Phith0n · 2014/10/30

0x00 Background


Many readers will probably look at this with disdain and think it is old news:

.htaccess files used as a PHP backdoor

So I'll present a new one: .user.ini. It is more widely applicable than .htaccess and works on nginx/Apache/IIS, as long as PHP runs under FastCGI. My nginx servers all run PHP-FPM/FastCGI, my IIS servers with PHP 5.3 and above all use FastCGI/CGI, and my Apache on Windows also uses FCGI. It can fairly be called very widely applicable, unlike .htaccess, which has its limitations.

0x01 .user.ini


So what is .user.ini?

It starts with php.ini. php.ini is PHP's default configuration file. It contains many configuration items, and each has one of the modes PHP_INI_SYSTEM, PHP_INI_PERDIR, PHP_INI_ALL or PHP_INI_USER. You can view the list here: php.net/manual/zh/i… What is the difference between these modes? Look at the official explanation:

Configuration items with mode PHP_INI_USER can be set with the ini_set() function, in the registry, and in .user.ini. There it is: .user.ini. So what is this configuration file? Here is the official documentation:

In addition to the main php.ini, PHP scans for INI files in each directory, starting at the directory of the PHP file being executed and working its way up to the web root (as specified by $_SERVER['DOCUMENT_ROOT']). If the PHP file being executed is outside the web root, only that file's directory is scanned.

Only INI settings with the PHP_INI_PERDIR and PHP_INI_USER modes are recognized in .user.ini-style INI files.

This makes it clear that .user.ini is in effect a php.ini that can be "customized" by the user. The settings we can customize are those with mode PHP_INI_PERDIR or PHP_INI_USER. (PHP_INI_PERDIR, not mentioned in the table above, can also be set in .user.ini.)

In fact, every mode except PHP_INI_SYSTEM (including PHP_INI_ALL) can be set via .user.ini.

Also, unlike php.ini, .user.ini is an INI file that is loaded dynamically. This means that after modifying .user.ini I do not need to restart the web server or PHP; I only have to wait for the interval set by user_ini.cache_ttl (300 seconds by default) for it to be reloaded.

Then I went through the configuration items in php.ini. Unfortunately, I was dismayed to find that every item that is even slightly sensitive is in PHP_INI_SYSTEM mode (or even php.ini only), for example disable_functions, extension_dir and enable_dl. Still, with the help of .user.ini we can easily construct a "backdoor".

There are two interesting PHP configuration items:

auto_prepend_file and auto_append_file

auto_prepend_file specifies a file that is automatically included before the main file is executed, similar to calling require() before it. auto_append_file is similar, except that the file is included at the end. To use it, you can write it directly in .user.ini:

auto_prepend_file=01.gif

01.gif is the file to be included.

So with .user.ini you can easily make every PHP file "automatically" include a file, which can be a normal PHP file or a one-line webshell.

To test it, I set it up on IIS 6.0 + FastCGI + PHP 5.3 and on nginx + PHP-FPM + PHP 5.3 respectively, with the .user.ini above, the 01.gif containing the webshell, and a normal PHP file, echo.php:

Access echo.php to see the backdoor:

Same with Nginx:

So, thinking sneakily, in what circumstances can this trick be used? For example, if a website does not allow you to upload .php files, you can upload a .user.ini file and then upload an image-disguised shell to be included, and get a shell. The prerequisite is that the folder containing .user.ini also contains a normal PHP file, otherwise nothing will trigger the include. Or, if you simply want to hide a backdoor, this is the most convenient way.
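From the defender's side, the same mechanism is easy to audit. The following Python script is an added example (not code from the original post): it walks a web root, parses every .user.ini it finds, and reports any auto_prepend_file or auto_append_file directive together with whether the target exists and whether it is a non-PHP file such as the 01.gif above. The sample tree it builds is constructed, and resolving a relative target against the .user.ini's own directory is an assumption for the audit (PHP resolves it via include_path, which normally contains ".").

```python
"""Audit a web root for .user.ini files that prepend/append a file."""
import os
import re
import tempfile
from pathlib import Path

INCLUDE_DIRECTIVES = {"auto_prepend_file", "auto_append_file"}
# key = value, with an optional trailing ';' comment
LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*(?:;.*)?$")

def parse_user_ini(text):
    """Return {directive: value}; skips blanks, comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip("\"'")
    return settings

def find_suspicious_user_ini(webroot):
    """List (ini_path, directive, target, target_exists, target_is_php) for
    every .user.ini under webroot that sets an include directive. A relative
    target is checked against the .user.ini's own directory (assumption)."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        if ".user.ini" not in files:
            continue
        ini_path = Path(dirpath) / ".user.ini"
        settings = parse_user_ini(ini_path.read_text(errors="replace"))
        for directive in sorted(d for d in INCLUDE_DIRECTIVES if d in settings):
            target = settings[directive]
            resolved = Path(target) if os.path.isabs(target) else ini_path.parent / target
            findings.append((str(ini_path), directive, target,
                             resolved.is_file(), resolved.suffix.lower() == ".php"))
    return findings

def build_sample_webroot():
    """Constructed sample tree mirroring the article's setup: a .user.ini
    that prepends 01.gif next to echo.php, plus a clean subdirectory."""
    root = Path(tempfile.mkdtemp(prefix="userini-audit-"))
    (root / ".user.ini").write_text("; constructed sample\nauto_prepend_file=01.gif\n")
    (root / "01.gif").write_text("GIF89a <placeholder, no PHP here>\n")
    (root / "echo.php").write_text("<?php echo 'hello';\n")
    (root / "clean").mkdir()
    (root / "clean" / ".user.ini").write_text("display_errors = Off\n")
    return str(root)
```

Run `find_suspicious_user_ini("/path/to/webroot")` against a real document root; a hit whose target is not a .php file deserves a look, since a plain image or text file should never be prepended to every script.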

0x02 References:


  • php.net/manual/zh/i…
  • php.net/manual/zh/c…
  • php.net/manual/zh/c…
  • php.net/manual/zh/c…