
Analysis and Discussion on interface URL construction of arbitrary file download vulnerability

Mirror Wang Yuyang, 2021-01-13 16:24:06

Structural analysis and discussion of file download interface URLs

The file download interface of a college

http://www.****.edu.cn/item/filedown.asp?id=76749&Ext=rar&fname=filedown.rar

Parameter analysis:

  • id: the resource id
  • Ext: the download format (extension) of the resource
  • fname: the name given to the downloaded file

Logic:

The parameters are sent to filedown.asp. The ASP page receives the id parameter, queries the database for the URL address of the resource with that id, and fetches it; the file is returned in the format given by ext, and the returned download is named according to fname.


The file download interface of an association

http://www.****.org.cn/content/download.do?filename=test.doc&url=group1/M00/05/38/Cj0BE16hNJKAIuAEAAFkAF_b3No247.doc

Parameter analysis:

  • filename: the name given to the downloaded file
  • url: the download path of the file

By analyzing the tags on the page we found a downloadfile() function; calling it downloaded the file successfully. A full analysis of the URL address:

http://www.****.org.cn/content/download.do?filename=test.doc&url=group1/M00/05/38/Cj0BE16hNJKAIuAEAAFkAF_b3No247.doc

  • filename: the name given to the downloaded file
  • url: the download path of the file

The analysis shows that group1/M00/05/38/Cj0BE16hNJKAIuAEAAFkAF_b3No247.doc is a "relative" path, but we do not know the full path, so we tested:

http://www.****.org.cn/group1/M00/05/38/Cj0BE16hNJKAIuAEAAFkAF_b3No247.doc

The result was unsatisfactory.

By development habit, file resources of this kind are usually placed under the same path, so we went looking for the site's other file resources (audio, pictures, video, and so on). Sure enough, we found an address like this:

http://118.***.**.***:80/group1/M00/07/15/Cj0BE18NZcyAAI-uAAEGa1djidw254.jpg

Look closely: the path is roughly the same as that of the DOC file from before, so we "tried it by hand":

http://118.***.**.***:80/group1/M00/05/38/Cj0BE16hNJKAIuAEAAFkAF_b3No247.doc

Success: we have now located the file. The next step is to construct the POC step by step:

http://118.***.**.***:80/../../../../../../../../../../etc/passwd

Payload:

url=../../../../../../../etc/passwd

That is as far as my analysis goes without further investigation, on the assumption that there is a breakthrough. But the careful reader will have noticed that the server storing the file resources and the website itself are not the same machine; in other words, our "arbitrary file download" does no direct harm to the website. Separating the two is itself an effective preventive measure. (The breakthrough failed.)
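As an added illustration (not code from the original post or from the site it describes), the handler below contrasts the behaviour the "url=../../etc/passwd" payload above relies on with a hardened resolver for a path-style download parameter. The storage root `/srv/fileserver` and the helper names are assumptions; the sample paths reuse the shape of the page's `group1/M00/...` path. Pure path arithmetic is used so the check runs offline; a real handler should additionally resolve symlinks (e.g. with `os.path.realpath`) before the containment test.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical storage root for the download interface (assumption, not from the page).
STORAGE_ROOT = "/srv/fileserver"


def decode_param(url_param: str) -> str:
    """Percent-decode once, as the web framework would before the handler sees the value."""
    return unquote(url_param)


def resolve_vulnerable(url_param: str) -> str:
    """Original-style logic: the client-supplied 'url' is joined to the root as-is.

    normpath happily collapses '..' past the root, so a traversal payload
    ends up pointing at an absolute system path.
    """
    return posixpath.normpath(posixpath.join(STORAGE_ROOT, decode_param(url_param)))


def resolve_hardened(url_param: str):
    """Return the canonical path if it stays inside STORAGE_ROOT, otherwise None.

    Steps: decode, reject obviously bad input (absolute paths, backslashes,
    NUL bytes), canonicalise, then enforce containment on the *result*
    rather than pattern-matching the input for '..'.
    """
    value = decode_param(url_param)
    if not value or value.startswith("/") or "\\" in value or "\x00" in value:
        return None
    candidate = posixpath.normpath(posixpath.join(STORAGE_ROOT, value))
    # A file must be strictly below the root; the root directory itself is not downloadable.
    if not candidate.startswith(STORAGE_ROOT + "/"):
        return None
    return candidate


def is_traversal_attempt(url_param: str) -> bool:
    """Detection helper for access logs: True when the hardened resolver would refuse the value."""
    return resolve_hardened(url_param) is None


if __name__ == "__main__":
    # Constructed sample of request values, in the shape of the page's examples.
    samples = [
        "group1/M00/05/38/Cj0BE16hNJKAIuAEAAFkAF_b3No247.doc",
        "../../../../../../../etc/passwd",
        "group1/../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
    ]
    for s in samples:
        print(f"{s!r}: vulnerable -> {resolve_vulnerable(s)}, hardened -> {resolve_hardened(s)}")
```

The important design point is that the containment check is applied to the canonicalised output, not to the raw input: filtering the string for `..` misses encoded and mixed forms, while comparing the normalised result against the root catches all of them the same way.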


The file download interface URL and request data of a foundation

http://www.****.org.cn//downlog/insert

ninfor.js

POST //downlog/insert HTTP/1.1
Host: www.****.org.cn
Content-Length: 187
Cache-Control: max-age=0
Origin: http://www.****.org.cn
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 Edg/87.0.664.75
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.****.org.cn/front/download/list/1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: JSESSIONID=70C46A039204087FEA92625A1FBBBA22; tq_current_visit_time=1610441247471; tracqinfo={r$"241470177168012"#ct$1#tt$0#lv$"2021-1-12^2C16^3A47^3A28"#lt$""#pu$""#cn$""#ib$0#bt$0#lb$1610441248270#ci$""#cr$""#pt$""}
Connection: close
url=http://www.****.org.cn/front/download/list/1&id=60&type=7&typename=1&contype=2&title=5-******

Analyzing the POST data, you can see that the id parameter is the key parameter used to index the file.


The file download URL of a law firm's website

This is the way most websites download files: a directory's files are downloaded through an <a href="****"/> link. It is the method with the lowest technical bar, and it is effective. Of course, in security testing, to keep the directory's data from being traversed effectively, all uploaded files are required to be renamed when they are saved.

File download URLs of this structure are countless.


And there are some "hide-and-seek" style file download URLs:


Conclusion

The file download URL structures above are the common constructions I have come across recently while digging for "arbitrary file download" vulnerabilities. Generally speaking, URL constructions of the "<a/>" tag kind all share a fairly high difficulty. For downloads that use an id parameter value, the breakthrough is usually by "SQL injection", but that is no longer "arbitrary file download"; I think a download URL that uses id as the only index of the file cannot be constructed to fetch files outside the download list. The URL most likely to have an "arbitrary file download" vulnerability is the kind in "the file download interface of an association", where we pass a path and the interface downloads the file that path points to. The target in this article used a separate server, so the website could not be broken into through arbitrary file download. Others use "third-party" storage for resources; unfortunately, at the time of writing I had browsed many websites without finding a relevant case.

Discussion

2021/01/13

Personally, I think all the file download URL structures I have encountered so far fall into three categories:

  • Using an a tag directly pointing at the resource path. With this kind of URL it is extremely difficult to form an arbitrary file download.

  • The back end uses a database ID index: each ID points to a resource path, and the back end accesses and downloads that path. This minimizes the appearance of unexpected resource paths and malicious URLs, but SQL anti-injection must be strengthened in the code at the same time.

  • A "URL/path" is passed to the file download interface, which initiates the download of the file at that address and returns it to the current location. This approach is the most likely to produce the "arbitrary file download" danger, so it is not recommended.
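The id-indexed design from the second category above (and the filedown.asp interface analyzed at the start of the post) can be written so that the client's id never reaches the query as SQL text and the client's fname/Ext values never decide what is sent. The following is an added example, not code from the original post or from any of the sites it describes; the in-memory SQLite table, the storage root and the record contents are constructed for illustration. It goes slightly beyond the page by also sanitising the download file name used in the Content-Disposition header.

```python
import posixpath
import sqlite3

# Hypothetical storage root (assumption, not from the page).
STORAGE_ROOT = "/srv/fileserver"


def build_db() -> sqlite3.Connection:
    """Constructed resource table: id -> stored relative path, extension and display name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources ("
        "id INTEGER PRIMARY KEY, path TEXT NOT NULL, "
        "ext TEXT NOT NULL, display_name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO resources VALUES (?, ?, ?, ?)",
        [
            # Sample rows; ids echo the page's examples, paths are made up.
            (76749, "group1/M00/05/38/constructed_a.rar", "rar", "filedown.rar"),
            (60, "group1/M00/07/15/constructed_b.doc", "doc", "5-report.doc"),
        ],
    )
    return conn


def content_disposition(display_name: str) -> str:
    """Build a Content-Disposition value from a stored name, dropping path parts and header-breaking characters."""
    base = display_name.replace("\\", "/").rsplit("/", 1)[-1]
    safe = "".join(c for c in base if c.isprintable() and c not in '"\r\n')
    return f'attachment; filename="{safe or "download"}"'


def resolve_by_id(conn: sqlite3.Connection, id_param: str):
    """Map a client-supplied id to a file under STORAGE_ROOT, or None.

    - Only a decimal integer is accepted, so non-numeric input is rejected
      before any SQL runs.
    - The query is parameterised; the value is bound as data, never spliced
      into the SQL string.
    - The stored path is still containment-checked, so a bad database row
      cannot point outside the storage root either.
    """
    if not id_param.isdigit():
        return None
    row = conn.execute(
        "SELECT path, ext, display_name FROM resources WHERE id = ?",
        (int(id_param),),
    ).fetchone()
    if row is None:
        return None
    rel_path, ext, display_name = row
    full = posixpath.normpath(posixpath.join(STORAGE_ROOT, rel_path))
    if not full.startswith(STORAGE_ROOT + "/"):
        return None
    return {
        "path": full,
        "ext": ext,  # taken from the record, not from a client 'Ext' parameter
        "content_disposition": content_disposition(display_name),
    }


if __name__ == "__main__":
    db = build_db()
    for candidate in ["76749", "60", "99999", "1 OR 1=1", "../etc/passwd"]:
        print(f"id={candidate!r}: {resolve_by_id(db, candidate)}")
```

Because the only client-controlled input is an integer key, the set of downloadable files is exactly the set of rows in the table, which is the property the discussion above attributes to the id-indexed design; the parameterised query is what keeps the "SQL injection" breakthrough mentioned in the conclusion from applying.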

Copyright statement
Author of this article: Mirror Wang Yuyang. When reprinting, please include the original link. Thank you.