Exploiting and Correcting Path Traversal Vulnerability

会有一股神秘感。 Submitted on 2019-12-22 12:18:07

Question


I have a Java Web App running on Tomcat on which I'm supposed to exploit a path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from the browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available. Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web root directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?

Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...


Answer 1:


Sorry about the downvotes. Security is very important, and should be taught.

Do you pass in the file name to be used?

The check that the server does is probably something like "if location starts with /tmp then allow it". So what you want to do is pass `/tmp/../home/webapp/`?

Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.




Answer 2:


To protect against this kind of vulnerability you are looking for something like this:

 // JSP scriptlet / servlet-style handler: "request" and "out" are the usual
 // HttpServletRequest and JspWriter objects, loadfile() is the app's own helper.
 String somedirectory = "c:/fixed_directory/";
 String file = request.getParameter("file");
 if (file == null || file.indexOf(".") > -1)
 {
   // missing parameter, or it contains a "." (so "../" and "..\" are blocked): disallow
   out.print("stop trying to hack");
   return;
 }
 else
 {
   // load the specified file from the fixed directory and print it to the screen
   loadfile(somedirectory + file + ".txt");
   // .....
 }

If you just were to pass the variable "file" to your loadfile function without checking, then someone could make a link to load any file they want. See https://www.owasp.org/index.php/Path_Traversal
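As an added example (not code from the question or either answer), the following Java helper shows the canonicalisation check that both answers circle around: Answer 1's zip entry containing "../" and Answer 2's user-supplied file name are both resolved against a fixed base directory and rejected if, after normalisation, they no longer sit underneath it. The class name SafePaths and the method names resolveInside and extractSafely are assumptions chosen for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

// Hypothetical helper class; not part of the original answers.
public class SafePaths {

    /** Resolve a user-supplied name against baseDir and reject anything that
     *  escapes it once "." and ".." segments are collapsed. A "starts with /tmp"
     *  string test is not enough: "/tmp/../etc/x" passes that but fails here. */
    public static Path resolveInside(Path baseDir, String userName) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() keeps an absolute userName as-is, normalize() folds ".." away;
        // Path.startsWith compares whole path elements, so "/tmpfoo" is not "/tmp"
        Path candidate = base.resolve(userName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + userName);
        }
        return candidate;
    }

    /** Extract an uploaded zip into targetDir, refusing any entry (for example
     *  one named "../escape.jsp") that would be written outside targetDir.
     *  Returns the number of regular files written. */
    public static int extractSafely(InputStream upload, Path targetDir) throws IOException {
        int written = 0;
        try (ZipInputStream zis = new ZipInputStream(upload)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // every entry name goes through the same containment check
                Path dest = resolveInside(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING);
                    written++;
                }
                zis.closeEntry();
            }
        }
        return written;
    }
}
```

For Answer 2's case the call is resolveInside(Paths.get("c:/fixed_directory"), file + ".txt"), which also lets legitimate names containing a "." through while still rejecting traversal.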



Source: https://stackoverflow.com/questions/19504327/exploiting-and-correcting-path-traversal-vulnerability
