How to reproduce the arbitrary file download vulnerability in the Webug practice range
Brief description of the vulnerability:
Some websites need to offer file viewing or download functions. If the files a user is allowed to view or download are not restricted, a malicious user can view or download sensitive files such as configuration files and source code.
Cause of vulnerability:
There is a function that reads files.
The path of the file being read is user-controllable and is either not validated or validated too loosely.
The file content is returned to the user.
Vulnerability hazard:
Arbitrary files can be downloaded from the server, such as script source, service and system configuration files, and the information obtained can then be used to cause further harm.
The downloaded code can be audited to find more exploitable vulnerabilities.
Experimental environment: Webug practice range
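As an added example (not code from the Webug range or from the original article), the following Python sketch shows the check whose absence causes this class of bug: the user-supplied name is resolved and refused if it escapes the download directory or is not an allowed file type. The directory layout, file names and extension list are constructed for the demo; Webug itself is written in PHP, but the check is the same in any language.

```python
import os
import tempfile
from typing import Dict, Optional

# File types the download endpoint is allowed to serve (constructed for the demo).
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".png"}


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path to serve, or None if the request must be refused.

    The user-controlled name is accepted only if, after '..' and symlink
    resolution, it still lies inside base_dir, has an allowed extension and
    names a regular file. Refusals reveal nothing about the filesystem.
    """
    base_real = os.path.realpath(base_dir)
    # An absolute 'requested' would override base_dir in join(); realpath then
    # normalises '..' segments so the containment check sees the true target.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None  # escaped the download root
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None  # e.g. .php sources are never served raw
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a throwaway layout (constructed) and exercise the check."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.makedirs(downloads)
    with open(os.path.join(downloads, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    # A config file outside the download root, like dbConfig.php in the write-up.
    with open(os.path.join(root, "dbConfig.php"), "w") as fh:
        fh.write("<?php $password = 'constructed-sample'; ?>\n")
    return {
        "legit": resolve_download_path(downloads, "report.pdf") is not None,
        "normalized": resolve_download_path(downloads, "sub/../report.pdf") is not None,
        "traversal": resolve_download_path(downloads, "../dbConfig.php") is None,
        "absolute": resolve_download_path(downloads, root + "/dbConfig.php") is None,
        "php_in_root": resolve_download_path(downloads, "dbConn.php") is None,
    }
```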
Homepage
Capture the request with Burp Suite
We change the path in the URL to and send the request to the Repeater module
Send the request from the Repeater module and read the returned code
Forward the request and check whether the file can be downloaded
Download it and audit the code
A path is found
Download it using the same method
We find dbConn.php, preceded by a DATAPATH constant
This is probably a folder name
Let’s try it
No response, so that folder must not exist
Changed it to data
and found dbConfig.php
Download it
The database password is revealed
The above is the detailed content of How to reproduce arbitrary file download vulnerability in Webug shooting range. For more information, please follow other related articles on the PHP Chinese website!