quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)
so, you can read WEB-INF/web.xml. how can you escalate this issue?
[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.
use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
with time you can build your own wordlist, adding files you've discovered along the way.
use Burp Intruder for this, it's perfect for the job.
sort Intruder results by status code so you can see instantly which files were found.
[step 2]. take a look at WEB-INF/web.xml and try to understand which framework was used.
most Java web applications nowadays use Spring (https://spring.io/).
if you see in WEB-INF/web.xml a class name starting with org.springframework (usually DispatcherServlet), it's Spring.
for example:
<servlet>
<servlet-name>example</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
if it's Spring, look for the servlet-mapping (servlet-name) section.
for example:
<servlet-mapping>
<servlet-name>golfing</servlet-name>
<url-pattern>/golfing/*</url-pattern>
</servlet-mapping>
in this case, the name of the servlet is "golfing".
by Spring convention, the application then needs a file called WEB-INF/golfing-servlet.xml.
this file contains all of the Spring Web MVC-specific components (beans).
try to read this file.
for Spring, also look for WEB-INF/applicationContext.xml
if it's not Spring, it could be Struts (https://struts.apache.org/).
look for something like this:
<filter>
<filter-name>struts2</filter-name>
<filter-class>
org.apache.struts2.dispatcher.FilterDispatcher
</filter-class>
</filter>
if it's Struts, try to read these files:
WEB-INF/classes/struts.xml
WEB-INF/classes/default.properties
or
WEB-INF/struts-config.xml
more info here: https://struts.apache.org/core-developers/configuration-files.html
if it's neither Spring nor Struts, read the web.xml file carefully to figure out which framework they might be using, then read that framework's docs.
[step 3]. classpath:bla in web.xml
if web.xml references a file with a classpath: prefix, as in the following example:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:my-main-spring.xml</param-value>
</context-param>
it means the file is loaded from the classpath. for a web app the classpath is usually WEB-INF/classes/ plus the jars in WEB-INF/lib/ (a resource under WEB-INF/lib/ is normally packaged inside one of those jars).
this means that you can read the file referenced there (my-main-spring.xml) by reading:
WEB-INF/classes/my-main-spring.xml or
WEB-INF/lib/my-main-spring.xml
[step 4]. look for class names in web.xml and try to read the .class files
in WEB-INF/web.xml and/or the other files you were able to read following steps 1-3 you will find a lot of class names.
class names are referenced like this:
<bean class="com.company.bla.bla.className"> or like this
<filter-class>com.company.bla.bla.className</filter-class>
in either case, the name of the class is "com.company.bla.bla.className"
in Java, this class is stored at this folder + file:
com/company/bla/bla/className.class
classes are usually stored in either WEB-INF/classes/ or WEB-INF/lib/
therefore, you should try to read the class file by reading
WEB-INF/classes/com/company/bla/bla/className.class
or
WEB-INF/lib/com/company/bla/bla/className.class
to download the class files I usually use curl like this:
curl -O --path-as-is https://example.com/path-traversal/../WEB-INF/lib/com/company/bla/bla/className.class
if it works, this will save a file className.class in the current directory.
Sergey Bobrov/BlackFan wrote a tool that helps with this:
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf-dumper.php
if you are able to download className.class you need to decompile it to take a look at the Java source code.
I use the following 2 tools:
http://java-decompiler.github.io/
https://github.com/skylot/jadx
once decompiled, you get access to more class names (from the imports), so you download those classes too, decompile them, and so on.
somebody should write a tool to automate this so it will decompile classes, read imports, download more classes, decompile, ...
have fun!
harisec
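A defender-side addition (example code, not part of harisec's gist): a scan of access-log lines that flags requests whose decoded and normalized path resolves into WEB-INF/ or META-INF/, so the raw /../ form that curl --path-as-is sends, the %2f-encoded form and the double-encoded form are all caught; the log lines and paths are constructed for the example.

```python
# Added detection example, not part of the original gist. Log lines are constructed.
import re
from urllib.parse import unquote

SENSITIVE = ("/WEB-INF/", "/META-INF/")
# Matches the request line inside a common/combined access-log entry
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(raw):
    """Drop the query string, percent-decode twice (to catch double encoding such
    as %252e%252e) and collapse '.' and '..' segments the way a file server would."""
    path = unquote(unquote(raw.split("?", 1)[0]))
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:          # '..' above the root is simply ignored
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_web_inf_probe(raw):
    """True if the normalized path enters WEB-INF/ or META-INF/ (case-insensitive)."""
    norm = normalize_path(raw).upper() + "/"
    return any(marker in norm for marker in SENSITIVE)


def scan_log(lines):
    """Return (method, raw target) for every request that probes WEB-INF/META-INF."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_web_inf_probe(m.group("target")):
            hits.append((m.group("method"), m.group("target")))
    return hits


SAMPLE_LOG = [  # constructed sample entries
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app/download/../WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /app/download/..%2fWEB-INF/classes/struts.xml HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /app/download/%252e%252e/WEB-INF/golfing-servlet.xml HTTP/1.1" 404 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /app/static/web-info.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for method, target in scan_log(SAMPLE_LOG):
        print("ALERT", method, target)
```

The 404 entry is flagged too: a probe that failed today still tells you someone is mapping WEB-INF, which is the point of alerting on the normalized path rather than on the status code.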