Unsafe Filedownload

File download functions appear in many web systems. When a user clicks a download link, the browser sends a download request to the back end, and that request usually carries the name of the file to be downloaded. The back end then runs its download code and returns the file that corresponds to that name to the browser. If the back end takes the requested file name and concatenates it straight into the path of the file to be served, without any security check on it, the result is an unsafe file download vulnerability.
In that situation, an attacker can submit not the file name the program expects but a carefully constructed path (for example ../../../etc/passwd), and the server will very likely serve the specified file directly. Sensitive back-end data (password files, source code, and so on) can then be downloaded.

Therefore, when designing a file download function whose target file is supplied by the front end, the incoming file name must be treated as untrusted and validated before it is used.

Remember: All data that interacts with the front end is not safe and should not be taken lightly!


Click any picture link to download it, then look at the picture's download link and analyze it:


http://192.168.80.139/pikachu/vul/unsafedownload/execdownload.php?filename=ai.png

The value after ?filename= can be modified directly.

Using directory traversal (../../../../../../etc/passwd), the path is walked up to the root directory, and from there any readable file can be fetched, which completes the attack.
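The fix the post calls for is to validate the front-end file name before joining it to a path. The following Python example, added here and not part of the original post or of Pikachu (whose `execdownload.php` is PHP), shows the vulnerable concatenation pattern next to a hardened resolver. It assumes a download directory containing one picture (created as a constructed sample in a temporary folder so the script runs offline), an extension allowlist for pictures, and that the framework has already URL-decoded the `filename` parameter. The function and directory names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample environment: a "pictures" download directory holding one
# file, mirroring the ?filename=ai.png case from the post. Hypothetical names.
DOWNLOAD_DIR = Path(tempfile.mkdtemp(prefix="unsafe_download_demo_")) / "pictures"
DOWNLOAD_DIR.mkdir()
(DOWNLOAD_DIR / "ai.png").write_bytes(b"\x89PNG constructed sample, not a real image")

# Only picture types may be served from this directory (assumption).
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def unsafe_download_path(filename: str) -> Path:
    """The vulnerable pattern described in the post: the request's file name is
    concatenated straight into the path with no check at all."""
    return Path(str(DOWNLOAD_DIR) + "/" + filename)


def unsafe_path_escapes(filename: str) -> bool:
    """Defender's check on the vulnerable pattern: does this request name resolve
    to a file outside the download directory?"""
    base = DOWNLOAD_DIR.resolve()
    candidate = unsafe_download_path(filename).resolve()
    return base not in candidate.parents


def safe_download_path(filename: str) -> Path:
    """Hardened resolver. Raises ValueError for any name that is not a plain
    file name in the download directory with an allowed extension."""
    # 1. A download name must be a bare file name: no path separators on any
    #    platform, no NUL bytes, and not the "." / ".." pseudo-entries.
    if (
        not filename
        or filename in (".", "..")
        or "\\" in filename
        or "\x00" in filename
        or filename != os.path.basename(filename)
    ):
        raise ValueError("file name must not contain path components")

    # 2. Extension allowlist: the endpoint only serves pictures.
    if Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type not allowed for download")

    # 3. Canonicalise (follows symlinks) and confirm the result is a direct
    #    child of the download directory. This catches anything the string
    #    checks above might miss, such as a symlinked entry pointing elsewhere.
    base = DOWNLOAD_DIR.resolve()
    candidate = (base / filename).resolve()
    if candidate.parent != base:
        raise ValueError("resolved path is outside the download directory")

    # 4. Serve only regular files that actually exist.
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate


if __name__ == "__main__":
    for name in ("ai.png", "../../../../../../etc/passwd", "sub/ai.png", "ai.php"):
        print(f"{name!r}: vulnerable join escapes dir = {unsafe_path_escapes(name)}")
        try:
            print(f"  hardened resolver -> {safe_download_path(name)}")
        except (ValueError, FileNotFoundError) as exc:
            print(f"  hardened resolver rejected: {exc}")
```

The string checks in step 1 reject traversal before any file-system access, and step 3 is the defence in depth: even if a future change allowed subdirectories, `resolve()` plus a containment check still keeps every served file inside the intended directory.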


Origin blog.csdn.net/ZhaoSong_/article/details/132379284