验证Web服务器中的路径遍历漏洞 [英] Verify path traversal vulnerability in web server

问题描述

我想验证我的Web应用程序没有路径遍历漏洞.

I want to verify that my web application does not have a path traversal vulnerability.

我正试图为此使用curl，

$ curl -v http://www.example.com/directory/../

我希望对/directory/../ URL显式发出HTTP请求，以测试涉及代理的特定nginx规则不易受到路径遍历的影响.即，我希望发送此HTTP请求:

I would like the HTTP request to be explicitly made to the /directory/../ URL, to test that a specific nginx rule involving proxy is not vulnerable to path traversal. I.e., I would like this HTTP request to be sent:

> GET /directory/../ HTTP/1.1

但是curl正在重写有关/ URL的请求，如输出所示:

But curl is rewriting the request as to the / URL, as can be seen in the output:

* Rebuilt URL to: http://www.example.com/
(...)
> GET / HTTP/1.1

是否可以使用curl进行此测试，强制其在请求中传递确切的URL?如果没有，什么合适的方法呢?

Is it possible to use curl for this test, forcing it to pass the exact URL in the request? If not, what would be an appropriate way?

推荐答案

您要查找的curl标志是curl --path-as-is.

The curl flag you are looking for is curl --path-as-is .

这篇关于验证Web服务器中的路径遍历漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！