π οΈ Directory traversal β
Theory β
Directory traversal (or Path traversal) is a vulnerability that allows an individual to read arbitrary files on a web server. Inputs that are not validated by the back-end server may be vulnerable to payloads such as "../../../". Using this method, an attacker can go beyond the root directory of the website, thus reaching arbitrary files hosted on the web server (/etc/passwd
, /etc/hosts
, c:/boot.ini
, etc.).
Notes β
Some details are important to know beforehand.
Path separator β
As the Owasp mentions, each operating system uses different characters as a path separator.
Unix-like OS:
root directory: "/"
directory separator: "/"
Windows OS' Shell':
root directory: "<drive letter>:\"
directory separator: "\" or "/"
Classic Mac OS:
root directory: "<drive letter>:"
directory separator: ":"
Windows β
Files and directories are case-insensitive, so there's no need to try different payloads based on case sensitivity. Also, one has to make sure that the payloads don't use a fixed drive letter ("C:"), but more ("D:", "E:"...).
Directory traversal could lead to Remote Code Execution (RCE).
Practice β
Tool β
The tool dotdotpwn (Perl) can help in finding and exploiting directory traversal vulnerabilities by fuzzing the web app. However, manual testing is usually more efficient.
# With a request file where /?argument=TRAVERSAL (request file must be in /usr/share/dotdotpwn)
dotdotpwn.pl -m payload -h $RHOST -x $RPORT -p $REQUESTFILE -k "root:" -f /etc/passwd
β
# Generate a wordlist in STDOUT that can be used by other fuzzers (ffuf, gobuster...)
dotdotpwn -m stdout -d 5
Manual testing β
Reconnaissance β
The first step is to find what kind of system is used (Linux, Windows...). One could do that by checking on which web technology is used (some technologies run on Linux while others run on Windows).
Next, finding the right parameter to inject is essential. Usually, a vulnerable parameter is one that requires a file that will be fetched by the back-end server using a path (form parameters, cookies...).
# Example
http://example.com/getItem.jsp?item=file.html
Then, to construct a payload, it's interesting to have a set of important files to search:
Filter bypass β
Various filters could be set for a web application (using a Web Application Firewall for example). A set of bypass payloads can be found in PayloadsAllTheThings.
User privilege β
If you can successfully retrieve one of the following files, you are at least a member of the Administrators group:
c:/documents and settings/administrator/ntuser.ini
c:/documents and settings/administrator/desktop/desktop.ini
c:/users/administrator/desktop/desktop.ini
c:/users/administrator/ntuser.ini
There may be no "administrator" account, you have to guess the right one in that case.
If you can read either of these files, the file reading process has
LocalSystem
privileges.
c:/system volume information/wpsettings.dat
C:/Windows/CSC/v2.0.6/pq
C:/Windows/CSC/v2.0.6/sm
C:/$Recycle.Bin/S-1-5-18/desktop.ini
Resources β
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal