Path Traversal (also known as directory traversal or the "dot dot slash" attack) is a web security vulnerability that lets an attacker read operating system resources (e.g. local files on the machine serving an application).
The attacker exploits it by manipulating the file path the web application takes from its URL (or any other request parameter) so that it resolves to files or directories stored outside the directory the application intended to expose.
Path traversal vulnerabilities occur when user input is passed, without proper validation, to a filesystem function such as `file_get_contents` in PHP.
> [!tip]
> `file_get_contents` is not the main contributor to the vulnerability; it is merely the sink, and any other function that opens a path behaves the same way. The actual cause is almost always missing or poor validation and filtering of the user-controlled path.
Example
Let's say we have an endpoint that returns the contents of a file named in the query string:
http://webapp.com/get.php?file=CV.pdf
We can test the `file` query parameter by substituting traversal payloads for the expected filename and watching how the application behaves:
http://webapp.com/get.php?file=../../../../etc/passwd
If there is no input validation, we may be lucky enough to retrieve files from other directories: each `../` moves one directory up from wherever the application concatenates the parameter, and once the filesystem root is reached any extra `../` segments are simply ignored, so over-shooting the number of levels is harmless. As a result, the web application sends the file's contents back to the user.
Example (Windows)
If the application runs on a Windows server, the same attack works but the interesting files live under Windows paths. Windows accepts both `/` and `\` as separators, so a filter that only strips `../` can often be bypassed with `..\`. For example:
http://webapp.com/get.php?file=../../../../boot.ini
http://webapp.com/get.php?file=../../../../Windows/win.ini
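To make the two examples above concrete, here is an added example (not code from the original page) that reimplements the `get.php?file=` lookup in Python, since the vulnerable pattern is identical in any language. It shows the unvalidated read leaking a file two directories above the served folder, then a hardened lookup that resolves the final path and checks it is still inside the intended root. The directory layout, the secret file and its contents are constructed for the demo; the percent-encoded and backslash payloads cover the Windows case described above.

```python
"""Vulnerable vs. hardened handling of a user-supplied file name.

Added example, not code from the original page: a Python stand-in for the
get.php?file=... endpoint so the traversal can be demonstrated offline.
The directory layout, file names and file contents are constructed here.
"""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_read(root: str, user_file: str) -> bytes:
    """Mirrors file_get_contents($root . '/' . $_GET['file']): no validation."""
    with open(root + "/" + user_file, "rb") as fh:
        return fh.read()


def safe_read(root: str, user_file: str) -> bytes:
    """Resolve the requested name and refuse anything that leaves `root`.

    Blocklisting "../" is the classic mistake; instead resolve the final
    path (symlinks included) and compare it against the resolved root.
    """
    # Judge the decoded form so ..%2f / ..%5c payloads are not waved through.
    decoded = unquote(user_file)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in file name")
    # Treat backslashes as separators too, as a Windows host would.
    decoded = decoded.replace("\\", "/")
    real_root = os.path.realpath(root)
    # join() discards real_root if `decoded` is absolute; the check below
    # still rejects that because the result is not under real_root.
    target = os.path.realpath(os.path.join(real_root, decoded))
    # commonpath avoids the "/srv/app" vs "/srv/app-old" prefix trap that a
    # plain startswith() comparison would fall into.
    if os.path.commonpath([real_root, target]) != real_root:
        raise PermissionError(f"{user_file!r} resolves outside {real_root}")
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    with open(target, "rb") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Create <tmp>/app/files/CV.pdf plus <tmp>/secret.txt outside the root."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(base, "app", "files")
    os.makedirs(root)
    with open(os.path.join(root, "CV.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed demo CV\n")
    # Stands in for /etc/passwd: two levels above the served directory.
    with open(os.path.join(base, "secret.txt"), "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/bash\n")
    return root


def run_demo() -> dict:
    """Exercise both readers with a legitimate name and traversal payloads."""
    root = build_demo_tree()
    payloads = ["../../secret.txt", "..%2F..%2Fsecret.txt", "..\\..\\secret.txt"]
    outcome = {"legit": safe_read(root, "CV.pdf").startswith(b"%PDF")}
    # The unvalidated reader happily serves the file outside the root.
    outcome["vulnerable_leaks"] = vulnerable_read(root, payloads[0]).startswith(b"root:")
    blocked = []
    for payload in payloads:
        try:
            safe_read(root, payload)
            blocked.append(False)
        except PermissionError:
            blocked.append(True)
    outcome["hardened_blocks_all"] = all(blocked)
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The important design choice is that the hardened version never tries to enumerate bad substrings: it lets the operating system resolve the path and then asks one question, "is the result still under the root I meant to serve?". That single check also covers absolute paths, symlinks pointing outside the root, and encoding tricks, provided the comparison is made on the fully decoded and resolved form.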
Useful files to look for
Linux
- `/etc/issue` - contains a message or system identification printed before the login prompt
- `/etc/profile` - controls system-wide default variables, such as `export`s, the file creation mask (`umask`), terminal types, and mail messages indicating when new mail has arrived
- `/proc/version` - specifies the version of the Linux kernel
- `/etc/passwd` - lists all user accounts registered on the system; it is world-readable, which makes it the standard proof-of-concept target
- `/etc/shadow` - contains the users' password hashes; it is readable only by root, so retrieving it also shows the web server runs with excessive privileges
- `/root/.bash_history` - contains the command history of the root user
- `/var/log/dmesg` - contains kernel ring-buffer messages, including those logged during system startup
- `/var/mail/root` - all emails for the root user
- `/root/.ssh/id_rsa` - private SSH key of root; the equivalent for any other known valid user is `/home/<user>/.ssh/id_rsa`
- `/var/log/apache2/access.log` - the requests served by the Apache web server
Windows
- `C:\boot.ini` - contains the boot options on legacy Windows versions (NT, 2000, XP, Server 2003) that boot from BIOS firmware; Vista and later keep this configuration in the BCD store instead, so its absence does not mean the traversal failed
- `C:\Windows\win.ini` - legacy initialisation file that is present on every Windows version, which makes it a reliable first read test