Shulou(Shulou.com)06/01 Report--

Editor to share with you big data in any file reading and download principle and repair example analysis, I believe that most people do not know much about it, so share this article for your reference, I hope you will learn a lot after reading this article. Let's learn about it!

Read and download any file

Due to the business needs of some websites, it is often necessary to provide a module for reading or downloading files, but if there is no whitelist or restriction on reading or downloading, it may cause malicious attackers to read and download some sensitive information (etc/passwd, etc.) and make further attacks and threats to the server.

Principle

There are no restrictions on reading downloaded files

Vulnerability exploitation mode

Since we don't know the path of sensitive files, we can use.. / (return to the last directory) to guess in turn to make the exploit obscene.

For example

Index.php?a=../etc/passwd

Index.php?a= file:///etc/passwd

Note: if the file is parsed, the file is included, and if prompted to download or display the source code, the file is downloaded or read.

1. If the file is parsed, the file contains a vulnerability.

two。 If the source code is displayed, it is a file viewing vulnerability.

3. If it is prompted to download, it is a file download vulnerability.

The harm of the vulnerability:

Through any file download, you can download any file of the server, the code of the web service, the specific configuration information of the server and the system, the configuration information of the database, and the information detection of the intranet, and so on.

Generally speaking, the use of arbitrary file download vulnerabilities is mainly for information collection. Through downloading server configuration files, we get a large amount of configuration information and source code, thus further mining server vulnerabilities and invading according to the obtained information. Here are some download utilization files:

Windows:

C:\ boot.ini / / View the system version

C:\ Windows\ System32\ inetsrv\ MetaBase.xml / / IIS configuration file

C:\ Windows\ repair\ sam / / password for the first installation of the storage system

C:\ Program Files\ mysql\ my.ini / / Mysql configuration

C:\ Program Files\ mysql\ data\ mysql\ user.MYD / / Mysql root

C:\ Windows\ php.ini / / php configuration information

C:\ Windows\ my.ini / / Mysql configuration information

A basic system configuration file for C:\ Windows\ win.ini / / Windows system

Linux:

/ root/.ssh/authorized_keys

/ root/.ssh/id_rsa

/ root/.ssh/id_ras.keystore

/ root/.ssh/known_hosts / / record the public key of each user accessing the computer

/ etc/passwd

/ etc/shadow

/ etc/my.cnf / / mysql configuration file

/ etc/httpd/conf/httpd.conf / / apache configuration file

/ root/.bash_history / / user history command log file

/ root/.mysql_history / / mysql historical command record file

/ proc/mounts / / the recording system mounts the device

/ porc/config.gz / / Kernel configuration file

/ var/lib/mlocate/mlocate.db / / full file path

/ porc/self/cmdline / / the cmdline parameter of the current process

Actual combat

First of all, I came to this URL and found that there is a download function to click to view url.

Http://192.168.1.100/pikachu/pikachu-master/vul/unsafedownload/execdownload.php?filename=kb.png

Filename=xxx, try to download the 1.php file under my D drive.

Http://192.168.1.100/pikachu/pikachu-master/vul/unsafedownload/execdownload.php?filename=../../../../../../../1.php

Download it locally successfully and download other sensitive files in the same way

Detailed utilization of ideas

JSP site

Try to download the tomcat-users.xml file, which stores the account password for managing Tomcat. The file is located in the Tomcat installation directory / conf/tomcat-users.xml. After downloading the file, you can get the administrator account password, then log in to the management background and deploy the war package with Trojan files.

Aspx site

Aspx sites are usually backed by SQL Server databases, so the easiest way to exploit this vulnerability is to download the web.config file at the root of the site, which generally contains the user name and password of the database.

Asp site

General asp sites are Access database, and Access database can be downloaded directly, so the easier way to take advantage of this loophole is to download Access database directly, find the administrator password to log in to the background, and use the background upload function to upload shell. The first goal is to find the database file name and the path where it is stored. Find dynamic pages for website and database operations. Dynamic pages generally use include to contain configuration files that connect to the database. Generally speaking, the management background page of a website contains this information, so you can use any file download vulnerability to download the management background page, such as admin.asp/mamage.asp and so on. The path and file name of the database file are usually written in these files. Downloading database files directly may not be possible, because administrators generally impose restrictions on downloading mdb files directly, and you can use arbitrary file download vulnerabilities to download database files.

Php site

Php generally uses MySQL databases, while MySQL databases generally prohibit remote connections, but can be managed using phpMyAdmin. Agree, try to download the database connection file, conf/config.php, etc., after obtaining the database account password, if you have root permission, try to write a sentence to the Trojan horse directly if you know the absolute path to the website.

The purpose of downloading and reading is the same, to obtain sensitive information about the server.

Of course, there can be many uses, anyway, try to go through all the important configuration files and code, and infiltrate it as much as possible.

Repair scheme

1. Filter sensitive characters such as.. / so that users cannot trace back to the parent directory in url

two。 When downloading a file, the best way to determine the input path is that the file should correspond one to one in the database to avoid getting the file by entering an absolute path.

3.php.ini configuration open_basedir limits file access

The above is all the contents of this article entitled "sample Analysis of the principle and repair of Reading and downloading of any File in big data". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.