quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)
so, you can read WEB-INF/web.xml. how can you escalate this issue?
[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.
use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
over time you can build your own wordlist by adding the files you've discovered.
use Burp Intruder for this, it's perfect for this job.
sort Intruder results by status code so you can see instantly which files were found.
[step 2]. take a look at WEB-INF/web.xml and try to understand what framework was used.
most Java web applications nowadays are using Spring (https://spring.io/).
if you see in WEB-INF/web.xml a class name starting with org.springframework (usually DispatcherServlet), it's Spring.
for example:
<servlet>
<servlet-name>example</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
if it's Spring, look for the servlet-mapping (servlet-name) section.
for example:
<servlet-mapping>
<servlet-name>golfing</servlet-name>
<url-pattern>/golfing/*</url-pattern>
</servlet-mapping>
in this case, the name of the servlet is "golfing".
according to Spring convention (servlet-name + "-servlet.xml"), the application will have a file called WEB-INF/golfing-servlet.xml.
this file will contain all of your Spring Web MVC-specific components (beans).
try to read this file.
for Spring, also look for WEB-INF/applicationContext.xml
if it's not Spring, it could be Struts (https://struts.apache.org/).
look for something like this
<filter>
<filter-name>struts2</filter-name>
<filter-class>
org.apache.struts2.dispatcher.FilterDispatcher
</filter-class>
</filter>
if it's Struts, try to read these files:
WEB-INF/classes/struts.xml
WEB-INF/classes/default.properties
or
WEB-INF/struts-config.xml
more info here: https://struts.apache.org/core-developers/configuration-files.html
if it's not Spring and not Struts, read the web.xml file attentively to figure out what framework they could be using, then read that framework's docs.
[step 3]. classpath:bla in web.xml
If you find in web.xml a file referenced using classpath:filename such as the following example:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:my-main-spring.xml</param-value>
</context-param>
it means the file is located on the class path. the class path is usually WEB-INF/classes/ or WEB-INF/lib/
this means that you can read the file referenced there (my-main-spring.xml) by reading:
WEB-INF/classes/my-main-spring.xml or
WEB-INF/lib/my-main-spring.xml
[step 4]. look for class names in web.xml and try to read the .class files
in WEB-INF/web.xml and/or the other files you were able to read following steps 1-3 you will find a lot of class names.
class names are referenced like this:
<bean class="com.company.bla.bla.className">
or like this:
<filter-class>com.company.bla.bla.className</filter-class>
in any case, the name of the class is "com.company.bla.bla.className"
in Java, this class is stored in this folder + file:
com/company/bla/bla/className.class
classes are usually stored in either WEB-INF/classes/ or WEB-INF/lib/
therefore, you should try to read the class file by reading
WEB-INF/classes/com/company/bla/bla/className.class
or
WEB-INF/lib/com/company/bla/bla/className.class
to download the class files I usually use curl like this:
curl -O --path-as-is https://example.com/path-traversal/../WEB-INF/lib/com/company/bla/bla/className.class
if it works, this will save a file className.class in the current directory.
Sergey Bobrov/BlackFan wrote a tool that helps with this:
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf-dumper.php
if you are able to download className.class, you need to decompile it so you can take a look at the Java source code.
I use the following 2 tools:
http://java-decompiler.github.io/
https://github.com/skylot/jadx
when you decompile it, you get access to more class names (from imports); you can then download and decompile more classes, and so on.
somebody should write a tool to automate this so it will decompile classes, read imports, download more classes, decompile, ...
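the defender's side of steps 1-4, as an added example that is not part of the original gist: a small Python scanner that flags, in web server access logs, the request shapes described above (dot-dot segments, percent-encoded and double-encoded variants, targets under WEB-INF/ or META-INF/ and .class files) and ranks a 200 response to such a request highest, since that usually means the file was served. the log lines and IPs are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (common log format); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /golfing/index.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /download?f=../WEB-INF/web.xml HTTP/1.1" 200 2810
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /static/../WEB-INF/golfing-servlet.xml HTTP/1.1" 200 4410
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /static/%2e%2e/WEB-INF/classes/com/company/App.class HTTP/1.1" 200 9120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /static/..%252fWEB-INF/classes/struts.xml HTTP/1.1" 404 210
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /docs/../images/logo.png HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Artifacts the primer walks through: anything under WEB-INF/ or META-INF/, and .class files.
SENSITIVE = re.compile(r"(?i)(?:^|[/=\\])(?:WEB-INF|META-INF)/|\.class$")

def decode_target(target, max_rounds=3):
    """Percent-decode until stable, so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    # '..' counts wherever it appears as a segment: in the path or inside a query value.
    traversal = ".." in re.split(r"[/?&=\\]", decoded)
    sensitive = bool(SENSITIVE.search(decoded))
    status = int(m.group("status"))
    if traversal and sensitive:
        severity = "high" if status == 200 else "medium"  # 200: the file was most likely served
    else:
        severity = "low" if (traversal or sensitive) else None
    return {"ip": m.group("ip"), "target": decoded, "status": status, "severity": severity}

def scan(log_text):
    """All findings that carry a severity, in log order."""
    findings = (classify(l) for l in log_text.splitlines() if l.strip())
    return [f for f in findings if f and f["severity"]]
```

a single low finding (a stray "..") is noise; several high findings from one IP within seconds, as in the sample, is the sweep pattern worth alerting on.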
have fun!
harisec