3 Directory traversal



In this section, we'll explain what directory traversal is, describe how to carry out path traversal attacks and circumvent common obstacles, and spell out how to prevent path traversal vulnerabilities.


I. What is directory traversal?

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

II. Reading arbitrary files via directory traversal

  1. Consider a shopping application that displays images of items for sale. Images are loaded via some HTML like the following:
    <img src="/loadImage?filename=218.png">

  2. The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk in the location /var/www/images/. To return an image, the application appends the requested filename to this base directory and uses a filesystem API to read the contents of the file. In the above case, the application reads from the following file path:
    /var/www/images/218.png

  3. The application implements no defenses against directory traversal attacks, so an attacker can request the following URL to retrieve an arbitrary file from the server's filesystem:
    https://insecure-website.com/loadImage?filename=../../../etc/passwd

  4. This causes the application to read from the following file path:
    /var/www/images/../../../etc/passwd

  5. The sequence ../ is valid within a file path, and means to step up one level in the directory structure. The three consecutive ../ sequences step up from /var/www/images/ to the filesystem root, and so the file that is actually read is:
    /etc/passwd

  6. On Unix-based operating systems, this is a standard file containing details of the users that are registered on the server.
    Note: / is the forward slash (the Unix directory separator, also the division sign), and \ is the backslash (the directory separator on Windows).

  7. On Windows, both ../ and ..\ are valid directory traversal sequences, and an equivalent attack to retrieve a standard operating system file would be:
    https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

Lab: File path traversal, simple case

This lab contains a file path traversal vulnerability in the display of product images.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value ../../../etc/passwd.
  3. Observe that the response contains the contents of the /etc/passwd file.


III. Common obstacles to exploiting file path traversal vulnerabilities

  1. Many applications that place user input into file paths implement some kind of defense against path traversal attacks, and these can often be circumvented.

  2. If an application strips or blocks directory traversal sequences from the user-supplied filename, then it might be possible to bypass the defense using a variety of techniques.

  3. You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.

  4. You might be able to use nested traversal sequences, such as ....// or ....\/, which will revert to simple traversal sequences when the inner sequence is stripped.

  5. You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter.

  6. If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. For example:
    filename=/var/www/images/../../../etc/passwd

  7. If an application requires that the user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension. For example:
    filename=../../../etc/passwd%00.png

Lab: File path traversal, traversal sequences blocked with absolute path bypass


This lab contains a file path traversal vulnerability in the display of product images.

The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value /etc/passwd.
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, traversal sequences stripped non-recursively


This lab contains a file path traversal vulnerability in the display of product images.

The application strips path traversal sequences from the user-supplied filename before using it.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value: ....//....//....//etc/passwd
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, traversal sequences stripped with superfluous URL-decode

This lab contains a file path traversal vulnerability in the display of product images.

The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value ..%252f..%252f..%252fetc/passwd
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, validation of start of path

This lab contains a file path traversal vulnerability in the display of product images.

The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value /var/www/images/../../../etc/passwd
  3. Observe that the response contains the contents of the /etc/passwd file.


Lab: File path traversal, validation of file extension with null byte bypass


This lab contains a file path traversal vulnerability in the display of product images.

The application validates that the supplied filename ends with the expected file extension.

To solve the lab, retrieve the contents of the /etc/passwd file.

  1. Use Burp Suite to intercept and modify a request that fetches a product image.
  2. Modify the filename parameter, giving it the value ../../../etc/passwd%00.png
  3. Observe that the response contains the contents of the /etc/passwd file.


IV. How to prevent a directory traversal attack

  1. The most effective way to prevent file path traversal vulnerabilities is to avoid passing user-supplied input to filesystem APIs altogether. Many application functions that do this can be rewritten to deliver the same behavior in a safer way.

  2. If it is considered unavoidable to pass user-supplied input to filesystem APIs, then two layers of defense should be used together to prevent attacks:
  • The application should validate the user input before processing it. Ideally, the validation should compare against a whitelist of permitted values. If that isn't possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
  • After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. It should verify that the canonicalized path starts with the expected base directory.

Below is an example of some simple Java code to validate the canonical path of a file based on user input:

// BASE_DIRECTORY must itself be canonical and end with a path separator;
// otherwise a sibling such as /var/www/images2/x would pass a startsWith
// check against "/var/www/images".
File file = new File(BASE_DIRECTORY, userInput);
if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {
    // process file
}
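As an added example (not code from the original page or from the labs), the weak filters from the labs in section III and the two-layer defense from section IV are modelled in Python so each can be run against the page's own inputs. The base directory and the string-only canonicalization (posixpath.normpath standing in for a real filesystem API) are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed base directory, taken from the page's loadImage scenario.
BASE_DIRECTORY = "/var/www/images"


def resolve(filename):
    """Path the filesystem actually opens for base + user input.

    posixpath.join drops the base when filename is absolute and normpath
    applies every ../, mirroring OS resolution (a real server should also
    resolve symlinks via os.path.realpath). The split emulates a C-style
    file API, which stops reading the path at a NUL byte.
    """
    return posixpath.normpath(
        posixpath.join(BASE_DIRECTORY, filename.split("\x00", 1)[0]))


# Weak defences from the labs: each returns the path it would open, or
# None when its filter rejects the input.
def strip_once(filename):
    # Non-recursive strip: '....//' collapses back into '../'.
    return resolve(filename.replace("../", ""))

def block_then_decode(server_decoded):
    # Blocks '../' but then URL-decodes a second time, so '..%2f' slips by.
    if "../" in server_decoded:
        return None
    return resolve(unquote(server_decoded))

def require_prefix(filename):
    # Checks the raw input starts with the base folder, not the resolved path.
    return resolve(filename) if filename.startswith(BASE_DIRECTORY) else None

def require_png(filename):
    # Checks the raw input ends with .png; a NUL byte defeats that.
    return resolve(filename) if filename.endswith(".png") else None


# The two-layer defence from section IV: allowlist validation, then a
# canonical-path check. The prefix is BASE_DIRECTORY + '/' so a sibling
# such as /var/www/images2 cannot pass as a prefix match.
def canonical_check(filename):
    if not re.fullmatch(r"[A-Za-z0-9_./-]+", filename):
        return None  # layer 1: rejects NUL bytes, %-encoding, backslashes
    candidate = resolve(filename)
    if candidate.startswith(BASE_DIRECTORY + "/"):
        return candidate  # layer 2: canonical path is still under the base
    return None
```

Each weak filter returns /etc/passwd for the corresponding lab input, while canonical_check returns None for all of them and still serves legitimate names such as 218.png.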