Many Web applications have a function that reads a file on the server and returns it to the viewer, usually taking the file name as a submitted parameter, like: http://www.nuanyue.com/getfile=image.jgp

When the server processes the submitted file name image.jpg, the Web application automatically prepends the full path, for example "d://site/images/image.jpg", reads the file and returns its contents to the visitor.

At first glance this is just a simple file interaction, but because the file name can be changed arbitrarily and the server accepts "~/", "../" and similar directory-backtracking sequences, an attacker can read or overwrite sensitive data without authorization, such as website configuration files or system core files. This defect is called a path traversal vulnerability. When you examine ordinary Web applications you often find it, but it is relatively well hidden.

Discovering path traversal vulnerabilities

Path traversal vulnerabilities are mainly detected in the file-reading function blocks of a Web application. Faced with a reading mode such as:

"Http://www.nuanyue.com/test/downfile.jsp?filename=fan.pdf"

we can test with "../".

For example, submit the URL parameter "getfile=/fan/fan/../../*53.pdf". The system parses this as "d://site/test/pdf/fan/fan/../../*53.pdf"; the two "../" sequences jump back out of the "/fan" directories, so the path becomes "d://site/test/pdf/*53.pdf" and a normal file-read page is returned.

Path traversal vulnerabilities generally hide in file-reading or picture-display function blocks where the file name is submitted as a parameter, which shows that filtering interactive data is absolutely necessary. A malicious attacker would of course use the file read permission for cross-directory access, such as reading controlled files like "../../../../../../../etc/passwd" or "../../../../boot.ini". Of course, some websites now have protective devices that directly intercept any request containing a file name such as /etc/passwd or boot.ini.

Variations of path traversal attacks

Path traversal vulnerabilities are common. During development of a Web application the passed parameters are often consciously filtered or simply stripped, but risky filtering can generally be broken through with the following methods. Here are some bypass methods; in actual operation they can of course be combined.

(1) Encrypted parameter data;

The file name is submitted after being encrypted the same way the Web application does it, for example "downfile.jsp?filename=ZmFuLnBkZg-", where filename is Base64-encoded. The attacker can bypass this simply by encoding the file name and submitting it. So using encryption that is regular or easily recognized carries risk.

(2) Encoding bypass;

Try to get around the filtering with different encoding conversions, such as URL encoding, by URL-encoding the parameter: "downfile.jsp?filename=%66%61%6E%2E%70%64%66".

(3) directory qualification bypass;

Some Web applications isolate files by restricting directory permissions. Such a method is not reliable; attackers can use some special symbol "" to bypass it. Submit "downfile.jsp?filename=/../boot"; with such a symbol you can jump directly to the root of the hard disk.

(4) Bypass file suffix filtering;

Some Web applications check the submitted file suffix before reading the file; an attacker can bypass such file-type checks by placing an encoded null byte after the file name, for example ../../../../boot.ini%00.jpg. The API used by the Web application allows the string to contain null characters, but when it is passed as the actual file name the system API truncates it at the null, so it resolves to "../../../../boot.ini". On Unix-like systems a URL-encoded newline can also be used, for example ../../../etc/passwd%0a.jpg: if the file system receives a file name containing a newline character, the name is truncated at that point. You can also try %20, for example ../../../index.jsp%20.

(5) Bypass validation.

HTTP Referer: the Referer is part of the HTTP header. When a browser sends a request to a Web server it usually carries the Referer along to tell the server which page the request is linked from.

Some Web applications check how the parameter was submitted. The bypass is to post the URL in a message board or other interaction area of the website and click it, or to directly modify the HTTP Referer. This works mainly because the Referer is sent by the client browser and cannot be controlled by the server, so treating this variable as a trusted source is a mistake.
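Every bypass listed above (URL encoding, Base64-encoded parameters, NUL and newline truncation, the Referer trick) still leaves the real file name in the request log once the parameter is decoded. The following is an added example, not code from the original article, that scans constructed access-log lines, decodes the `filename` parameter through the encodings named above, and reports the traversal indicators it finds. The log lines, IP addresses and the `SENSITIVE_RE` list are assumptions chosen for the demonstration.

```python
"""Detect path-traversal attempts in web access logs.

Added example (not code from the original article). The log lines below are
constructed; the decoded-value checks mirror the bypass variants the article
lists (URL encoding, Base64 parameters, NUL/newline truncation).
"""
import base64
import binascii
import re
import urllib.parse

# Constructed sample log in common log format; the Base64 value decodes to
# "../../../etc/passwd" and the %00 line is the null-byte suffix bypass.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /test/downfile.jsp?filename=fan.pdf HTTP/1.1" 200 5120
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /test/downfile.jsp?filename=../../../../boot.ini%00.jpg HTTP/1.1" 200 312
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /test/downfile.jsp?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /test/downfile.jsp?filename=Li4vLi4vLi4vZXRjL3Bhc3N3ZA== HTTP/1.1" 200 1803
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /test/downfile.jsp?filename=report%202024.pdf HTTP/1.1" 200 9000
"""

IP_RE = re.compile(r"^(?P<ip>\S+)")
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
# A ".." path segment, with either separator, at the start or after a slash.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# File names the article names as classic targets (assumed list, extend as needed).
SENSITIVE_RE = re.compile(r"(?:/etc/passwd|/etc/shadow|boot\.ini|win\.ini)", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def candidate_decodings(value):
    """Return the raw value plus its URL-decoded and Base64-decoded forms."""
    forms = []
    current = value
    for _ in range(3):  # a few rounds of unquote expose double encoding
        forms.append(current)
        nxt = urllib.parse.unquote(current)
        if nxt == current:
            break
        current = nxt
    last = forms[-1]
    # Only treat the value as Base64 if it has the right alphabet and length
    # and decodes to valid UTF-8 text; otherwise leave it alone.
    if len(last) % 4 == 0 and BASE64_RE.fullmatch(last):
        try:
            forms.append(base64.b64decode(last, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            pass
    return forms


def classify_value(value):
    """Return a sorted list of traversal indicators found in any decoding."""
    reasons = set()
    for form in candidate_decodings(value):
        if TRAVERSAL_RE.search(form):
            reasons.add("dot-dot segment")
        if "\x00" in form:
            reasons.add("NUL byte")
        if "\n" in form or "\r" in form:
            reasons.add("newline")
        if SENSITIVE_RE.search(form):
            reasons.add("sensitive file name")
    return sorted(reasons)


def scan_log(text):
    """Scan log text; return one hit dict per query parameter with indicators."""
    hits = []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        ip = IP_RE.match(line)
        if not req or not ip:
            continue
        query = urllib.parse.urlsplit(req.group("path")).query
        # parse_qsl already applies one round of URL decoding (%00 -> NUL).
        for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                hits.append({"ip": ip.group("ip"), "param": key,
                             "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["param"], hit["reasons"])
```

Note that an in-directory path such as the article's "/fan/fan/../../*53.pdf" is also flagged, by design: a "../" segment in a user-supplied file name is unusual enough to deserve review even when it stays inside the intended directory.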

Defending against path traversal vulnerabilities

The most effective defence against path traversal is to control permissions and to handle carefully any parameter path that is passed to a file system API. Most directory and file permissions are not reasonably configured, and Web applications mostly read files through the API of the system itself; if the parameter is not strictly controlled on its way to that API, over-authorization results. Web applications can therefore take the following defensive approaches, preferably in combination.

(1) Data purification: hard-code or uniformly encode the file names submitted by website users, control file suffixes with a whitelist, and reject malicious symbols or null bytes.
(2) Web applications can access the directory containing the files through a chroot environment, or use an absolute path plus the parameter to control directory access, so that the result stays inside the specified directory even if the parameter is unauthorized or crosses directories.
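The two defensive measures above (purify the name and whitelist the suffix; pin the result under an absolute base directory) can be combined in one validation routine. The following is an added example, not code from the article: it rejects control characters such as NUL and newline before any file API sees them, whitelists the suffix, then canonicalises the joined path with `os.path.realpath` and requires it to remain under the canonical base directory. `DEMO_BASE`, `ALLOWED_SUFFIXES` and the test names are assumptions for the demonstration; the function never touches the disk, so it can be run anywhere.

```python
"""Hardened file-name handling for a "download file by name" endpoint.

Added example (not code from the original article). Assumes a Unix-like
host, a fixed base directory and an allowed-suffix whitelist; DEMO_BASE and
the names used in the checks are constructed for the demonstration.
"""
import os
import urllib.parse

ALLOWED_SUFFIXES = {".pdf", ".jpg", ".png"}
DEMO_BASE = "/srv/site/pdf"  # assumed base directory; need not exist to run


class UnsafePath(ValueError):
    """Raised when a submitted file name fails validation."""


def safe_resolve(base_dir, submitted, allowed=ALLOWED_SUFFIXES):
    """Return an absolute path under base_dir, or raise UnsafePath.

    Checks, in order:
    1. URL-decode once more. The web container normally decoded the query
       already; decoding again makes double-encoded input (%2500) visible
       instead of silently passing it through. Legitimate names containing
       a literal '%' would need a different strategy.
    2. Reject NUL, newline and other control characters: some file system
       APIs treat them as string terminators (the %00 / %0a tricks).
    3. Whitelist the suffix of the decoded name.
    4. Canonicalise with realpath (resolves "..", "." and symlinks) and
       require the result to stay inside the canonical base directory.
    """
    name = urllib.parse.unquote(submitted)
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        raise UnsafePath("control character in file name")
    if os.path.splitext(name)[1].lower() not in allowed:
        raise UnsafePath("file type not allowed")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when name is absolute ("/../boot" style),
    # so strip leading separators before joining.
    candidate = os.path.realpath(os.path.join(base, name.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("path escapes base directory")
    return candidate


def resolve_relative(base_dir, submitted):
    """Path of the accepted file relative to base_dir, or None if rejected."""
    try:
        full = safe_resolve(base_dir, submitted)
    except UnsafePath:
        return None
    return os.path.relpath(full, os.path.realpath(base_dir))


def is_safe(base_dir, submitted):
    """True when the submitted name resolves to a file inside base_dir."""
    return resolve_relative(base_dir, submitted) is not None


if __name__ == "__main__":
    # Constructed inputs taken from the patterns the article discusses.
    for sample in ["fan.pdf", "/fan/fan/../../report.pdf", "../../../../boot.ini%00.jpg",
                   "../../../etc/passwd%0a.jpg", "/../boot", "%2e%2e/%2e%2e/x.pdf"]:
        print(repr(sample), "->", resolve_relative(DEMO_BASE, sample))
```

The order of the checks matters: the control-character test runs on the decoded string before any `os.path` call, because `realpath` itself refuses embedded NUL, and the suffix check runs on the decoded name so that `boot.ini%00.jpg` cannot pass as a `.jpg`. Serving the file afterwards should use the returned absolute path, never the user's string.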
Conclusion

Path traversal vulnerabilities let a malicious attacker break through the Web application's security controls and directly access sensitive data, including configuration files, logs and source code. Combined with other vulnerabilities, an attacker can easily obtain higher privileges. Finding the flaw is also very easy: directly test the Web application's read and write function blocks by hand and judge by the content of the returned page, which is very intuitive and relatively simple to exploit.

There is also a form of directory traversal caused by a misconfigured Web server that lists directory contents:

index of /

We can use Baidu search syntax directly to find this form of directory traversal vulnerability:

intitle:index of

Pick a random one to show you.