Directory Traversal: Security Threats and Defences
This article explains the threat posed by Directory Traversal and the defensive measures available in each programming language.
Examples of websites vulnerable to Directory Traversal
These examples share a common trait: a file name is used to access a specific page. An attacker can therefore try entering different file names, or altering the file path, to access other resources on the web server.
```
http://example.com.br/get-files.jsp?file=report.pdf

http://example.com.br/get-page.php?home=aaa.html

http://example.com.br/some-page.asp?page=index.html
```
Directory Traversal attack example 1
```
http://example.com.br/get-files?file=../../../../somedir/somefile

http://example.com.br/../../../../etc/shadow

http://example.com.br/get-files?file=../../../../etc/passwd
```
Directory Traversal attack example 2
The following examples all reach other file resources by manipulating the path:
- CWE-24: Path Traversal: '../filedir'
- CWE-25: Path Traversal: '/../filedir'
- CWE-26: Path Traversal: '/dir/../filename'
- CWE-27: Path Traversal: 'dir/../../filename'
- CWE-28: Path Traversal: '..\filedir'
- CWE-29: Path Traversal: '\..\filename'
- CWE-30: Path Traversal: '\dir\..\filename'
- CWE-31: Path Traversal: 'dir\..\..\filename'
- CWE-32: Path Traversal: '...' (Triple Dot)
- CWE-33: Path Traversal: '....' (Multiple Dot)
- CWE-34: Path Traversal: '....//'
- CWE-35: Path Traversal: '.../...//'
- CWE-36: Absolute Path Traversal
- CWE-37: Path Traversal: '/absolute/pathname/here'
- CWE-38: Path Traversal: '\absolute\pathname\here'
- CWE-39: Path Traversal: 'C:dirname'
- CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
- CWE-41: Improper Resolution of Path Equivalence
- CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
- CWE-43: Path Equivalence: 'filename....' (Multiple Trailing Dot)
- CWE-44: Path Equivalence: 'file.name' (Internal Dot)
- CWE-45: Path Equivalence: 'file...name' (Multiple Internal Dot)
- CWE-46: Path Equivalence: 'filename ' (Trailing Space)
- CWE-47: Path Equivalence: ' filename' (Leading Space)
- CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
- CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
- CWE-50: Path Equivalence: '//multiple/leading/slash'
- CWE-51: Path Equivalence: '/multiple//internal/slash'
- CWE-52: Path Equivalence: '/multiple/trailing/slash//'
- CWE-53: Path Equivalence: '\multiple\\internal\backslash'
- CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
- CWE-55: Path Equivalence: '/./' (Single Dot Directory)
- CWE-56: Path Equivalence: 'filedir*' (Wildcard)
Defences in each programming language
The path and file name supplied by the user must therefore be validated and restricted. Every programming language provides an API that resolves a path to its canonical form, so a path can be checked for legitimacy simply by calling one of these methods. Examples include:
- realpath() in C
- getCanonicalPath() in Java
- GetFullPath() in ASP.NET
- realpath() or abs_path() in Perl
- realpath() in PHP
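As an added example (not code from the original post), the following Python uses os.path.realpath in the role of the realpath() / getCanonicalPath() / GetFullPath() calls listed above. It also shows the step the list leaves implicit: canonicalizing the path is only useful when the result is then checked to still lie inside the intended base directory. The base directory and the request URLs are constructed for the example and modelled on the page's own URLs.

```python
import os
from urllib.parse import urlparse, parse_qs

# Constructed base directory for this example; a real application would
# take its document root from configuration.
BASE_DIR = "/srv/app/files"


def naive_filter(user_path: str) -> str:
    """Insufficient defence: remove '../' in a single pass. CWE-34 ('....//')
    shows why it fails: each '....//' collapses into a fresh '../' once the
    inner '../' has been removed."""
    return user_path.replace("../", "")


def safe_resolve(base_dir: str, user_path: str):
    """Canonicalize the user-supplied path and confirm it stays inside
    base_dir. os.path.realpath collapses '..', '.', repeated separators and
    symlinks, just like the realpath()-style calls the post lists.

    Returns the canonical path, or None if the request escapes base_dir."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute (CWE-36/37);
    # the containment check below rejects that case as well.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def file_param_from_url(url: str) -> str:
    """Extract the 'file' query parameter from URLs shaped like the
    get-files?file=... examples on the page."""
    return parse_qs(urlparse(url).query).get("file", [""])[0]


if __name__ == "__main__":
    # Constructed requests modelled on the page's examples.
    for url in (
        "http://example.com.br/get-files?file=report.pdf",
        "http://example.com.br/get-files?file=../../../../etc/passwd",
        "http://example.com.br/get-files?file=....//....//etc/passwd",
        "http://example.com.br/get-files?file=/etc/shadow",
    ):
        requested = file_param_from_url(url)
        # Opening naive_filter(requested) directly would be the vulnerable
        # pattern; safe_resolve() is the check that should gate the open.
        print(f"{requested!r:32} naive -> {naive_filter(requested)!r:22} "
              f"safe -> {safe_resolve(BASE_DIR, requested)}")
```

Note that the raw '....//....//etc/passwd' string canonicalizes to a (nonexistent) directory literally named '....' inside the base, so it is harmless on its own; it is the one-pass '../' removal that turns it into a traversal.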