快捷導(dǎo)航

java代碼審計(jì)之目錄遍歷的解決

更新時(shí)間：2024年06月23日 09:44:27 作者：樂隊(duì)1

目錄穿越漏洞,也叫做目錄遍歷/路徑遍歷漏洞,本文主要介紹了java代碼審計(jì)之目錄遍歷的解決,文中通過案例介紹的非常詳細(xì),對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,需要的朋友們下面隨著小編來(lái)一起學(xué)習(xí)學(xué)習(xí)吧

1 原理介紹

通過用戶輸入，后端接收到參數(shù)直接拼接到指定路徑下讀取用戶指定的文件名，看似正常，但實(shí)際用戶輸入的參數(shù)不可控，黑客將非法的特殊字符作為文件名的一部分，操作到其他路徑下，甚至是跳轉(zhuǎn)到服務(wù)器敏感目錄，讀取敏感的配置文件，例如服務(wù)器的密碼文件，程序的數(shù)據(jù)庫(kù)，redie等核心配置文件，因此具有一定的風(fēng)險(xiǎn)性。

2 審計(jì)案例1

用戶通過form表單輸入文件名稱，通過源碼逐層未對(duì)該文件名進(jìn)行非法字符的過濾與處理，導(dǎo)致任意

文件讀取（目錄遍歷）漏洞的產(chǎn)生。

（1）正常的用戶行為是輸入要讀取的合法文件

（2）黑客利用未過濾文件名或目錄的漏洞讀取了其他目錄下的資源文件

通過遍歷該目錄或上級(jí)路徑下的其他文件，例如

3 審計(jì)案例2

1、當(dāng)輸入文件名為../1.txt（上次目錄需要存在），不存在一直../知道存在位置

2、提交之后發(fā)現(xiàn)成功下載到當(dāng)前目錄外的目錄文件

3、源碼分析

通過用戶輸入文件名之后，后端直接接收了文件名拼接到需要讀取的路徑下，進(jìn)而讀取了文件，未對(duì)來(lái)自前端用戶輸入的文件名稱針對(duì)非法字符過濾

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<form action="/file1/directroyTranersal02" method="get">
<input type="text" name="filename"/>
<input type="submit" value="uploaddown"/>
</form>
</body>
</html>

//目錄遍歷2
    @GetMapping("/directroyTranersal02")
    public void directoryTraversal02(HttpServletRequest request, HttpServletResponse response) throws IOException {
        //獲取項(xiàng)目部署絕對(duì)路徑下的upload文件夾路徑,下載upload目錄下面的文件
//        String root = request.getServletContext().getRealPath("/upload");
        String root = "D:\\20230222files";
        //獲取文件名
        String filename = request.getParameter("filename");
        File file = new File(root + "/" + filename);
        //根據(jù)文件路徑創(chuàng)建輸入流
        FileInputStream fis = new FileInputStream(file);
        //設(shè)置響應(yīng)頭,彈出下載框
        response.addHeader("Content-Disposition", "attachment;filename=" + new String(filename.getBytes()));
        response.addHeader("Content-Length", "" + file.length());
        byte[] b = new byte[fis.available()];
        fis.read(b);
        response.getOutputStream().write(b);
    }

通過源碼分析，獲取到文件名中含有../，當(dāng)執(zhí)行下載邏輯的時(shí),file類底層將會(huì)訪問該路徑讀取資源

如同人工通過瀏覽器讀取文件E:\java_project\FileUpload\src\main\webapp\upload..\1.txt

4 審計(jì)案例3-任意的文件寫入

保存模板的后端程序用到dirs字段數(shù)據(jù)，猜測(cè)此字段輸入數(shù)據(jù)可控來(lái)進(jìn)行文件路徑的重新定位且沒有字符串進(jìn)行過濾驗(yàn)證以及擴(kuò)展名也沒有任何限制

隨后對(duì)該API請(qǐng)求的路徑以及數(shù)據(jù)流進(jìn)行追蹤，發(fā)現(xiàn)依然是模板新增或編輯頁(yè)面為用戶輸入的關(guān)鍵位置。

1、打開模板目錄下的，對(duì)404.html進(jìn)行提交

2、burpsuit抓包之后修改請(qǐng)求，將dirs的制前邊添加..%2F..%2F..%2F,修改文件名后綴為.jsp，同時(shí)也可以在file_content添加payload

但是不知什么原因沒有成功

5 修復(fù)方案

1、凈化數(shù)據(jù)：對(duì)用戶傳過來(lái)的文件名參數(shù)進(jìn)行硬編碼或統(tǒng)一編碼，對(duì)文件類型進(jìn)行白名單控制，對(duì)包含惡意字符或者空字符的參數(shù)進(jìn)行拒絕。

主要的惡意字符包括不局限于如

..
..\
../
%2e%2e%2f which translates to ../
%2e%2e/ which translates to ../
..%2f which translates to ../
%2e%2e%5c which translates to ..\
%c1%1c
%c0%9v
 %c0%af
..%5c../
../../../../../../../../../../../../etc/hosts%00
../../../../../../../../../../../../etc/hosts
../../boot.ini
/../../../../../../../../%2A
../../../../../../../../../../../../etc/passwd%00
../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../etc/shadow%00
../../../../../../../../../../../../etc/shadow20 /../../../../../../../../../../etc/passwd^^
/../../../../../../../../../../etc/shadow^^
/../../../../../../../../../../etc/passwd
/../../../../../../../../../../etc/shadow
/./././././././././././etc/passwd
/./././././././././././etc/shadow
\..\..\..\..\..\..\..\..\..\..\etc\passwd
\..\..\..\..\..\..\..\..\..\..\etc\shadow
..\..\..\..\..\..\..\..\..\..\etc\passwd
..\..\..\..\..\..\..\..\..\..\etc\shadow
/..\../..\../..\../..\../..\../..\../etc/passwd
/..\../..\../..\../..\../..\../..\../etc/shadow
.\\./.\\./.\\./.\\./.\\./.\\./etc/passwd
.\\./.\\./.\\./.\\./.\\./.\\./etc/shadow
\..\..\..\..\..\..\..\..\..\..\etc\passwd%00
\..\..\..\..\..\..\..\..\..\..\etc\shadow%00
..\..\..\..\..\..\..\..\..\..\etc\passwd%00
..\..\..\..\..\..\..\..\..\..\etc\shadow%00
%0a/bin/cat%20/etc/passwd
%0a/bin/cat%20/etc/shadow
%00/etc/passwd%00
%00/etc/shadow%00
%00../../../../../../etc/passwd
%00../../../../../../etc/shadow
/../../../../../../../../../../../etc/passwd%00.jpg
/../../../../../../../../../../../etc/passwd%00.html
/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/passwd
/..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../etc/shadow
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c.
.%25%5c..%25%5c..%25%5c..%00
/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c
..%25%5c..%25%5c..%25%5c..%00
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c.
.%25%5c..% 25%5c..%25%5c..%00
%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c.
.%25%5c..% 25%5c..%25%5c..%255cboot.ini
/%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c
..%25%5c..%25%5c..%25%5c..winnt/desktop.ini
\\&apos;/bin/cat%20/etc/passwd\\&apos;
\\&apos;/bin/cat%20/etc/shadow\\&apos;
../../../../../../../../conf/server.xml
/../../../../../../../../bin/id|
C:/inetpub/wwwroot/global.asa
C:\inetpub\wwwroot\global.asa
C:/boot.ini
C:\boot.ini
../../../../../../../../../../../../localstart.asp%00
../../../../../../../../../../../../localstart.asp
../../../../../../../../../../../../boot.ini%00
../../../../../../../../../../../../boot.ini
/./././././././././././boot.ini
/../../../../../../../../../../../boot.ini%00
/../../../../../../../../../../../boot.ini
/..\../..\../..\../..\../..\../..\../boot.ini
/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini
\..\..\..\..\..\..\..\..\..\..\boot.ini
..\..\..\..\..\..\..\..\..\..\boot.ini%00
..\..\..\..\..\..\..\..\..\..\boot.ini
/../../../../../../../../../../../boot.ini%00.html
/../../../../../../../../../../../boot.ini%00.jpg
/.../.../.../.../.../
..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%af../boot.ini
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/boot.ini

2、 web應(yīng)用程序可以使用chroot環(huán)境包含被訪問的web目錄，或者使用絕對(duì)路徑+參數(shù)來(lái)訪問文件目錄，時(shí)使其即使越權(quán)也在訪問目錄之內(nèi)。www目錄就是一個(gè)chroot應(yīng)用. 由chroot創(chuàng)造出的那個(gè)根目錄，叫做“chroot監(jiān)獄”（所謂"監(jiān)獄"就是指通過chroot機(jī)制來(lái)更改某個(gè)進(jìn)程所能看到的根目錄，即將某進(jìn)程限制在指定目錄中，保證該進(jìn)程只能對(duì)該目錄及其子目錄的文件有所動(dòng)作，從而保證整個(gè)服務(wù)器的安全，詳細(xì)具體chroot的用法，可參考：chroot用法詳解

3、 任意文件下載漏洞也有可能是web所采用的中間件的版本低而導(dǎo)致問題的產(chǎn)生，例如ibm的

websphere的任意文件下載漏洞，需更新其中間件的版本可修復(fù)。

4、要下載的文件地址保存至數(shù)據(jù)庫(kù)中。

5、文件路徑保存至數(shù)據(jù)庫(kù)，讓用戶提交文件對(duì)應(yīng)ID下載文件。

6、用戶下載文件之前需要進(jìn)行權(quán)限判斷。

7、文件放在web無(wú)法直接訪問的目錄下。

8、不允許提供目錄遍歷服務(wù)。

9、公開文件可放置在web應(yīng)用程序下載目錄中通過鏈接進(jìn)行下載。

到此這篇關(guān)于java代碼審計(jì)之目錄遍歷的解決的文章就介紹到這了,更多相關(guān)java代碼審計(jì)目錄遍歷內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: