[Challenge]

The purpose of this challenge is to demonstrate the MITRE Top 25 programming flaw: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')".

 

The developers of Insecure Inc. have recently implemented a privacy page. They usually receive an HTML file that is edited by the compliance analyst and place it in the public folder of the web application. When the user follows the privacy link, they load that file and show it to the user.

Unrelated to this, they have also recently created a servlet that connects to an external feed service. They store the password in a properties file, and they pass the location of that properties file to the servlet through an initialization parameter defined in WebContent/WEB-INF/web.xml.

Your task is to get the password stored in the configuration file.

Here is the application code. See if you can spot the problem.

Tip: Path traversal is also known as a "dot dot slash attack".

 

// JSP scriptlet: request and getServletContext() are implicit objects;
// the page needs <%@ page import="java.io.*" %> for the stream classes.
String file = request.getParameter("file");
String contents = "";
if (file != null) {
  // The user-controlled value is only prefixed, never validated, so a value
  // such as "../WEB-INF/config.properties" resolves outside the public folder.
  file = "public/" + file;
  InputStream input = null;
  BufferedReader reader = null;
  StringBuilder sb = new StringBuilder();
  try {
    input = getServletContext().getResourceAsStream(file);
    reader = new BufferedReader(new InputStreamReader(input, "UTF-8"));
    String line = reader.readLine();
    while (line != null) {
      sb.append(line);
      sb.append("\n");
      line = reader.readLine();
    }
    contents = sb.toString();
  } catch (Exception ex) {
    // Any failure (missing resource, unreadable stream) is echoed to the user.
    contents = ex.getMessage();
  } finally {
    if (reader != null) reader.close();
  }
}

 

[Challenge description]

  In this challenge, the application places the config properties file that stores the account and password somewhere a user can easily guess and reach with the dot-dot-slash technique. Taking JSP as the example, the developer put the privacy content under /WebContent/public/ and the config file under /WebContent/WEB-INF/. A user only has to find out how the privacy file is referenced, then use dot-dot-slash to jump into WEB-INF and have the target file displayed on the page, which reveals the web application's account and password.

[Vulnerability hint]

 

    The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

From MITRE CWE-22

 

  When a web application references files, a hacker can discover the likely location of a sensitive file and use dot-dot-slash to locate it, making the application display the sensitive information on the page. The flaw is that the way the page references the file is specified by a string value the user can change through input; if user input is not specially handled and checked, the user can break into sensitive files with a dot-dot-slash attack.

 

[Solution]

  1. Open the page: https://abc.xxx.elasticbeanstalk.com/cwe22.jsp
  2. Click the Privacy Policy link; the page references the file privacy.html under public and shows its contents on the page.
  3. Look at the URL.
  4. Notice that the page points to a file location through the parameter file. From the code we also know that privacy.html is under WebContent/public, so we can guess that WebContent/WEB-INF/web.xml, which lists the important parts of the JSP application, can be referenced with file = ../WEB-INF/web.xml. Change the URL to the following and open it:

https://abc.xxx.elasticbeanstalk.com/cwe22.jsp?file=../WEB-INF/web.xml

  5. The page now shows part of the important web.xml contents: insecureinc index.html index.htm index.jsp default.html default.htm default.jsp CWE22 insecure.inc.Cwe22Servlet passwordFile WEB-INF/config.properties . All of these are files that can be referenced, and the file storing the sensitive credentials (config.properties) is among them; changing the URL once more to reference that file displays the credentials on the page.
  6. Enter the URL https://abc.xxx.elasticbeanstalk.com/cwe22.jsp?file=../WEB-INF/config.properties and open it to complete the challenge.

[Security principle]

  A dot-dot-slash attack uses directory traversal to change directories and reference files under other directories. If a URL exposes this flaw so that a hacker can browse arbitrary file contents, important sensitive information may be leaked; therefore the content a user may input should be restricted to prevent this attack.
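One way to enforce that restriction in the servlet, as an added example that is not part of the challenge's own code: the user-supplied name is resolved against the public directory, normalized, and rejected if the result no longer lies inside it, so only a validated context-relative path is handed to getResourceAsStream. The base path /public, the class name and the sample inputs are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class PublicFileResolver {
    // Assumed context-relative directory the privacy page may read from;
    // ServletContext resource paths begin with "/".
    private static final Path PUBLIC_DIR = Paths.get("/public");

    /** Resolves a user-supplied name inside PUBLIC_DIR; returns the normalized
     *  context-relative path (e.g. "/public/privacy.html") or null if it escapes. */
    public static String resolvePublicFile(String userInput) {
        if (userInput == null || userInput.isEmpty()) return null;
        // Reject control characters and backslashes outright: a NUL can truncate
        // the path in native code and "\" is a separator on some platforms.
        for (char c : userInput.toCharArray()) {
            if (c < 0x20 || c == '\\') return null;
        }
        // resolve() discards the base when given an absolute path and normalize()
        // collapses "." and ".." segments, so one startsWith check covers both
        // "../WEB-INF/config.properties" and "/WEB-INF/web.xml".
        Path requested = PUBLIC_DIR.resolve(userInput).normalize();
        if (!requested.startsWith(PUBLIC_DIR) || requested.equals(PUBLIC_DIR)) return null;
        // Forward slashes regardless of host OS, as the container expects.
        return requested.toString().replace('\\', '/');
    }

    // In the scriptlet, only a non-null result reaches the container:
    //   String safe = PublicFileResolver.resolvePublicFile(request.getParameter("file"));
    //   if (safe == null) { response.sendError(400); return; }
    //   InputStream input = getServletContext().getResourceAsStream(safe);

    public static void main(String[] args) {
        String[] samples = {
            "privacy.html",                 // legitimate request from the privacy link
            "sub/../privacy.html",          // relative segments that stay inside public
            "../WEB-INF/config.properties", // traversal attempt from the write-up
            "/WEB-INF/web.xml"              // absolute path, bypasses the prefix entirely
        };
        for (String s : samples) {
            String resolved = resolvePublicFile(s);
            System.out.printf("%-30s -> %s%n", s, resolved == null ? "REJECTED" : resolved);
        }
    }
}
```

Because the check operates on the decoded parameter value, percent-encoded forms of ".." are handled by the container before the string reaches resolvePublicFile.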

 

Saturday, 23 February 2019


Posted by jackterrylau on PIXNET (痞客邦)