Web Hacking skills

Source: Internet
Author: User

Introduction

This is the second article in our web penetration exercise series (search our website for the translation of the first one). In this part we briefly introduce directory traversal, plus some tips on how crawlers harvest key information from web pages.

Exercise 8 Directory Traversal

Figure: a simple web page for viewing article content

In this exercise we open the PathTraversal directory. Inside it, index.php contains a simple form that submits a GET request; the server reads the file named in that request and displays its text content. When we click "View article", the following PHP code is triggered:

<?php
// If the article GET parameter is set
if (isset($_GET["article"])) {
    // Create a div block and fill it with the contents of the file named in the GET value.
    // Note: the value is used as-is, with no filtering at all.
    echo "<div id='article'>" . file_get_contents($_GET["article"]) . "</div>";
}
?>

The result is requested through this URL: http://localhost/2/PathTraversal/?article=1_1.htm

The browser then loads the article named in the GET request. The available article names are generated by the following select element:

<select name="article" required=""></select>

A legitimate user can call this interface directly to view the intended articles. Of course, an attacker wants more than that: compared with these legitimate articles, the server's configuration files, which were never meant to be published, are far more attractive. Let's see whether we can get at this important data.

Our task

1. Go up one directory and open the openme.txt file by modifying the URL value.

2. The constraint is that we can only reach this directory through the local server (that is, only from the browser, which is also the usual real-world situation), and we do not know what files the directory contains.

First, check whether the directory exists.

When we browse to the directory path, we find that the directory exists, and that it is protected by HTTP Auth. Your task is to find the user name and password in some way, but here we do not need the brute-force method from the previous article.

Tips

If we already know the directory is protected by HTTP Auth, we should naturally think of the .htaccess file on the server, so we try to open that file to see what it contains. We cannot access files directly here, so we need an unconventional means: directory traversal. As the code above shows, the PHP file does not filter the name of the file to be viewed, so we can try to view the file directly through it.

In the address bar, enter http://localhost/2/PathTraversal/?article=config/.htaccess. The file content is exposed.

In the same way, we can enter the userlist.htpasswd file name and dump all the user names and (hashed) passwords:

tomburrows:$apr1$ZF.78h2N$zhAaP2AY6VwxuELizJAwg.

The next step is to crack the hash. HTTP Auth uses unix crypt(3) style one-way encryption; specific methods can be found on the Internet.

Using directory traversal, we can find many useful files. For example, viewing php.ini reveals important configuration parameters.

A simple solution

<?php
// Determine whether the GET parameter is set
if (isset($_GET["article"])) {
    // Remove every "." and "/" from the GET value, because they can cause directory traversal
    $article = str_replace(array("/", "."), "", $_GET["article"]);
    // If the file does not exist, show a general error prompt
    if (!file_exists($article . ".htm")) {
        echo "<div id='article'>Article not found.</div>";
    } else {
        echo "<div id='article'>" . file_get_contents($article . ".htm") . "</div>";
    }
}
?>

The hosts file is accessed. The document format is as follows:

(Many foreign personal websites and blogs currently use this method to block some additional attacks.)

Then we try again to check whether the function still works.

When we enter a non-existent file, we find another problem: PHP emits a warning, which directly leaks information.

To solve this, edit the php.ini configuration file and turn off the display_errors setting.

When we access a non-existent file again, the error message is now what we want, and this access function also solves the directory traversal problem.

TIPS:

In earlier PHP versions (≤5.5.3), we can append %00 (a null byte) after the file name to bypass this suffix check.

The PHP check if (!file_exists($article . ".htm")) can be bypassed with the following URL:

http://localhost/2/PathTraversal/?article=accounts.txt%00

The ".htm" appended to accounts.txt is cut off by the server because of the special character %00, which bypasses our filtering mechanism.
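As an added example (not the page's PHP, and not from the exercise files), here is a Python reimplementation of the simple str_replace solution above, placed beside a stricter resolver that allowlists the article name and confirms the resolved path stays inside the article directory; it also shows that a null byte passes the simple filter untouched. The temporary directory, the 1_1.htm file and the probe names are constructed for the demonstration.

```python
import os
import re
import tempfile

# Constructed stand-in for the PathTraversal article directory (not the page's own files).
ARTICLE_DIR = tempfile.mkdtemp()
with open(os.path.join(ARTICLE_DIR, "1_1.htm"), "w") as f:
    f.write("<p>sample article</p>")


def simple_solution(article):
    """Mirror of the page's PHP fix: strip "/" and ".", then append ".htm".

    A NUL byte (the %00 from the TIPS section) is not stripped, so it reaches
    file_exists() untouched; the older PHP versions named above truncated the
    path at that byte."""
    name = article.replace("/", "").replace(".", "")
    return name + ".htm"


# Hardened resolver: only letters, digits and "_" are accepted, so "/", "\\", "."
# and NUL bytes are rejected before any filesystem call is made.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def resolve_article(article, base=ARTICLE_DIR):
    """Return the on-disk path for an article name, or None on any failure.

    None is returned for every rejected input so the caller can emit one generic
    error, matching the display_errors-off behaviour the page recommends."""
    if not SAFE_NAME.fullmatch(article):
        return None
    path = os.path.realpath(os.path.join(base, article + ".htm"))
    # Second line of defence: the resolved file must sit directly in the base directory.
    if os.path.dirname(path) != os.path.realpath(base):
        return None
    if not os.path.isfile(path):
        return None
    return path


if __name__ == "__main__":
    for probe in ["1_1", "../openme", "config/.htaccess", "accounts.txt\x00"]:
        print(repr(probe), "->", resolve_article(probe))
```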

Tips for crawling personal information

We all know that in many cases we insert a link such as <a href="mailto:sample@sample.com">Mail Me!</a> into a web page so that others can contact us. To some extent, however, this exposes our personal information: crawlers can harvest our e-mail address, and our inbox fills up with spam. Crawling this content is not very difficult.

Here is an example. I wrote a simple script which, combined with https://meanpath.com/ (a distributed crawler site similar to ZoomEye and Shodan), can retrieve "mailto:" and <a href="tel:xxx-xxxx"> information for such keywords. Because of MeanPath's restriction, we only get 100 records here.

Here we can use regular expressions to match e-mail addresses, including those containing special characters. For phone numbers, we only need to match the xxx-xxxx format. At the same time, our code must make sure that the crawled content is not duplicated in the list.

Below is part of our code (the author also recommends a good site for searching existing code, which can simplify our work: http://www.nerdydata.com ):

First, the first part of the code. Here we create a MeanPath class that includes a mine_elements() function, which puts all the results returned by MeanPath into one group, and a filter_elements() function, which picks out the qualifying data and ensures there are no duplicates:

The second part of the code: the display_data() function displays the data in the browser, and the save_data_to_file() function saves the selected data to a file with a random file name.

In this way, the e-mail information on the web page is crawled.

In addition, the common practice of writing sample [at] sample [dot] com or sample [at] sample. com to "encrypt" an address against crawlers is of little significance and does not make our data much safer, because we only need a regular expression replacement to match it.
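The mine_elements()/filter_elements() structure described above, together with the point that [at]/[dot] spelling gives no real protection, as one added Python example that is not the author's script: it parses a constructed HTML sample offline (no MeanPath requests), so the class name MeanPathLike, the regexes and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not MeanPath output) containing the contact formats the article mentions.
SAMPLE_HTML = """
<a href="mailto:alice@example.com">Mail Me!</a>
<a href="mailto:alice@example.com">Mail Me again</a>
<a href="tel:555-0100">Call</a>
<p>Reach bob [at] example [dot] com or carol [at] example.com</p>
<p>Office: 555-0199</p>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b\d{3}-\d{4}\b")        # the xxx-xxxx format from the article
OBFUSCATED_RE = re.compile(r"\s*\[\s*(at|dot)\s*\]\s*", re.IGNORECASE)

class MeanPathLike(HTMLParser):
    """Hypothetical stand-in for the article's MeanPath class, working on local HTML."""
    def __init__(self):
        super().__init__()
        self.raw = []            # everything mine_elements() collected, duplicates included
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and value.startswith(("mailto:", "tel:")):
                    self.raw.append(value.split(":", 1)[1])
    def handle_data(self, data):
        self.raw.append(data)    # visible text may hold obfuscated addresses or bare numbers
    def mine_elements(self, html):
        self.feed(html)
        self.close()             # flush any buffered trailing text
        return self.raw
    def filter_elements(self):
        # Undo "[at]"/"[dot]" spelling, apply the regexes and drop duplicates (order kept).
        emails, phones = [], []
        for item in self.raw:
            text = OBFUSCATED_RE.sub(lambda m: "@" if m.group(1).lower() == "at" else ".", item)
            for e in EMAIL_RE.findall(text):
                if e.lower() not in emails:
                    emails.append(e.lower())
            for p in PHONE_RE.findall(text):
                if p not in phones:
                    phones.append(p)
        return emails, phones

def harvest(html):
    parser = MeanPathLike()
    parser.mine_elements(html)
    return parser.filter_elements()
```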

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.