An in-depth analysis of PHP file inclusion vulnerabilities

This article brings you relevant knowledge about PHP, which mainly introduces issues related to file inclusion vulnerabilities. The cause of file inclusion vulnerabilities is when files are introduced through PHP functions. Because the incoming file name has not been properly verified, unexpected files have been manipulated. I hope this helps everyone.

## Recommended study: "

PHP Video Tutorial"

Vulnerability Description

File The reason for the inclusion vulnerability is that when a file is introduced through a PHP function, the incoming file name is not properly verified, and thus unexpected files are manipulated, which may lead to unexpected file leaks or even malicious code injection.

The following four functions usually cause file inclusion vulnerabilities in PHP:
1. When include() is used to include a file, the file is included only when the code is executed to the include() function, and an error occurs. Only a warning is given and execution continues.
2. The function of include_once() is the same as include(). The difference is that when the same file is called repeatedly, the program only calls it once.
3. require() will call the file immediately as soon as the program is executed. When an error occurs, an error message will be output and the script will be terminated
4. require_once() has the same function as require(), the difference is The reason is that when the same file is called repeatedly, the program only calls it once.

Hazards of Vulnerability

An attacker can use this vulnerability to read arbitrary files and obtain sensitive information on the server.

Vulnerability affects version

The existence of this vulnerability has nothing to do with the version

Vulnerability analysis

In giving When PHP sends a POST packet, if the packet contains a file block, regardless of whether the code you access has logic for processing file uploads, PHP will save the file into a temporary file (usually /tmp/php[6 random characters]), the file name can be found in the $_FILES variable. This temporary file will be deleted after the request is completed.

At the same time, because the phpinfo page will print out all variables in the current request context, if we send a data packet containing the file block to the phpinfo page, we can find the contents of the $_FILES variable in the return packet. Naturally Also contains temporary file names.
When a file inclusion vulnerability cannot find an exploitable file, you can use this method to find the temporary file name and then include it.
However, the file inclusion vulnerability page and the phpinfo page are usually two pages. In theory, we need to send the data packet to the phpinfo page first, then match the temporary file name from the return page, and then send this file name to the file inclusion vulnerability page. , perform getshell. At the end of the first request, the temporary file is deleted, and the second request naturally cannot be included.
At this time, conditional competition needs to be used. The specific process is as follows:
1) Send the upload data packet containing the webshell to phpinfo. The header, get and other positions of this data packet must be filled with junk data.
2) phpinfo will print out all the data at this time, and the garbage data will make phpinfo very large.
3) PHP's default buffer size is 4096, that is, PHP returns 4096 bytes to the socket connection each time.
4) Therefore, we directly operate the native socket and read 4096 bytes each time. As long as the characters read contain the temporary file name, the second data packet will be sent immediately.
5) At this time, the socket connection of the first data packet has not ended yet, but PHP continues to output 4096 bytes each time, so the temporary file has not been deleted.
6) We can use this time difference to successfully include the temporary file and finally getshell.

Environment setup

Start docker:
1. service start docker
   
Execute in the path where the docker-compose.yml file is located:
2. docker-compose build
   docker-compose up -d
   
   

Vulnerability Recurrence

Visit http://your-ip:8080/phpinfo.php , you can see that the phpinfo page
1. 
   2 appears on the page. Then visit http://your-ip:8080/lfi.php?file=/etc/passwd, and you can see that the page has a file inclusion vulnerability. .
   POC verification: Usage: python3 PHP file contains vulnerability_poc.py --target-url http://192.168.60.244:8080
   
   
##Fix Suggestions

Set a whitelist.

Recommended learning: "

PHP Video Tutorial

"

The above is the detailed content of An in-depth analysis of PHP file inclusion vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!