A7 – Directory Traversal – Files (Level: Low/Medium)
Hello cyberman,
This article covers the directory traversal vulnerability for files. It is an old type of vulnerability, but it is still effective.
What Is Directory Traversal?
Also known as file path traversal, this vulnerability allows an attacker to read files on the server through the website, including files the website was never meant to expose.
What Can Be Done With This Vulnerability?
What can be done with it varies depending on the attacker's objective.
For example: by reading the files, the attacker can make phone calls posing as the IT employee responsible for the server and obtain sensitive information, such as FTP credentials, from the victim.
For example: the attacker can read the files and download a specific file he wants, because the file paths are visible from the page.
In summary: it varies according to the attacker's plan and effort.
Directory Traversal Detection
Look for areas of a website that display files.
For example: when a photo is displayed, go to the image source and apply navigation sequences ("../", the equivalent of "cd .." in a shell) to the file path.
Let's work through an example on the vulnerable bWAPP machine designed by the ITSec Group.
First, select "A7 – Directory Traversal – Files" in bWAPP. The note "Try to climb higher Spidy." will then appear.
A clue has been given to us in the red area in the picture above.
As can be seen from "directory_traversal_1.php?page=message.txt" in the URL, a file name is passed to a parameter named "page", and the contents of that file are displayed.
Think Different!
If a file name is passed in a parameter, another file on the system can be read through it!
Then there is only one thing to do: identify the server operating system with tools such as "Nikto", and enter the paths needed to reach its files.
I know this system is an Ubuntu derivative. Therefore, I will enter "../../etc/passwd" as the value.
The file path is entered as in the picture above. (See the red area.)
When I entered the new value in the variable (page) from which the file was taken, it reported that the file could not be found.
I will try again.
I think the "passwd" file could be two more folders up, so I entered the value "../../../../etc/passwd".
Bingo! I found it.
In the picture above, the output of the value entered in the red field is seen in the black field.
If I had planted a malicious PHP file on the system and wanted to open a backdoor with a reverse shell, I could have navigated the file system the same way to find its path.
Let’s Make the Difficulty Level Medium
Now let's try the same input again.
But this time the system detected it and blocked it.
For this reason, I tried as follows:
“../etc/passwd”
“../../etc/passwd”
“../../../etc/passwd”
When I tried the above, the system detected it and blocked it.
“./etc/passwd”
“./././etc/passwd”
When I used single dots as above, it reported "File Not Found."
And it reported "Directory traversal detected!" when I tried URL encoding:
"..%2F..%2F..%2F..%2Fetc%2Fpasswd"
But it still detected it.
Instead of trying one by one like this, I used the ready-made tool "DotDotPwn".
When I ran the command, it reported many findings; after waiting a while, I saw that it produced the output when "/etc/passwd" was entered.
Try again…
And we found…
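The medium level above behaves like a substring blocklist: values containing "../" are rejected, single dots pass through to a "File Not Found", and the absolute path "/etc/passwd" is served. The following Python is an added example (not bWAPP's code, and not the author's) that contrasts such a naive filter with the check a defender should use instead: decode the parameter, resolve it against the document root, and require the canonical path to stay inside that root. The document root "/srv/app/docs" and the naive filter are assumptions made for the demonstration; the inputs are the ones tried in this walkthrough.

```python
import os
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed document root for the example; the real application's root is unknown.
DOC_ROOT = "/srv/app/docs"


def naive_blocklist(page: str) -> bool:
    """Illustrative weak filter (an assumption, not bWAPP's code): reject the value
    only when the literal sequence '../' is present after the single URL-decoding a
    web server performs. Returns True when the value is allowed."""
    return "../" not in unquote(page)


def resolve_in_root(page: str, root: str = DOC_ROOT) -> Optional[str]:
    """Canonical-path containment check. Returns the requested path relative to
    root when it stays inside root, otherwise None (request should be rejected)."""
    decoded = unquote(unquote(page))            # tolerate double URL encoding
    if "\x00" in decoded or os.path.isabs(decoded):
        return None                             # NUL truncation / absolute paths
    root_real = os.path.realpath(root)
    # realpath collapses every "." and ".." and follows symlinks, so the
    # containment test below is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if not candidate.startswith(root_real + os.sep):
        return None                             # escaped the document root
    return os.path.relpath(candidate, root_real)


def compare(page: str) -> Tuple[bool, bool]:
    """(allowed by the naive blocklist, allowed by the containment check)."""
    return naive_blocklist(page), resolve_in_root(page) is not None


if __name__ == "__main__":
    # Inputs from the walkthrough above, constructed here as a list for the demo.
    for value in ["message.txt", "../../../../etc/passwd", "./././etc/passwd",
                  "..%2F..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd"]:
        naive_ok, contained = compare(value)
        print(f"{value:40} naive={naive_ok!s:5} contained={contained}")
```

The blocklist lets "/etc/passwd" through, exactly the gap found above, while the containment check rejects it along with every "../" variant, and still serves "./././etc/passwd" as "etc/passwd" under the root, where the web server will simply return a 404. Rejecting absolute paths and the NUL byte up front covers two further bypasses that a substring filter never sees.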
In summary, this vulnerability can be discovered with the "DotDotPwn" tool.
Example usage: "dotdotpwn -h [web_address] -m [http_or_https]"
That is its basic usage; it has a wide variety of options.
For example: automatic detection of the operating system.
You can also send the GET request through tools such as Burp Suite, try a ready-made list like the examples above, and check the outputs.
This vulnerability may be old, but 6 years ago it was useful for downloading people's pictures on Instagram, even from private accounts!
Have a nice day with lots of informatics 🙂