Pikachu-Unsafe Filedownload (unsafe file download)

Overview of unsafe file downloads

Many web systems offer a file download function. Typically, when we click a download link, a download request is sent to the back end, and this request usually carries the name of the file to be downloaded. After receiving the request, the back-end download code reads the file with that name and returns its contents to the browser in the response, completing the download. If the back end concatenates the received file name directly onto a path and reads it, without any security check, an unsafe file download vulnerability can result.
If what the attacker submits is not the file name the program expects, but a carefully constructed path (such as ../../../etc/passwd), the specified file is very likely to be downloaded directly, so that sensitive back-end information (password files, source code, etc.) is leaked.

Therefore, when designing a file download function, if the file to be downloaded is passed in from the front end, the value passed in must be handled with security in mind. Remember: all data that interacts with the front end is untrusted and cannot be taken lightly!
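The overview above describes a handler that opens whatever file name the request carries. The following is an added example (written in Python rather than the lab's PHP, and not Pikachu's own code) that puts the vulnerable lookup next to a hardened one; the download directory and its files are constructed in a temporary folder so the check can be run offline.

```python
import os
import tempfile

# Constructed sandbox: a download directory holding one legitimate file, and a
# "sensitive" file one level above it (standing in for something like /etc/passwd).
ROOT = tempfile.mkdtemp()
DOWNLOAD_DIR = os.path.join(ROOT, "download")
os.makedirs(DOWNLOAD_DIR)
with open(os.path.join(DOWNLOAD_DIR, "player.png"), "wb") as fh:
    fh.write(b"PNG-BYTES")
with open(os.path.join(ROOT, "secret.txt"), "wb") as fh:
    fh.write(b"root:x:0:0")


def unsafe_download(filename):
    """Vulnerable pattern: the user-supplied name is concatenated onto the
    directory and opened as-is, so '../secret.txt' walks out of it."""
    with open(os.path.join(DOWNLOAD_DIR, filename), "rb") as fh:
        return fh.read()


def resolve_safely(filename):
    """Return the absolute path of `filename` inside DOWNLOAD_DIR, or None when
    the name contains a path separator or resolves outside the directory."""
    # Reject anything that is not a bare file name (slashes, '.', '..', empty).
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        return None
    base = os.path.realpath(DOWNLOAD_DIR)
    target = os.path.realpath(os.path.join(base, filename))
    # realpath() follows symlinks, so also confirm the final location is
    # still under the download directory.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def safe_download(filename):
    """Hardened handler: only read a path that resolve_safely() accepted."""
    target = resolve_safely(filename)
    if target is None:
        raise ValueError("rejected file name: %r" % filename)
    with open(target, "rb") as fh:
        return fh.read()
```

A production handler would additionally serve only names present in an allow-list or database record, rather than any file that happens to sit in the directory.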

1. Capture the download request (packet capture) and inspect it.

2. Since the file is read directly by file name, construct the payload directly and view the files in the parent directory.

3. Download the down_nba.php file itself.

Origin www.cnblogs.com/joker-vip/p/12355121.html