DVWA File Inclusion

Table of Contents

Background

allow_url_fopen configuration item

allow_url_include configuration item

Function

File Inclusion

Concept

DVWA

LOW

Experimental Environment

Source code analysis

Step

MEDIUM

Source code analysis

HIGH

Source code analysis

file protocol

Concept

Format

The difference between a browser accessing files through file:// and http://

Note


Background

allow_url_fopen configuration item

allow_url_fopen is a PHP configuration directive that decides whether the file functions (fopen(), file_get_contents() and so on) may open URLs such as http:// or ftp:// instead of only local paths. With allow_url_fopen=On those functions can read remote resources; with Off they operate only on local files. It does not govern the php:// wrappers (php://filter in particular), which remain available either way.

allow_url_include configuration item

allow_url_include is a PHP directive similar to allow_url_fopen, but it applies specifically to the include, include_once, require and require_once statements. When it is set to On, PHP will fetch and execute PHP code from a remote server given a URL; the same switch also gates the data: and php://input wrappers inside include. It has defaulted to Off since it was introduced in PHP 5.2 and is deprecated as of PHP 7.4.

allow_url_include only takes effect when allow_url_fopen is also enabled: remote inclusion needs both directives set to On. Enabling allow_url_include alone has no effect, because the URL wrappers it relies on are switched off by allow_url_fopen.

Function

require(): includes a file; if the file cannot be included, a fatal error is raised and the script stops.
include(): if the file cannot be included, a warning is emitted and the script continues.
require_once(): like require, except that a file that has already been included is not included again.
include_once(): like include, except that a file that has already been included is not included again.

File Inclusion

Concept

Developers usually put reusable functions into a separate file and pull that file in wherever the functions are needed instead of writing them again. This act of pulling one file into another is called file inclusion.

A file inclusion vulnerability arises when one of PHP's inclusion functions (include(), require(), include_once(), require_once()) is given a file name built from user input without strict checking. The attacker then decides which file is included, which leads to arbitrary file reading and, when the attacker can get PHP code into a file the server will include, to arbitrary code execution. The vulnerability comes in two forms: local file inclusion (LFI), which needs no special server configuration, and remote file inclusion (RFI), which is only possible when both allow_url_fopen and allow_url_include are On, because only then does include() accept a URL.

PHP file inclusion belongs to the same family as injection flaws such as XSS and SQL injection: untrusted input is spliced into something the server interprets, here the path handed to include().

include() runs the included file as PHP: code between PHP tags is executed, and everything else is output verbatim.
The extension of the included file does not matter; a .txt, .jpg or log file is parsed exactly like a .php file.

DVWA

LOW

Experimental Environment

When the File Inclusion page is opened, DVWA prints the warning "The PHP function allow_url_include is not enabled" at the top.

Locate the php.ini that the web server actually loads (phpinfo() lists it under "Loaded Configuration File"; it usually sits in the PHP installation directory, not the web root), change allow_url_fopen=Off and allow_url_include=Off to On, and restart the web server. Do this only in the lab; both directives must stay Off on a production server.

For the specific steps, refer to the solution for "The PHP function allow_url_include is not enabled" in DVWA Shooting Range File Inclusion on the CSDN Blog.
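The two directives side by side, as an added illustration that is not part of the original post: the lab setting the step above produces, and the setting a production server should keep. Both directives are PHP_INI_SYSTEM, so they cannot be changed with ini_set() at runtime; edit php.ini and restart the web server.

```ini
; php.ini for the DVWA lab only: enables remote inclusion so the RFI
; exercises work. Both directives are PHP_INI_SYSTEM (php.ini only).
allow_url_fopen = On
allow_url_include = On

; php.ini for a production server: allow_url_include stays Off (the PHP
; default since 5.2, deprecated since 7.4). allow_url_fopen defaults to On;
; turn it Off unless the application really opens URLs with
; fopen()/file_get_contents().
allow_url_fopen = Off
allow_url_include = Off
```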

Source code analysis

The page parameter is read with no filtering at all.

The value of the GET parameter page is taken as a file path and passed to include(). PHP parses whatever it includes as a PHP file, regardless of the file's extension: PHP code found in the file is executed and its result returned, and everything outside PHP tags is echoed to the page. That is why file inclusion vulnerabilities lead to arbitrary file reading and, when the attacker controls a file's contents, arbitrary code execution.
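To make the behaviour above concrete, here is an added example (not DVWA's own source): an include() handler shaped like the LOW level just described, with the page parameter handed straight to include(), beside a hardened handler that maps the parameter to a fixed file instead of treating it as a path. The scratch directory, k.txt and file1.php are constructed for the demo, and the handlers are named vulnerable_page and hardened_page here for illustration.

```php
<?php
// Added example, not DVWA's source: an include() handler shaped like the LOW
// level described above, run against a scratch directory built here.
// File names and contents are constructed for the demo. Run from the CLI.

// Vulnerable: whatever arrives in ?page= is handed to include() unchanged.
// A relative value resolves against include_path / the working directory,
// an absolute path is opened as-is, and a file:// URL is accepted too.
function vulnerable_page(string $page): void
{
    include $page;
}

// Hardened: the parameter selects a key in a fixed map, never a path.
// Traversal, absolute paths and wrapper URLs cannot be expressed as a key.
// (A real handler should first make sure $_GET['page'] is a string.)
function hardened_page(string $page, string $baseDir): void
{
    $allowed = ['file1' => 'file1.php', 'file2' => 'file2.php'];
    if (!isset($allowed[$page])) {
        echo "ERROR: unknown page\n";
        return;
    }
    include $baseDir . DIRECTORY_SEPARATOR . $allowed[$page];
}

// --- constructed fixtures ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($dir);

// A plain .txt file that happens to contain a PHP tag. include() does not
// care about the extension: text outside the PHP tags is echoed, code inside runs.
$ktxt = <<<'TXT'
hello from k.txt
<?php echo 'PHP ran inside k.txt: ', 1 + 1, "\n"; ?>
tail of k.txt
TXT;
file_put_contents($dir . '/k.txt', $ktxt);
file_put_contents($dir . '/file1.php', "<?php echo \"this is file1.php\\n\";\n");

echo "[1] vulnerable, absolute path:\n";
vulnerable_page($dir . '/k.txt');        // prints the text and runs the embedded PHP

echo "[2] vulnerable, relative path from the working directory:\n";
chdir($dir);
vulnerable_page('k.txt');

echo "[3] hardened, legitimate key:\n";
hardened_page('file1', $dir);            // this is file1.php

echo "[4] hardened, same absolute path as [1]:\n";
hardened_page($dir . '/k.txt', $dir);    // ERROR: unknown page

unlink($dir . '/k.txt');
unlink($dir . '/file1.php');
rmdir($dir);
```

Run it with `php` from the command line: cases [1] and [2] print "hello from k.txt", then "PHP ran inside k.txt: 2", then "tail of k.txt", showing that the embedded code executed even though the file is a .txt; cases [3] and [4] show that a key-to-file map leaves the attacker nothing to traverse.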

Step

The page offers three links (file1, file2, file3). The server includes the corresponding file and returns the result.

Whatever the server includes is parsed as PHP, whether or not its name ends in .php.

Click file1 and note that the URL now carries page=file1.php as the page parameter.

Using ../ in that parameter walks up into parent directories, so a relative path to any other file can be constructed, for example

../../phpinfo.php

An absolute path works as well: create a text file such as k.txt on drive D and pass its full path (D:\k.txt) as the page parameter.

The contents of k.txt are then output to the page.

MEDIUM

Source code analysis

The page parameter now goes through str_replace: http:// and https:// are replaced with the empty string to block remote inclusion, and ../ and ..\ are replaced with the empty string to block relative-path traversal.

str_replace makes a single pass and does not re-scan its output, so doubling the sequence defeats it: ..././ becomes ../ after the replacement, and so does ....//. A payload such as ..././..././..././etc/passwd (or ....//....//....//etc/passwd) collapses to a working traversal.

Absolute paths are not affected by the filter at all.

HIGH

Source code analysis

The page parameter is checked with fnmatch("file*", $page): only values that begin with file are included; anything else is rejected with an error.

The check looks at how the string starts, not at what it is, so a file:// URL satisfies it. Because include() also accepts file:// URLs for local files, and file:// is a local wrapper that needs neither allow_url_fopen nor allow_url_include, a value such as file:///etc/passwd or file:///D:/k.txt passes the check and still reads an arbitrary local file.
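The MEDIUM and HIGH checks rebuilt from the two descriptions above, as an added example that is not DVWA's own code: a single-pass str_replace filter, the fnmatch("file*") prefix check, and a constructed set of payloads driven through both, beside a check that canonicalises the path with realpath() and refuses anything outside a fixed directory. The function names, the scratch directory and the payload list are this example's own assumptions.

```php
<?php
// Added example, not DVWA's source: the MEDIUM and HIGH checks rebuilt from
// the descriptions above, run against constructed payloads, beside a check
// that canonicalises the path before deciding. Run from the CLI.

// MEDIUM: one non-recursive pass of str_replace, as described above.
function medium_filter(string $page): string
{
    $page = str_replace(['http://', 'https://'], '', $page);
    $page = str_replace(['../', '..\\'], '', $page);
    return $page;
}

// HIGH: the page parameter must match the glob "file*".
function high_accepts(string $page): bool
{
    return fnmatch('file*', $page);
}

// Hardened alternative: resolve the request under a fixed directory and
// refuse anything whose canonical path is outside it. realpath() returns
// false for "file://..." strings (they are not filesystem paths) and for
// anything that does not exist, so wrapper URLs fail closed.
function safe_resolve(string $page, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed payloads (the page parameter as PHP sees it, already URL-decoded).
$payloads = [
    '../../../etc/passwd',              // plain traversal: MEDIUM strips every ../
    '..././..././..././etc/passwd',     // doubled form: one pass leaves ../ behind
    '....//....//....//etc/passwd',     // same trick, different doubling
    'file:///etc/passwd',               // HIGH: starts with "file", but is a URL
    'file1.php',                        // the legitimate value
];

printf("%-32s %-24s %s\n", 'payload', 'after MEDIUM filter', 'HIGH accepts?');
foreach ($payloads as $p) {
    printf("%-32s %-24s %s\n", $p, medium_filter($p), high_accepts($p) ? 'yes' : 'no');
}

// safe_resolve() against a scratch directory holding one legitimate page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/file1.php', "<?php echo 'file1';\n");
foreach (['file1.php', '../../../../etc/passwd', 'file:///etc/passwd'] as $p) {
    printf("safe_resolve(%-24s) => %s\n", $p, safe_resolve($p, $dir) ?? 'refused');
}
unlink($dir . '/file1.php');
rmdir($dir);
```

The table printed by the first loop shows the two weaknesses next to each other: the doubled payloads leave a clean ../../../etc/passwd (or ..//..//..//etc/passwd) after the MEDIUM filter, and file:///etc/passwd is the only traversal the HIGH check lets through. safe_resolve() accepts file1.php, refuses the ../ chain because its real path lands outside the base directory, and refuses the file:// string because no such file exists under the base.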

file protocol

Concept

The file protocol is used to access files on the local computer, much like opening a file in Windows Explorer.

Format

The file URI is of the form

file://host/path

i.e. file://<machine's IP address>/<directory>/<file>. For example, to open 111.png in the images folder on drive D, type file://127.0.0.1/D:/images/111.png in the Explorer or IE address bar and press Enter.

If the host is omitted it is treated as localhost, i.e. the computer on which the URL is interpreted. When the host is omitted the slash is not: "file:///abc.txt" is valid, "file://abc.txt" is not (abc.txt would be read as the host name).

The structure of the URI is:

scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]

For the local machine, the host can be 127.0.0.1, localhost, or left empty.

None of the slashes may be dropped.

The difference between a browser accessing files through file:// and http://

The file protocol reads files on the local computer, much like opening them through Explorer: it is local by nature and only reaches your own machine's file resources.

Accessing a local HTML file over HTTP means running an HTTP server on the machine, reaching that server through localhost, and letting the server hand out the local file.

file:// simply requests a local file and opens it as a static file that no server processes. HTTP puts a server in front of the file, and that server can process the file (for example run it as PHP) before responding.

Other differences:

The file protocol can only be accessed locally.
Once an HTTP server is running and its port is open, other machines can fetch files from your computer through HTTP; that is impossible with the file protocol.
The remote counterpart of the file protocol is FTP, the file transfer protocol, not HTTP.
Pages loaded from file:// cannot make cross-origin requests; browsers treat each file:// page as its own origin.

Note

file:/// must be followed by an absolute path

syntaxbug.com © 2021 All Rights Reserved.