PHP 5.2.0对Remote include的影响

Published on 2006 - 11 - 03
    <a href="http://www.php.net/ChangeLog-5.php#5.2.0">http://www.php.net/ChangeLog-5.php#5.2.0</a>
    <br />Added allow_url_include ini directive to complement allow_url_fopen. (Rasmus) <br /><br />也就是说,远程包含文件漏洞,或者是后门,变的很难奏效了。<br />不过同样有两种方式绕过。<br /><br />一个是:<br /><div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee"><span style="COLOR: #0000ff">include</span><span style="COLOR: #000000"> (</span><span style="COLOR: #000000">"</span><span style="COLOR: #000000">php://input</span><span style="COLOR: #000000">"</span><span style="COLOR: #000000">);</span></div><br />另一种方式只在5.2.0版本以上才支持:<br /><div style="BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 4px; FONT-SIZE: 13px; PADDING-BOTTOM: 4px; BORDER-LEFT: #cccccc 1px solid; WIDTH: 98%; WORD-BREAK: break-all; PADDING-TOP: 4px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeeeee"><span style="COLOR: #0000ff">include</span><span style="COLOR: #000000"> (</span><span style="COLOR: #000000">"</span><span style="COLOR: #000000">data:;base64,PD9waHAgcGhwaW5mbygpOz8+</span><span style="COLOR: #000000">"</span><span style="COLOR: #000000">); </span><span style="COLOR: #008000">//</span><span style="COLOR: #008000">phpinfo()</span></div><br />Refence:<br /><a href="http://cn.php.net/manual/en/wrappers.data.php">http://cn.php.net/manual/en/wrappers.data.php</a><br /><a href="http://www.faqs.org/rfcs/rfc2397">http://www.faqs.org/rfcs/rfc2397</a>
Comments
Write a Comment