Directory Traversal

Contents: Absolute and relative paths; How to exploit; Bypass using encoding
Absolute and Relative Paths

Absolute path
The full file system path, starting with a forward slash (/) that denotes the root of the file system, e.g. `/var/www/html/`. The absolute path of the current directory can be checked with the `pwd` command.

Relative path
A path interpreted relative to the current directory. `../` refers to the parent directory, so `../../../` climbs three levels up from the current path.
Payload for Directory Traversal

Use a sequence such as `/../../../../../../../`. A long run of `../` ends in the `/` directory: once the path has reached the root, further `../` segments stay there, so you can use a generous number of `../` instead of working out exactly how many levels are needed to reach `/`.
Identifying and Exploiting Directory Traversals

On Linux systems, the `/var/www/html/` directory is often used as the web root. When a web application serves a page such as http://example.com/file.html, it tries to access `/var/www/html/file.html`. The URL contains no part of the path except the filename, because the web root also serves as the base directory for the web server.

If a web application is vulnerable to directory traversal, a user may access files outside the web root by using relative paths, and so reach sensitive files such as SSH private keys or configuration files.

We should always check for the vulnerability by hovering over all buttons, checking all links, navigating to all accessible pages, and (if possible) examining the page's source code. Sometimes an absolute path is needed to perform the directory traversal attack.

Example:
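The vulnerability described above, as an added Python example that is not part of these notes: a file-serving helper that joins the requested name onto the web root with no check, beside a hardened version that decodes the request, canonicalises the path and refuses anything that no longer lies inside the root. The web root is a temporary directory the script creates itself, and the names `vulnerable_resolve`, `safe_resolve` and `escapes_root` are chosen here, not taken from any framework.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed web root: a throwaway directory holding one legitimate page.
# (A real server would use something like /var/www/html.)
WEB_ROOT = tempfile.mkdtemp(prefix="webroot-")
with open(os.path.join(WEB_ROOT, "file.html"), "w", encoding="utf-8") as fh:
    fh.write("<h1>hello</h1>\n")


def vulnerable_resolve(requested: str) -> str:
    """The classic bug: the user-supplied name is joined onto the web root
    with no check. '../' segments walk out of the root, and because
    os.path.join discards everything before an absolute component, a
    request for '/etc/passwd' replaces the root entirely."""
    return os.path.join(WEB_ROOT, requested)


def safe_resolve(requested: str):
    """Hardened version: decode once, reject NUL bytes, canonicalise, then
    require that the real path still lies inside the real web root.
    Returns the canonical path, or None if the request must be refused."""
    decoded = unquote(requested)          # so %2e%2e is judged as '..'
    if "\x00" in decoded:                 # never let the OS truncate the name
        return None
    root = os.path.realpath(WEB_ROOT)
    # Stripping leading separators keeps an absolute request from replacing
    # the root; realpath then collapses '..' and resolves symlinks.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def escapes_root(path: str) -> bool:
    """True when a path (after canonicalisation) lies outside the web root."""
    root = os.path.realpath(WEB_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    # Constructed requests: one legitimate page, then the traversal forms
    # discussed in these notes (relative, absolute, URL-encoded, null byte).
    for req in ["file.html", "../../../../../../etc/passwd", "/etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "file.html%00.png"]:
        print(f"{req!r:58} vulnerable escapes root: "
              f"{str(escapes_root(vulnerable_resolve(req))):5} "
              f"safe -> {safe_resolve(req)}")
```

The check is done on the canonical path rather than on the request string, so it does not matter how many `../` were sent or whether they were encoded: any result outside the root is refused, and an absolute request is mapped back under the root instead of replacing it. Note that a real web server usually percent-decodes the URL once before the application sees it, so the single `unquote` here stands in for that step.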
How to get initial access using directory traversal

Directory traversal is mostly used for gathering information. If we can access files containing sensitive information, it may lead to system access, for example:

SSH key file (`/home/user/.ssh/id_rsa`)
password file

Burp, cURL or a programming language is preferable for retrieving the private key:

Use this SSH key to log in with ssh and get initial access:
On Windows Server

Use the following file to check for directory traversal: `C:\Windows\System32\drivers\etc\hosts`

In general, it is more difficult to leverage a directory traversal vulnerability for system access on Windows than on Linux. Additionally, sensitive files are often not easily found on Windows without being able to list the contents of directories. This means that to identify files containing sensitive information, we need to closely examine the web application and collect information about the web server, framework, and programming language. Reviewing the Microsoft documentation, we learn that the IIS logs are located at `C:\inetpub\logs\LogFiles\W3SVC1`. Another file we should always check when the target is running an IIS web server is `C:\inetpub\wwwroot\web.config`, which may contain sensitive information like passwords or usernames.
Bypass Techniques for Directory Traversal

1. Bypassing a filter using `URL Encoding`
Encode the dots, which are represented as `%2e`.

2. Absolute path bypass
Supply an absolute path instead of a relative path to bypass the filter.

3. Bypassing with nested traversal sequences such as `....//`
If the filter strips traversal sequences non-recursively, it can be bypassed with a nested traversal payload such as `....//`: stripping the inner `../` once leaves a `../` behind.

4. Bypass using double encoding

5. Bypassing validation of the start of the path
Some applications only check that the supplied path starts with an expected base directory, such as `/var/www/image/`; that prefix is used to make our payload pass the validation.

6. Bypassing file extension validation with a null byte
Sometimes the application does not permit a request without the expected file extension. It might be possible to use a null byte (`%00`) to effectively terminate the file path before the required extension.
NOTE: the `%00` trick was fixed and does not work with PHP 5.3.4 and above.

7. Bypass by changing the request method
Intercept the request with Burp Suite and change the request method.
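From the defender's side, the bypass forms listed above are exactly what a log review should look for. As an added Python example that is not part of these notes, the following script scans constructed access-log lines (Apache combined style; hosts, paths and timestamps are invented) for traversal sequences, URL-encoded and double-encoded dots, null bytes, and requests for the sensitive files named on this page, then counts the flagged requests that the server actually answered with HTTP 200. The function names and the regular expressions are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access-log lines; none of these hosts or requests are real.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /download?file=%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1843
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 403 0
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /download?file=....//....//....//etc/passwd HTTP/1.1" 200 1843
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /image?name=/var/www/image/../../../home/user/.ssh/id_rsa HTTP/1.1" 200 2602
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /image?name=report.pdf%00.png HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /static/css/site.css HTTP/1.1" 200 4100
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /files/summer..report.txt HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Judged against the fully decoded target. '../' also catches the nested
# '....//' form, because that string contains '../' inside it.
TRAVERSAL_RE = re.compile(r"\.\./|/\.\.$")
# Sensitive files named in these notes (plus the Linux password file).
SENSITIVE_RE = re.compile(r"/etc/passwd|/\.ssh/id_rsa|web\.config|drivers/etc/hosts", re.IGNORECASE)


def decode_fully(target: str, max_rounds: int = 3):
    """Percent-decode until the string stops changing. Returns the decoded
    target (backslashes folded to '/') and the number of rounds that changed
    it; more than one round means the request was double-encoded."""
    rounds = 0
    current = target
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current.replace("\\", "/"), rounds


def classify(target: str):
    """Return the list of reasons a request target looks like a traversal attempt."""
    decoded, rounds = decode_fully(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal sequence")
    if "\x00" in decoded:
        reasons.append("null byte")
    if rounds > 1:
        reasons.append("double encoding")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive path")
    return reasons


def scan_log(text: str):
    """Parse each log line and keep those whose target triggers at least one reason."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            findings.append({"client": m["client"], "status": int(m["status"]),
                             "target": m["target"], "reasons": reasons})
    return findings


def successful_by_client(findings):
    """Count flagged requests answered with 200: the ones where the file
    may actually have been disclosed and that need priority in triage."""
    return Counter(f["client"] for f in findings if f["status"] == 200)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['client']} {f['status']} {f['target']}  <- {', '.join(f['reasons'])}")
    print("flagged requests answered 200, per client:", dict(successful_by_client(hits)))
```

Decoding repeatedly before matching is what makes the `%2e` and `%252e` variants visible, and the status code separates probes that the filter blocked (403, 404) from reads that succeeded. The `summer..report.txt` line is included as a benign control: two dots inside a filename are not a traversal and must not be flagged.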