3 Directory traversal (directory traversal attacks)

Contents

    • 3 Directory traversal (directory traversal attacks)
  • 1. What
  • 2. Reading arbitrary files via directory traversal
    • Lab: File path traversal, simple case
  • 3. Common obstacles to exploiting file path traversal vulnerabilities
    • Lab: File path traversal, traversal sequences blocked with absolute path bypass
    • Lab: File path traversal, traversal sequences stripped non-recursively
    • Lab: File path traversal, traversal sequences stripped with superfluous URL-decode
    • Lab: File path traversal, validation of start of path
    • Lab: File path traversal, validation of file extension with null byte bypass
  • 4. How to prevent a directory traversal attack

In this section, we'll explain what directory traversal is, describe how to carry out path traversal attacks and circumvent common obstacles, and spell out how to prevent path traversal vulnerabilities.

1. What

What is directory traversal?

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

2. Reading arbitrary files via directory traversal

Reading arbitrary files via directory traversal

  1. Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:
    <img src="/loadImage?filename=218.png">

  2. The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk in the location /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In the above case, the application reads from the following file path:
    /var/www/images/218.png

  3. The application implements no defenses against directory traversal attacks, so an attacker can request the following URL to retrieve an arbitrary file from the server's filesystem:
    https://insecure-website.com/loadImage?filename=../../../etc/passwd

  4. This causes the application to read from the following file path:
    /var/www/images/../../../etc/passwd

  5. The sequence ../ is valid within a file path, and means to step up one level in the directory structure. The three consecutive ../ sequences step up from /var/www/images/ to the filesystem root, and so the file that is actually read is:
    /etc/passwd

  6. On Unix-based operating systems, this is a standard file containing details of the users that are registered on the server.
    Memory aid for the two slashes: \ (backslash) marks a directory on Windows; / (forward slash) is the division sign.

  7. On Windows, both ../ and ..\ are valid directory traversal sequences, and an equivalent attack to retrieve a standard operating system file would be:
    https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

Lab: File path traversal, simple case

This lab contains a file path traversal vulnerability in the display of product images.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value ../../../etc/passwd.
  3. Observe that the response contains the contents of the /etc/passwd file.





3. Common obstacles to exploiting file path traversal vulnerabilities

Common obstacles to exploiting file path traversal vulnerabilities

  1. Many applications that place user input into file paths implement some kind of defense against path traversal attacks, and these can often be circumvented.

  2. If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques.

  3. You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.

  4. You might be able to use nested traversal sequences, such as ....// or ....\/, which will revert to simple traversal sequences when the inner sequence is stripped.

  5. You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter.

  6. If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. For example:
    filename=/var/www/images/../../../etc/passwd

  7. If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension. For example:
    filename=../../../etc/passwd%00.png

Lab: File path traversal, traversal sequences blocked with absolute path bypass

This lab contains a file path traversal vulnerability in the display of product images.

The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value /etc/passwd.
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, traversal sequences stripped non-recursively

This lab contains a file path traversal vulnerability in the display of product images.

The application strips path traversal sequences from the user-supplied filename before using it.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value: ....//....//....//etc/passwd
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, traversal sequences stripped with superfluous URL-decode

This lab contains a file path traversal vulnerability in the display of product images.

The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value ..%252f..%252f..%252fetc/passwd
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, validation of start of path

This lab contains a file path traversal vulnerability in the display of product images.

The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value /var/www/images/../../../etc/passwd
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, validation of file extension with null byte bypass

This lab contains a file path traversal vulnerability in the display of product images.

The application validates that the supplied filename ends with the expected file extension.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value ../../../etc/passwd%00.png
  3. Observe that the response contains the contents of the /etc/passwd file.


4. How to prevent a directory traversal attack

  1. The most effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether.
  2. Many application functions that do this can be rewritten to deliver the same behavior in a safer way.
  3. If it is considered unavoidable to pass user-supplied input to filesystem APIs, then two layers of defense should be used together to prevent attacks:
  • The application should validate the user input before processing it. Ideally, the validation should compare against a whitelist of permitted values. If that isn't possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
  • After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. It should verify that the canonicalized path starts with the expected base directory.

Below is an example of some simple Java code to validate the canonical path of a file based on user input:

File file = new File(BASE_DIRECTORY, userInput);
// getCanonicalPath() resolves "..", "." and symlinks, so the prefix test runs on the real path;
// BASE_DIRECTORY should end with a separator, otherwise a sibling such as /var/www/images-old also passes
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}
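The following Python is an added example covering both section 3 (the flawed filters) and section 4 (the canonical-path check); it is not code from the original post or from PortSwigger. It models each defence as a pure string function, so nothing is read from disk, and runs the page's own lab inputs through the flawed filters and through the hardened check side by side. BASE_DIRECTORY, the function names and the sibling-directory test value are assumptions made for the illustration.

```python
"""Flawed path filters from section 3 versus the canonical-path check from
section 4, evaluated on the lab inputs. Added example; all names are assumed."""
import posixpath
from typing import Dict, Optional
from urllib.parse import unquote

BASE_DIRECTORY = "/var/www/images"   # assumed image root, as in the text

# Lab inputs as the application receives them after the web framework's single
# URL-decode (so the double-encoded value ..%252f arrives as ..%2f).
PAYLOADS = {
    "simple":         "../../../etc/passwd",
    "absolute":       "/etc/passwd",
    "nested":         "....//....//....//etc/passwd",
    "double_encoded": "..%2f..%2f..%2fetc/passwd",
    "start_of_path":  "/var/www/images/../../../etc/passwd",
    "null_byte":      "../../../etc/passwd\x00.png",
}


def open_path(name: str) -> str:
    """Path a C-style filesystem API opens when the app joins BASE_DIRECTORY and name.

    posixpath.join discards the base when name is absolute (the filename is used
    as-is, i.e. relative to the working directory), and a NUL byte terminates
    the C string, so anything after it is ignored.
    """
    joined = posixpath.join(BASE_DIRECTORY, name).split("\x00", 1)[0]
    return posixpath.normpath(joined)


# --- the flawed defences described in section 3 ---------------------------

def blocks_dotdot(name: str) -> bool:
    """Reject any input containing '../' (an absolute path contains none)."""
    return "../" not in name


def strip_once(name: str) -> str:
    """Remove '../' once, non-recursively: '....//' collapses to '../'."""
    return name.replace("../", "")


def block_then_decode(name: str) -> Optional[str]:
    """Check the value for '../', then URL-decode it a second time before use."""
    if "../" in name:
        return None
    return unquote(name)


def starts_with_base(name: str) -> bool:
    """Only check that the raw string begins with the base folder."""
    return name.startswith(BASE_DIRECTORY)


def ends_with_png(name: str) -> bool:
    """Only check the suffix of the string the application sees."""
    return name.endswith(".png")


def weak_filter_results() -> Dict[str, Optional[str]]:
    """Per lab: the path the flawed filter lets the file API open (None = blocked)."""
    p = PAYLOADS
    out: Dict[str, Optional[str]] = {}
    out["simple"] = open_path(p["simple"]) if blocks_dotdot(p["simple"]) else None
    out["absolute"] = open_path(p["absolute"]) if blocks_dotdot(p["absolute"]) else None
    out["nested"] = open_path(strip_once(p["nested"]))
    decoded = block_then_decode(p["double_encoded"])
    out["double_encoded"] = open_path(decoded) if decoded is not None else None
    out["start_of_path"] = open_path(p["start_of_path"]) if starts_with_base(p["start_of_path"]) else None
    out["null_byte"] = open_path(p["null_byte"]) if ends_with_png(p["null_byte"]) else None
    return out


# --- the defence from section 4 -------------------------------------------

def canonical_path_check(name: str) -> Optional[str]:
    """Join, canonicalise, then require the base directory as a whole path prefix.

    Comparing against BASE_DIRECTORY + '/' rather than the bare string stops a
    sibling such as /var/www/images-old from passing the prefix test.
    """
    if "\x00" in name:                     # a NUL can never be part of a real filename
        return None
    canonical = posixpath.normpath(posixpath.join(BASE_DIRECTORY, name))
    return canonical if canonical.startswith(BASE_DIRECTORY + "/") else None


def hardened_results() -> Dict[str, Optional[str]]:
    """Per lab: what the canonical check allows (None = rejected)."""
    return {label: canonical_path_check(value) for label, value in PAYLOADS.items()}


if __name__ == "__main__":
    weak, hard = weak_filter_results(), hardened_results()
    for label in PAYLOADS:
        print(f"{label:15} weak filter -> {weak[label]!s:12} canonical check -> {hard[label]}")
```

Two results deserve a closer look. The nested and double-encoded inputs are not rejected by the canonical check; they resolve to literal names such as `/var/www/images/..../..../..../etc/passwd` that stay inside the base directory and simply do not exist, which is the correct outcome because the application no longer strips or re-decodes anything. The `../images-old/x.png` case in the test shows why the prefix comparison includes the trailing separator.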
