0x01 危害说明
下载服务器任意文件,例如脚本代码、系统配置文件、等等可用的代码进行代码审计或是获取系统ssh进行登录、获取数据库账号密码进行连接等等
0x02 任意文件读取-利用与代码
0x02.1 例子一
0x02.1.1 代码
<?php
$filename = $_GET['file'];
readfile($filename);
?>
<?php
$filename = $_GET['file'];
$fp = fopen($filename,"r") or die("Unable to open file!");
$data = fread($fp,filesize($filename));
fclose($fp);
echo $data;
?>
<?php
$filename = $_GET['file'];
echo file_get_contents($filename);
?>
0x02.1.1 利用
打开: http://atest.test/download.php?file=./1.txt
0x02.2 例子二
0x02.2.1 代码
<?php
$filename = $_GET['file'];
copy($filename, 'xxx.txt');
?>
0x02.2.1 利用
打开: http://atest.test/test.php?file=./1.txt
打开完毕以后, copy() 函数会把数据复制到 xxx.txt 里面
打开: http://atest.test/xxx.txt
0x03 任意文件下载-利用与代码
0x03.1 利用代码
<?php
$filename = $_GET['file'];
header("Content-type:application/octet-stream");
header("Content-Disposition:attachment;filename=" . $filename);
header("Accept-ranges:bytes");
header("Accept-length:".filesize($filename));
readfile($filename);
?>
0x03.2 利用
打开: http://atest.test/download.php?file=./任意文件下载测试.txt
0x04 漏洞挖掘的方法
多多关注一些参数如下:
download.php?path=./../etc/passwd
download.php?Path=
download.php?path=
download.php?RealPath=
download.php?FilePath=
download.php?filepath=
download.php?inputFile=
download.php?url=
download.php?urls=
download.php?dir=
download.php?data=
download.php?readfile=
download.php?src=
等等....