Security filter for RFI

Well, I looked a little into RFI and PHP security and found this include code in DVWA:

<?php
    $file = $_GET['page']; // The page we wish to display
    // Only allow include.php
    if ( $file != "include.php" ) {
        echo "ERROR: File not found!";
        echo "$file";
        exit;
    }
    include($file);
?>

Well, I don't understand why this code is not secure. I talked with some security people and they say this code is not secure and I shouldn't use it. I know that it's better to turn off the include option, but I think this filter can't be passed.

I tried a lot of common attacks, and none of them pass it. I will be glad to hear your opinions.

dongzongzi0379: Well, some people need to read specific things and not ignore you. About this I have a lot to say that I won't open up here on the "security forum". I'm starting to think that what I'm looking for is common knowledge.
over 6 years ago
douyou2234: Just for completeness: help with remote file inclusion in DamnVulnerableWebApplication on Security.SE.
over 6 years ago

2 answers


As I have already said in a comment to your question on Security.SE, my impression of the high level challenges of DVWA that I have seen so far is that they are supposed to be safe. There have been other questions about the exploitability of high level challenges (especially the SQL injection: #1, #2, #3) and the unified opinion tends toward non-exploitable.

The high level file inclusion challenge, where your code is taken from, is likewise:

include only gets reached if the condition $file != "include.php" is not fulfilled, as otherwise exit will terminate the runtime. Since $file's value is taken from $_GET['page'], it is a string (e.g., ?page=foo), an array (e.g., ?page[foo]=bar), or null (e.g., only ?page or missing entirely).

Now let's see what happens when comparing these types with a string:

  • an array is never equivalent to a string
  • null is only equivalent to an empty string
  • a string is only equivalent to another string if it is composed of the same sequence of bytes, i.e., the string values are identical

So the only way to get past this if is ?page=include.php, as otherwise the include would not be reached due to the positive if condition.

douluanzhao6689: Thanks for your help :-)
over 6 years ago
duanchi4544: PHP code will still be interpreted as a file name.
over 6 years ago
dongzhen7108: So what happens if we add PHP code to the file name? Will it be executed?
over 6 years ago

This is very safe except you are echoing the file without htmlentities(), thus there is an XSS flaw.

POC : mywebsite.com/script_name.php?page=<script>alert('XSS')</script>

Another way to do it is:

<?php
    // Allow-list of pages that may be included
    $whitelist = array('include.php', 'some_other_file.php', 'another.php');
    $file = $_GET['page']; // The page we wish to display

    // Strict comparison (third argument) so only an exact string match passes
    if (!in_array($file, $whitelist, true)) {
        header("Location: /");
        exit; // header() alone does not stop execution; without this the include below would still run
    }
    include($file);
?>

Even the "file not found" thing is too much; if someone tries to mess with your application you must tell them as little as possible.

Personally I would simply redirect to your homepage using the PHP header() function.

doukang2003: Even non-stored XSS is a real threat. A specially crafted link can be shared from the server with ordinary users.
over 6 years ago
dongquanyu5816: Thanks for the reply, you're right that it doesn't fix the XSS, but the XSS won't get stored :-)
over 6 years ago
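The following is an added example, not DVWA's code and not code from either answer above. It puts the two points of the thread side by side: the first answer's observation that the loose `!=` check already rejects an array or null and only passes the exact string, and the second answer's allow-list approach, here with the strict `in_array` flag, an `exit` after the redirect header (without it the include would still run), and the echoed value escaped. The function names `passes_original_check`, `is_allowed_page` and `resolve_page`, and the file names other than include.php, are assumptions made for this example.

```php
<?php
// Added example (not DVWA's code, not either answerer's code): a hardened
// include handler plus a self-check over the three input types the first
// answer discusses (string, array, null). File names other than
// include.php are constructed for this example.

// Allow-list of pages this script may include.
const PAGE_WHITELIST = ['include.php', 'about.php', 'contact.php'];

/**
 * The check as DVWA wrote it: loose inequality against one literal.
 * An array is never == a string, null == "" only, and two strings are
 * equal only if their bytes are identical, so only the exact string passes.
 */
function passes_original_check($page): bool
{
    return !($page != "include.php");
}

/**
 * Hardened check: the value must be a string and must strictly match an
 * allow-listed name. in_array(..., true) compares with ===, so an array
 * (?page[foo]=bar) or null (?page alone, or missing) cannot match.
 */
function is_allowed_page($page): bool
{
    return is_string($page) && in_array($page, PAGE_WHITELIST, true);
}

/**
 * Resolve the requested page or stop. header() on its own does not end the
 * script; the exit after it is what keeps the include from running on a
 * rejected value.
 */
function resolve_page(array $get): string
{
    $page = $get['page'] ?? null;
    if (!is_allowed_page($page)) {
        header('Location: /');
        exit;
    }
    return $page;
}

// Self-check with constructed inputs modelling what $_GET['page'] can hold.
$cases = [
    'exact match'    => 'include.php',
    'listed page'    => 'about.php',
    'other string'   => 'foo',
    'array input'    => ['foo' => 'bar'],
    'null/missing'   => null,
];
foreach ($cases as $label => $value) {
    printf("%-13s original: %-9s hardened: %s\n",
        $label,
        passes_original_check($value) ? 'passes' : 'rejected',
        is_allowed_page($value) ? 'passes' : 'rejected');
}

// In a real page the echoed name is escaped before it is rendered, which
// closes the XSS the second answer points out:
// $file = resolve_page($_GET);
// include $file;
// echo htmlentities($file, ENT_QUOTES, 'UTF-8');
```

Run from the command line, the self-check shows that both versions reject the array and null inputs and the unrelated string, and that only the hardened version accepts the additional allow-listed name; the difference in practice is the strict type check and the `exit` after the redirect, not the comparison of the literal itself.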