Unsafe Filedownload (Overview of Unsafe File Download)

A file download function appears on many web systems. Generally, when we click a download link, the browser sends a download request to the backend, and this request usually carries the name of the file to be downloaded. After receiving the request, the backend runs the download code and sends the file matching that name back to the browser as the response, completing the download. If the backend takes the requested file name and concatenates it directly into the path of the file to download, without making any security check, an unsafe file download vulnerability results.

In that case, if the attacker submits not the file name the program expects but a carefully constructed path (such as ../../../etc/passwd), the specified file is very likely to be downloaded directly. As a result, sensitive backend information (password files, source code, etc.) is exposed.

From the introduction on the platform, the principle of this vulnerability is relatively simple. Let's test it:

From the source code on the page, the request that executes the download is: execdownload.php?filename=rayal.png

Here we construct a request that downloads the website's own source code instead; enter:
http://localhost/pikachu/vul/unsafedownload/execdownload.php?filename=../down_nba.php

In this way we can obtain sensitive information from the website.

Finally, let's take a look at the source code of execdownload.php: there are no restrictions on the filename parameter at all.
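To make the concatenation problem concrete, and to show what the missing restriction would look like, here is an added example written for this write-up in Python (the Pikachu platform itself is PHP; this is not its code). It builds a throwaway download directory with one legitimate file and one "sensitive" file outside it (both constructed for the demo), then resolves the same two filenames from the walkthrough with a resolver that concatenates blindly, as described above, and with a hardened resolver that allowlists the name and confirms the canonical path stays inside the download directory. The function and directory names are assumptions, not names from the platform.

```python
import os
import re
import tempfile

# Constructed demo layout: a download directory holding rayal.png, and a
# "sensitive" file one level up that a download handler must never serve.
ROOT = tempfile.mkdtemp(prefix="unsafe_download_demo_")
DOWNLOAD_DIR = os.path.join(ROOT, "download")
os.makedirs(DOWNLOAD_DIR)
with open(os.path.join(DOWNLOAD_DIR, "rayal.png"), "wb") as f:
    f.write(b"\x89PNG demo bytes")
with open(os.path.join(ROOT, "down_nba.php"), "w") as f:
    f.write("<?php // stand-in for application source ?>")


def vulnerable_resolve(filename: str) -> str:
    """Mirrors the pattern described in the write-up: the request parameter is
    joined straight onto the directory with no check, so a filename that
    contains '../' escapes the download directory."""
    return os.path.join(DOWNLOAD_DIR, filename)


class DownloadRejected(Exception):
    """Raised by the hardened resolver when the request is refused."""


# Only plain file names: letters, digits, underscore, dot, dash. No separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def safe_resolve(filename: str) -> str:
    """Hardened version. Three independent layers:
    1. allowlist the characters and refuse any '..' sequence;
    2. canonicalise the joined path and require it to remain under the
       download directory (catches encodings or symlinks the regex misses);
    3. require that the target actually exists as a regular file."""
    if not SAFE_NAME.fullmatch(filename) or ".." in filename:
        raise DownloadRejected(f"bad filename: {filename!r}")
    base = os.path.realpath(DOWNLOAD_DIR)
    target = os.path.realpath(os.path.join(base, filename))
    # commonpath (not startswith) so a sibling such as 'download2' cannot pass
    if os.path.commonpath([base, target]) != base:
        raise DownloadRejected(f"path escapes download dir: {filename!r}")
    if not os.path.isfile(target):
        raise DownloadRejected(f"no such file: {filename!r}")
    return target


def try_download(resolver, filename: str) -> str:
    """Run one resolver on one filename and report 'served', 'rejected' or
    'missing', so the two resolvers can be compared side by side."""
    try:
        path = resolver(filename)
    except DownloadRejected:
        return "rejected"
    return "served" if os.path.isfile(path) else "missing"


if __name__ == "__main__":
    for name in ["rayal.png", "../down_nba.php"]:
        print(f"{name!r}: vulnerable={try_download(vulnerable_resolve, name)}, "
              f"hardened={try_download(safe_resolve, name)}")
```

The character allowlist alone would already stop the `../down_nba.php` request from the walkthrough; the realpath containment check is kept as a second layer because it also catches inputs the regex was never written for, and it is the check worth adding to execdownload.php before the file is read.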

Origin www.cnblogs.com/tangjf10/p/12680506.html