Java Web审计中常见的任意文件操作绕过缺陷分析与防御<\/h1>

0x00 前言<\/h2>
在Java Web应用程序中，任意文件操作漏洞允许攻击者通过操纵应用程序访问服务器上的敏感文件。这种漏洞通常源于对用户输入的文件路径参数处理不当。<\/p>

常见文件操作类<\/h3>

审计时应重点关注以下类：<\/p>

InputStream<\/li>
File<\/li>
OutputStream<\/li>
BufferedInputStream<\/li>

FileInputStream<\/li> <\/ul>

参数位置分类<\/h3>

请求参数<\/strong>：较常见，通过request.getParameter获取<\/li>

请求路径<\/strong>：

自定义Servlet实现<\/li>
框架特性（如@PathVariable注解）<\/li> <\/ul> <\/li> <\/ol>
0x01 常见绕过缺陷<\/h2>
1.1 过滤内容不严谨<\/h3>
1.1.1 Windows目录穿越符<\/h4>
当仅过滤..\/<\/code>时，攻击者可能使用：<\/p>
..\<\/code>（Windows反斜杠）<\/li> %5C<\/code>（反斜杠的URL编码）<\/li> <\/ul> 示例漏洞代码：<\/p> public<\/span> static<\/span> boolean<\/span> check<\/span>(<\/span>String filePath)<\/span> {<\/span> <\/span><\/span> if<\/span> (<\/span>StringUtil.<\/span>isBlank<\/span>(<\/span>filePath))<\/span> {<\/span> <\/span><\/span> return<\/span> true<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> StringUtil.<\/span>contains<\/span>(<\/span>filePath,<\/span> "..\/"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>1.1.2 java.net.URL处理特性<\/h4> 利用URL类特性绕过后缀检查：<\/p> URL url =<\/span> new<\/span> URL(<\/span>"file:\/var\/log\/etc\/passwd#.png"<\/span>);<\/span> <\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>url.<\/span>getPath<\/span>());<\/span> \/\/ 忽略#后的内容 <\/span><\/span><\/span><\/code><\/pre>双重URL编码绕过：<\/p> \/\/ 原始路径：..\/..\/etc\/passwd <\/span><\/span><\/span>\/\/ 第一次编码：%2E%2E%2F%2E%2E%2Fetc%2Fpasswd <\/span><\/span><\/span>\/\/ 第二次编码：%252E%252E%252F%252E%252E%252Fetc%252Fpasswd <\/span><\/span><\/span><\/code><\/pre>1.1.3 与其他安全措施冲突<\/h4> 当多个过滤器存在执行顺序问题时：<\/p> @Override<\/span> <\/span><\/span>public<\/span> String getParameter<\/span>(<\/span>String parameter)<\/span> {<\/span> <\/span><\/span> String value =<\/span> super<\/span>.<\/span>getParameter<\/span>(<\/span>parameter);<\/span> <\/span><\/span> if<\/span> (<\/span>value ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> JsoupUtil.<\/span>clean<\/span>(<\/span>cleanAnyFileRead((<\/span>String)<\/span> value));<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>private<\/span> static<\/span> String cleanAnyFileRead<\/span>(<\/span>String value)<\/span> {<\/span> <\/span><\/span> value =<\/span> value.<\/span>replaceAll<\/span>(<\/span>"\\.+\/"<\/span>,<\/span> ""<\/span>);<\/span> <\/span><\/span> return<\/span> value;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>绕过方式：<\/p> ..<script>\/..<script>\/..<script>\/etc\/passwd <\/code><\/pre> 1.2 获取实际访问文件资源方法不当<\/h3> StringUtils.cleanPath问题<\/h4> 该方法对路径规范化的处理不彻底：<\/p> 将\\<\/code>替换为\/<\/code><\/li> 处理.<\/code>（当前目录）和..<\/code>（上级目录）<\/li> 但存在以下问题：当pathArray.length != pathElements.size()<\/code>时，会保留多余的..<\/code><\/li> 多个连续\/<\/code>会被视为"空"目录，影响处理结果<\/li> <\/ul> <\/li> <\/ol> 漏洞示例：<\/p> public<\/span> static<\/span> String readLogFile<\/span>(<\/span>String fileName)<\/span> {<\/span> <\/span><\/span> String fullPath =<\/span> "\/var\/log\/"<\/span> +<\/span> fileName;<\/span> <\/span><\/span> \/\/ 读取文件逻辑... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>绕过方式：<\/p> 直接访问\/etc\/passwd<\/code>： StringUtils.<\/span>cleanPath<\/span>(<\/span>"\/etc\/passwd"<\/span>)<\/span> \/\/ 原样输出 <\/span><\/span><\/span><\/code><\/pre><\/li> 使用足够多的..\/<\/code>： StringUtils.<\/span>cleanPath<\/span>(<\/span>"\/var\/log\/..\/..\/etc\/passwd"<\/span>)<\/span> \/\/ 返回\/etc\/passwd <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x02 防御建议<\/h2> 严格路径校验<\/strong>：<\/p> 使用Path.normalize()<\/code>标准化路径<\/li> 检查规范化后的路径是否在允许范围内<\/li> <\/ul> Path path =<\/span> Paths.<\/span>get<\/span>(<\/span>"\/var\/log"<\/span>,<\/span> fileName).<\/span>normalize<\/span>();<\/span> <\/span><\/span>if<\/span> (!<\/span>path.<\/span>startsWith<\/span>(<\/span>"\/var\/log"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> \/\/ 非法路径 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 多重防御<\/strong>：<\/p> 结合白名单和黑名单<\/li> 对Windows和Linux路径分别处理<\/li> 处理URL编码和双重编码情况<\/li> <\/ul> <\/li> 安全工具类使用<\/strong>：<\/p> 避免单独依赖StringUtils.cleanPath<\/code><\/li> 结合getCanonicalPath()<\/code>检查实际路径<\/li> <\/ul> <\/li> 框架特性利用<\/strong>：<\/p> 参考CVE-2023-34062修复方案<\/li> 使用Path.normalize()<\/code>后检查路径前缀<\/li> <\/ul> <\/li> <\/ol> 0x03 总结<\/h2> Java Web应用中任意文件操作漏洞的防御需要：<\/p> 全面理解各种绕过技术（Windows特性、URL处理、编码问题等）<\/li> 避免单一依赖某个安全函数<\/li> 实施多层防御策略<\/li> 定期审计路径处理逻辑<\/li> 关注框架安全更新和最佳实践<\/li> <\/ol> 通过规范化路径处理、严格边界检查和多层次验证，才能有效防御任意文件操作漏洞。<\/p>

Java Web审计中常见的任意文件操作绕过缺陷分析与防御<\/h1>

0x00 前言<\/h2> 在Java Web应用程序中，任意文件操作漏洞允许攻击者通过操纵应用程序访问服务器上的敏感文件。这种漏洞通常源于对用户输入的文件路径参数处理不当。<\/p>

0x01 常见绕过缺陷<\/h2>

1.1 过滤内容不严谨<\/h3>

1.2 获取实际访问文件资源方法不当<\/h3>

0x00 前言<\/h2>
在Java Web应用程序中，任意文件操作漏洞允许攻击者通过操纵应用程序访问服务器上的敏感文件。这种漏洞通常源于对用户输入的文件路径参数处理不当。<\/p>