先好好審題:
根目錄下面有key.txt文件,我們需要想辦法訪問它
漏洞查詢:https://www.anquanke.com/vul/id/1124864
漏洞細節:
1 DETAILS 2 ------- 3 The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server). 4 5 ; jail our php environment to project_dir 6 php-docroot = %(project_dir) 7 8 During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application. 9 10 uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/ 11 12 An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below: 13 14 http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
大致意思是“..%2f”可以造成目錄遍歷漏洞,上面他也舉例了
嘗試用他的例子查看返回什么內容:
結果返回not Found
可能是..%2f(/的url編碼)太多了,刪除一個,發現返回內容:
那么把etc/password修改成key.txt就可以訪問該目錄下的key了:
