Exploiting and Correcting Path Traversal Vulnerability


Question


I have a Java Web App running on Tomcat on which I'm supposed to exploit a Path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from the browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available. Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web root directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?


Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...

Answer


Sorry about the downvotes. Security is very important, and should be taught.


Do you pass in the file name to be used?


The check that the server does is probably something like "If location starts with "/tmp" then allow it". So what you want to do is pass `/tmp/../home/webapp/`?


Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.
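The two problems the answer points at (a plain string-prefix check on the target location, and zip entry names containing `../`) have the same fix on the extraction side: canonicalize the resolved path of every entry and require it to sit strictly under the extraction directory before writing anything. The following Java program is an added illustration of that correction, not code from the question's web app or from the answer; the class and method names (`SafeUnzip`, `naivePrefixCheck`, `isInsideDirectory`, `extract`) and the in-memory test archive are assumptions made for the example. It needs Java 9 or later for `InputStream.transferTo`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    // The flawed check the answer guesses at: a text prefix test accepts
    // "/tmp/../home/webapp/" because the string starts with "/tmp".
    static boolean naivePrefixCheck(String allowedDir, String candidate) {
        return candidate.startsWith(allowedDir);
    }

    // Corrected check: canonicalize both sides (this resolves "..", symlinks
    // and redundant separators) and compare with the separator appended, so
    // that "/tmp2/x" is not accepted as being inside "/tmp".
    static boolean isInsideDirectory(File targetDir, String entryName) throws IOException {
        String dirPath = targetDir.getCanonicalPath() + File.separator;
        String filePath = new File(targetDir, entryName).getCanonicalPath();
        return filePath.startsWith(dirPath);
    }

    // Extracts only entries that resolve inside targetDir and returns the
    // names that were refused, so the caller can log them as an audit signal.
    static List<String> extract(InputStream zipStream, File targetDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                if (!isInsideDirectory(targetDir, entry.getName())) {
                    rejected.add(entry.getName());   // validated before any write
                    zis.closeEntry();
                    continue;
                }
                File out = new File(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    out.mkdirs();
                } else {
                    out.getParentFile().mkdirs();
                    try (OutputStream os = new FileOutputStream(out)) {
                        zis.transferTo(os);          // Java 9+
                    }
                }
                zis.closeEntry();
            }
        }
        return rejected;
    }

    // Constructed test input: one benign entry and one whose name climbs out
    // of the extraction directory, built in memory so the example runs offline.
    static byte[] buildTestZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("report.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("must never be written".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File target = Files.createTempDirectory("upload-").toFile();
        System.out.println("naive prefix check accepts /tmp/../home/webapp/: "
                + naivePrefixCheck("/tmp", "/tmp/../home/webapp/"));
        List<String> rejected = extract(new ByteArrayInputStream(buildTestZip()), target);
        System.out.println("rejected entries: " + rejected);
        System.out.println("report.txt extracted: " + new File(target, "report.txt").exists());
        System.out.println("escaped.txt landed outside target: "
                + new File(target.getParentFile(), "escaped.txt").exists());
    }
}
```

Running `main` shows the naive check returning `true` for the `/tmp/../home/webapp/` string while `extract` refuses the `../escaped.txt` entry and writes only `report.txt` into the temporary directory. The important design point is that the decision is made on the canonical path of where the file would actually land, not on the text of the entry name, so encoding tricks in the name do not change the outcome.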
