Pikachu - URL redirect, directory traversal, disclosure of sensitive information

URL redirection

Unsafe URL redirect

An unsafe redirect can occur anywhere the application jumps to another URL. If the back end takes a parameter supplied by the front end (passed in by the user, or embedded in the page as the destination address) as the jump target without checking it, it can be made to "jump to the wrong place".

The most direct harm of a URL redirect vulnerability is:
-> Phishing: the attacker uses the vulnerable party's domain name as cover (a well-known company's domain makes users comfortable clicking), while the final destination is the phishing site.

This vulnerability is fairly simple, so let's try it out!


Our experiment begins

Open the page and click the links one by one.


The first few links all jump to the overview page; the last one is different: its destination is carried in a url parameter.


Putting our phishing site directly after url= is enough; a user who is not paying attention may well be fooled:

192.168.43.116/pikachu/vul/urlredirect/urlredirect.php?url=https://www.cnblogs.com/escwq/default.html?page=1
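Pikachu is written in PHP and its redirect page simply sends whatever arrives in url=. The following Python is an added example, not Pikachu's own code, showing the check a fixed version would need: accept only a site-relative path or an http(s) URL whose host is on an allowlist, and reject the inputs that defeat naive prefix or substring checks. The allowlist host (the lab IP from this post), the fallback landing page and the test cases are all constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: the only host this Pikachu instance may redirect to
# is itself. Adjust for a real deployment.
ALLOWED_HOSTS = frozenset({"192.168.43.116"})
DEFAULT_TARGET = "/pikachu/index.php"  # hypothetical fallback when url= is rejected


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` keeps the user on an allowed host.

    Accepts a site-relative path ("/foo?bar") or an http(s) URL whose host
    is in `allowed_hosts`. Everything else is rejected.
    """
    if not target or any(ch in target for ch in "\\\r\n\t\x00"):
        # Browsers treat "/\evil" like "//evil"; CR/LF could inject headers
        # into the Location response header.
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path. "//evil" has a netloc and never reaches here, but
        # "///evil" parses as a path in Python while browsers collapse the
        # slashes and go to evil, so refuse anything starting with "//".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    host = parts.hostname  # strips userinfo ("trusted@evil") and port, lowercases
    return host is not None and host in allowed_hosts


def redirect_location(url_param, allowed_hosts=ALLOWED_HOSTS):
    """Value for the Location header when the request carries ?url=<url_param>."""
    if is_safe_redirect(url_param, allowed_hosts):
        return url_param
    return DEFAULT_TARGET


# Constructed probes: (input, should_be_allowed). The unpatched Pikachu page
# would redirect to every single one of them.
CASES = [
    ("/pikachu/vul/urlredirect/urlredirect.php?url=i", True),
    ("https://192.168.43.116/pikachu/index.php", True),
    ("https://www.cnblogs.com/escwq/default.html?page=1", False),  # the post's "phishing" URL
    ("//www.cnblogs.com/escwq/", False),                # scheme-relative URL
    ("///www.cnblogs.com/escwq/", False),               # browsers collapse the extra slashes
    ("/\\www.cnblogs.com/escwq/", False),               # backslash treated as slash by browsers
    ("https://192.168.43.116@www.cnblogs.com/", False),  # allowed host hidden in userinfo
    ("https://192.168.43.116.evil.example/", False),     # beats a startswith() check
    ("javascript:alert(document.domain)", False),
    ("", False),
]


def run_cases():
    """Return the probes that are misclassified; an empty list means all pass."""
    return [(t, want) for t, want in CASES if is_safe_redirect(t) != want]


if __name__ == "__main__":
    for t, _ in CASES:
        print("allow" if is_safe_redirect(t) else "deny ", repr(t))
    print("misclassified:", run_cases())
```

The check compares the parsed host name, not the raw string; a startswith() or "contains our domain" test passes the userinfo and subdomain probes above. Note that the port is not compared, so extend the allowlist to host:port pairs if that matters for your site.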


../../ directory traversal vulnerability

Overview:

  Many web functions need to operate on files, and to keep the front end flexible the file to access is often passed as a variable. When the user makes a request from the front end, the value (for example a file name) is sent to the back end, which then opens or executes the corresponding file. If the back end does not strictly validate the value coming from the front end, an attacker can use "../" sequences to make it open or execute some other file. Other directories on the back-end server are then traversed and their contents read out, which is a directory traversal vulnerability.
  You may notice that directory traversal, unsafe file download and even file inclusion vulnerabilities sound alike. They share the same root cause: the function is designed to hand the file to operate on to the back end as a variable, without strict security checks. They differ only in where the weakness sits and how it shows itself, so they are still defined separately.
  One distinction to keep in mind: if a URL is requested without any parameter (for example http://xxxx/doc) and the server lists every file inside the doc folder, that is classified as sensitive information disclosure, not directory traversal. (For more on sensitive information disclosure, see the "I can see your ABC" module.)


Start our experiment:

Looking at the source, we find it has no protection at all.


Remove the file name that follows the current directory in the URL and insert ../ at the position marked by the arrow in the screenshot, and you can traverse directories.


For example, construct the parameter passed to the back end like this to read a file outside the intended directory: http://192.168.43.116/pikachu/vul/dir/dir_list.php?title=../../../assets/css/chosen.min.css
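The fix for a page like dir_list.php is to resolve the requested name under the intended directory and refuse anything that ends up elsewhere. The Python below is an added example (Pikachu itself is PHP, and this is not its code) of that containment check, run against a throwaway directory layout constructed for the example: the directory names, file names and probes are all invented here.

```python
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a user-supplied path would leave the allowed directory."""


def resolve_inside(base_dir, user_path):
    """Resolve `user_path` under `base_dir`, refusing anything that escapes it.

    Join, canonicalise (realpath collapses ".." and follows symlinks), then
    insist the result still lies under the canonical base directory. This is
    the check a dir_list.php-style 'open "soup/" . $_GET["title"]' lacks.
    """
    if "\x00" in user_path:
        raise TraversalError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when user_path is absolute ("/etc/passwd");
    # the commonpath test below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def read_listed_file(base_dir, title):
    """Hardened equivalent of the vulnerable page's file read."""
    with open(resolve_inside(base_dir, title), "rb") as fh:
        return fh.read()


def demo():
    """Build a temporary layout and return {probe: 'ok' | 'denied'} plus one read.

    Constructed layout:
        <tmp>/soup/notes.txt       -> inside the allowed directory
        <tmp>/secret.txt           -> one level above it
        <tmp>/soup/link_to_secret  -> symlink pointing at ../secret.txt
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        soup = os.path.join(tmp, "soup")
        os.mkdir(soup)
        with open(os.path.join(soup, "notes.txt"), "w") as fh:
            fh.write("in bounds\n")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("out of bounds\n")
        probes = [
            "notes.txt",               # the intended use
            "sub/../notes.txt",        # ".." that stays inside is fine
            "../secret.txt",           # the classic traversal
            "../../../../etc/passwd",  # deeper than the tree; realpath clamps at "/"
            "/etc/passwd",             # absolute path throws the base away
            "notes.txt\x00.jpg",       # NUL-byte truncation trick
        ]
        try:
            os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(soup, "link_to_secret"))
            probes.append("link_to_secret")  # escape via symlink; realpath follows it
        except OSError:
            pass  # platform without symlink support: skip that probe
        for p in probes:
            try:
                resolve_inside(soup, p)
                results[p] = "ok"
            except TraversalError:
                results[p] = "denied"
        results["read:notes.txt"] = read_listed_file(soup, "notes.txt").decode()
    return results


if __name__ == "__main__":
    for probe, outcome in demo().items():
        print(f"{outcome:7} {probe!r}")
```

The web server URL-decodes the query string before the application sees it, so the check operates on the decoded value; decoding again inside the application would mangle legitimate names containing percent signs. An even simpler fix for a menu like Pikachu's is an allowlist of the few file names the page is meant to serve, and rejecting everything else.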


Disclosure of sensitive information

Overview:

Through carelessness or poor design by back-end developers, data that front-end users should never see ends up being easy to access. For example:
--- accessing a directory by URL lists the files in that directory directly;
--- an invalid URL parameter produces an error message that reveals the operating system, middleware, development-language version or other details;
--- the front-end source (html, css, js) contains sensitive information such as the back-office login address, network adapter details, or even account names and passwords.
Cases like these are called sensitive information disclosure. Although it is rated as a relatively low-severity vulnerability, the leaked information often gives an attacker a great deal of help in carrying out further attacks, and an "outrageous" disclosure can directly cause serious damage. So when developing web applications, besides writing secure code, take care to handle sensitive information properly.


Start our experiment:

Looking at the source, the comments already tell us far too much.

In fact, a test account and password can be found directly in the front-end source.


We can also change findabc.php in the URL to abc.php to bypass the login page.

After the change:


Source: www.cnblogs.com/escwq/p/12634928.html