Pikachu - Unsafe Filedownload (unsafe file download)

Overview of unsafe file download:
A file download function appears in many web systems. When the user clicks a download link, the browser sends a download request to the back end, and that request usually carries the name of the file to be downloaded. The back-end code receives the request, reads the file that matches the name, and returns it to the browser as the response, which completes the download. If the back end takes the file name straight from the request and uses it to build the path it reads from, with no check on whether that path is safe, an unsafe file download vulnerability results.
An attacker can then submit, instead of the file name the program expects, a carefully constructed path such as ../../../etc/passwd, and the server will most likely hand that file over. Sensitive back-end data (password files, source code and so on) can be downloaded this way.
So when designing a download function, if the name of the file to download is passed in from the front end, that value must be handled with security in mind. Remember: all data that comes from the front end is untrusted and must not be taken lightly!

Unsafe Filedownload (unsafe file download)

Click a name to download the corresponding file:


This situation should look very familiar: when you click download on a name, the back end actually fetches the file named in the request and writes it straight back out, much like a local file inclusion. So, just as with file inclusion, we can change the value of filename to retrieve other files. Try it out!

When testing for a file download vulnerability, we can modify the parameter with a directory traversal sequence to download other files:

192.168.24.140/pikachu-master/vul/unsafedownload/execdownload.php?filename=../down_nba.php


Precautions:

1. Strictly filter and restrict the incoming file name;

2. Strictly restrict the directory that files may be downloaded from.
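As an added example (not code from the original post or from the Pikachu project, which is written in PHP), the Python script below reproduces the download pattern the writeup exploits inside a constructed sandbox directory and places a hardened handler beside it that applies both precautions above. The sandbox layout, file names, contents and the allowlist are assumptions made for this example; the same three checks map directly onto PHP's basename() and realpath() in a real handler.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox standing in for the layout the writeup walks through:
# the handler's own PHP sources sit in one directory and the files users are
# meant to fetch sit in a download/ subdirectory beneath it.
# The file names and contents here are assumptions made for this example.
def make_sandbox():
    root = Path(tempfile.mkdtemp(prefix="unsafedownload_"))
    (root / "execdownload.php").write_text("<?php /* download handler source */")
    (root / "down_nba.php").write_text("<?php /* page source the attacker wants */")
    (root / "download").mkdir()
    (root / "download" / "kb.png").write_bytes(b"\x89PNG constructed image bytes")
    return root


def unsafe_download(root, filename):
    """The pattern the writeup describes: the user-supplied name is glued onto
    the download directory and read with no check at all.

    '../down_nba.php' therefore resolves to a file *outside* download/.
    (An absolute name such as '/etc/passwd' is just as bad: pathlib, like most
    path-join helpers, discards the base when the right-hand side is absolute.)
    """
    path = root / "download" / filename
    with open(path, "rb") as f:
        return f.read()


# Hardened handler (an assumed design for this example, not Pikachu's own fix).
ALLOWED_DOWNLOADS = {"kb.png"}


def safe_download(root, filename):
    """Three independent checks, any one of which stops the traversal above:

    1. the request may name a file, never a path (no separators, no '..');
    2. the name must be on an explicit allowlist;
    3. the fully resolved path must still sit directly inside download/,
       which also catches symlinks planted in that directory.
    """
    base = (root / "download").resolve()

    # 1. basename() strips any directory part; if that changed the value,
    #    the caller sent a path ('../down_nba.php' -> 'down_nba.php').
    name = os.path.basename(filename)
    if not name or name != filename or name in (".", ".."):
        raise PermissionError("filename must be a bare file name")

    # 2. Only files we chose to publish are served.
    if name not in ALLOWED_DOWNLOADS:
        raise PermissionError(f"{name!r} is not a downloadable file")

    # 3. Resolve symlinks and '..' and confirm containment before opening.
    target = (base / name).resolve()
    if target.parent != base:
        raise PermissionError("resolved path escapes the download directory")

    with open(target, "rb") as f:
        return f.read()


def run_demo():
    """Return what each handler does with the traversal from the writeup."""
    root = make_sandbox()
    result = {
        "unsafe_leaks_source": unsafe_download(root, "../down_nba.php"),
        "safe_serves_legit": safe_download(root, "kb.png"),
    }
    try:
        safe_download(root, "../down_nba.php")
        result["safe_blocks_traversal"] = False
    except PermissionError:
        result["safe_blocks_traversal"] = True
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The allowlist is the strongest of the three checks because it removes the file name from the attacker's control entirely; a looser variant that serves any regular file under download/ can keep checks 1 and 3 and drop check 2, but should then also refuse to follow symlinks, which is exactly what the resolved-path comparison does.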


Source: www.cnblogs.com/li2019/p/12639407.html