POST DATA] executes PHP code

Requires allow_url_include = On

http://localhost/www/lfi.php?file=php://input
POST

allow_url_include = Off

However, in most cases allow_url_include is turned off by default.

POST data cannot be included then; in that case the Apache access log or error log can be included instead.

First of all, we need to fuzz for the path of the log.

For the convenience of testing, I first empty the contents of the log to make the demonstration easier.

Visit the URL so that the code is written to the log through the resulting error.

Note: use burp to capture and send the request here; otherwise the code is written to the log URL-encoded and cannot be executed.

You can also write the code into the User-Agent.

http://localhost/www/lfi.php?file=

My log path is:

F:\phpstudy\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log.1631750400

Reading the log through the file:// pseudo-protocol shows that phpinfo has been executed successfully.

http://localhost/www/lfi.php?file=file://F:\phpstudy\phpstudy_pro\Extensions\Apache2.4.39\logs\access.log.1631750400

zip:// protocol

zip://, bzip2:// and zlib:// are all compression streams, and they give access to the files inside a compressed archive. More importantly, no particular suffix is required: the archive can be given any suffix, such as jpg, png, gif, xxx, etc.

Here is an analysis of a CTF case that combines file upload and file inclusion.

First, analyze the source code of the file upload.

File:

Analysis of the source code shows that the file upload uses a whitelist restriction: only files with the four suffixes "gif", "jpeg", "jpg" and "png" can be uploaded.

Next, analyze the source code of the file inclusion.

Tips: the parameter is file!:)

Analysis of the file inclusion source code shows that some pseudo-protocols and truncation are restricted, and that the php suffix is automatically appended in the include, but the zip pseudo-protocol is not restricted.

To sum up, the zip pseudo-protocol can be used in the file inclusion: create a compressed package test.zip that contains the file test.php.

Change the zip suffix to png when uploading the file.

Write the Trojan horse in test.php.

As shown in the following figure

After the picture is uploaded successfully, the file inclusion and the zip:// protocol are used to read test.php inside test.png. phpinfo() is executed, which shows that the PoC verification succeeded.

http://172.22.32.25:42715/include.php?file=zip://upload/test.png%23test
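The case above works because the upload whitelist trusts the suffix alone, so a ZIP archive renamed to .png is stored as an image. The following added example (not code from the CTF challenge) checks the leading bytes of the upload against the four whitelisted types; `IMAGE_SIGNATURES` and `upload_matches_suffix()` are hypothetical names and the sample bytes are constructed.

```php
<?php
// Added example with constructed sample bytes; not the challenge's upload code.

// Leading bytes ("magic numbers") of the four whitelisted image types.
const IMAGE_SIGNATURES = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'gif'  => ['GIF87a', 'GIF89a'],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
];

/** True only if the suffix is whitelisted AND the content starts with that type's signature. */
function upload_matches_suffix(string $filename, string $bytes): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, IMAGE_SIGNATURES)) {
        return false;                       // suffix not on the whitelist
    }
    foreach (IMAGE_SIGNATURES[$ext] as $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            return true;                    // content agrees with the suffix
        }
    }
    return false;                           // e.g. a ZIP archive named *.png
}

// Constructed samples: a PNG header, and a ZIP local file header ("PK\x03\x04").
$realPng  = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\rIHDR";
$zipAsPng = "PK\x03\x04" . "\x14\x00\x00\x00";

$cases = [
    ['photo.png', $realPng],    // genuine image
    ['test.png',  $zipAsPng],   // the renamed archive from the case above
    ['test.zip',  $zipAsPng],   // suffix not whitelisted at all
];

foreach ($cases as [$name, $bytes]) {
    printf("%-10s %s\n", $name, upload_matches_suffix($name, $bytes) ? 'accept' : 'reject');
}
```

In a real upload handler the bytes would come from the first few bytes of the temporary upload file. The include-side allow-list remains the control that keeps zip:// from being reached at all.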

data://

Conditions:

allow_url_fopen: on
allow_url_include: on

Visit the URL:

http://localhost/www/lfi.php?file=data://text/plain,

Base64 encoding can also be used to prevent the code from being filtered out:

file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
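Every technique in this article leaves a recognisable trace in the web server's access log: a stream wrapper scheme in the request target, or a PHP open tag written into a logged field. The following added example (not from the original article) scans combined-format log lines for both; the log lines are constructed from the request shapes shown above, and `WRAPPER_RE` and `scan_log_line()` are hypothetical names.

```php
<?php
// Added example; the log lines below are constructed, not taken from a real server.

// Wrapper schemes discussed in this article (zlib/bzip2 under their PHP names).
const WRAPPER_RE = '~(php|data|zip|file|compress\.zlib|compress\.bzip2)://~i';

/** Return a list of findings for one combined-format access log line. */
function scan_log_line(string $line): array
{
    $findings = [];

    // Only the request target is checked for wrappers, so ordinary Referer URLs are skipped.
    // It is decoded twice so singly and doubly URL-encoded schemes are normalised.
    if (preg_match('~"[A-Z]+ (\S+) HTTP/[\d.]+"~', $line, $req)) {
        $target = rawurldecode(rawurldecode($req[1]));
        if (preg_match(WRAPPER_RE, $target, $m)) {
            $findings[] = 'wrapper in request: ' . strtolower($m[0]);
        }
    }

    // A PHP open tag anywhere in the line means the log now holds executable text.
    if (strpos(rawurldecode($line), '<?') !== false) {
        $findings[] = 'PHP open tag in log line';
    }
    return $findings;
}

// Constructed sample lines.
$lines = [
    '127.0.0.1 - - [16/Sep/2021:08:00:01 +0800] "GET /www/index.php?page=home HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [16/Sep/2021:08:00:02 +0800] "GET /www/lfi.php?file=php://filter/read=convert.base64-encode/resource=./phpinfo.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [16/Sep/2021:08:00:03 +0800] "GET /include.php?file=zip%3A%2F%2Fupload/test.png%23test HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [16/Sep/2021:08:00:04 +0800] "GET /www/lfi.php?file=x HTTP/1.1" 200 40 "-" "<?php /* constructed marker */ ?>"',
];

foreach ($lines as $i => $line) {
    $hits = scan_log_line($line);
    echo 'line ', $i + 1, ': ', $hits ? implode('; ', $hits) : 'clean', "\n";
}
```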
