Directory Traversal
Example: 192.168.203.128/test/mlbl.php?path=/
The path parameter is the input that drives the directory traversal.
Environment of the vulnerability
A site offers file downloads: the files are stored on the server, and a server-side script reads the file named in the request from that directory and returns it to the page. If the file name is not validated, this produces a directory traversal vulnerability.
Bypass techniques (from an expert's article: https://www.cnblogs.com/s0ky1xd/p/5823685.html ):
- Encrypted or encoded parameters
The web application encrypts or encodes the file name before it is submitted, for example: downfile.jsp?filename=ZmFuLnBkZg-
Here the filename parameter is Base64-encoded. To get around it, an attacker only has to encode the wanted file name the same way and submit that. Any encoding that is regular or easily recognised therefore still leaves the application at risk.
- Encoding bypass
Try different encodings to get past the filter, such as URL encoding: submit the parameter URL-encoded, downfile.jsp?filename=%66%61%6E%2E%70%64%66, to bypass it.
- Directory restriction bypass
Some web applications rely on directory permissions to keep the download directory separate. This is not reliable: special symbols such as ~ can get around it. A submission of the form downfile.jsp?filename=~/../boot will, if such a symbol is accepted, jump directly to a directory on the disk.
- Bypassing the file extension filter
Some web applications check the submitted file extension before reading the file. An attacker can put a null byte in the file name to bypass such file-type checks, for example: ../../../../boot.ini%00.jpg
The API the web application uses accepts a string containing a null character, but when the file name is actually fetched the system API truncates it at the null, so it resolves to ../../../../boot.ini
A URL-encoded line feed can also be used on Unix-like systems, for example: ../../../etc/passwd%0a.jpg
If the file system truncates a file name at a line break, the name is cut off there. You can also try %20, for example: ../../../index.jsp%20
- Bypassing origin verification
HTTP Referer: the Referer is part of the HTTP header. When the browser sends a request to the web server it usually carries a Referer, which tells the server which page the link came from.
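As an added example (not from these notes or the referenced article), a server-side validator in Python for a download endpoint like downfile.jsp?filename=, showing how each of the encoded, truncated and ~/.. file names listed above is refused before anything is read from disk. The download root, the extension allowlist and the function names are assumptions for this example.

```python
import base64
import os
import urllib.parse

# Assumed for this example: the only directory served from, and allowed extensions.
DOWNLOAD_ROOT = "/srv/www/downloads"
ALLOWED_EXTENSIONS = {".pdf", ".jpg", ".txt"}

class RejectedPath(ValueError):
    """Raised when a requested file name fails validation."""

def resolve_download(filename, root=DOWNLOAD_ROOT):
    """Return the absolute path to serve for a raw filename= value, else raise.
    Percent-decodes exactly once; skip that if the framework already decoded."""
    decoded = urllib.parse.unquote(filename)
    # NUL/CR/LF make a later API see a shorter name than the extension check did.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise RejectedPath("control character in filename")
    # Trailing whitespace (index.jsp%20) is dropped by some filesystems.
    if decoded != decoded.strip():
        raise RejectedPath("leading or trailing whitespace")
    # Refuse traversal and home-directory tokens rather than stripping them.
    parts = decoded.replace("\\", "/").split("/")
    if any(p in ("", ".", "..") or p.startswith("~") for p in parts):
        raise RejectedPath("path traversal token")
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
        raise RejectedPath("extension not allowed")
    # Canonicalise both sides, then require containment (holds even if a token slipped past).
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, target]) != root_real:
        raise RejectedPath("outside download root")
    return target

def resolve_base64_download(param, root=DOWNLOAD_ROOT):
    """Base64-wrapped variant (filename=ZmFuLnBkZg): the wrapper hides nothing
    from an attacker who can encode, so the same validation runs on the result."""
    padded = param + "=" * (-len(param) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise RejectedPath("parameter is not valid Base64")
    return resolve_download(decoded, root)

def why_rejected(param, base64_param=False):
    try:
        (resolve_base64_download if base64_param else resolve_download)(param)
    except RejectedPath as exc:
        return str(exc)
    return None
```

The containment check on canonical paths is the one that matters; the earlier checks only make the rejection reason explicit in logs.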
Another form of directory traversal
A misconfigured web server that exposes directory listings:
index of /
Search syntax for finding this directory traversal vulnerability:
intitle:index of
These are just study notes; where the content is incomplete it will be supplemented later as needed.