Posts
Path Traversal Vulnerability?
Also known as Directory traversal,
a web security vulnerability allows an attacker to read operating
system resources, such as local files on the server running an
application. The attacker exploits this vulnerability by manipulating
and abusing the web application's URL to locate and access files or
directories stored outside the application's root directory. We can
test out the URL parameter by adding payloads to see how the web
application behaves. Path traversal attacks, also known as the dot-dot-slash attack, take advantage of moving the directory one step up using the double dots ../. If the attacker finds the entry point, which in this case get.php?file=, then the attacker may send something as follows, http://webapp.thm/get.php?file=../../../../etc/passwd Suppose there isn't input validation, and instead of accessing the PDF files at /var/www/app/CVs location, the web application retrieves files from other directories, which in this case /etc/passwd. Each .. entry moves one directory until it reaches the root directory /. Then it changes the directory to /etc, and from there, it read the passwd file. As a result, the web application sends back the file's content to the user. Similarly,
if the web application runs on a Windows server, the attacker needs to
provide Windows paths. For example, if the attacker wants to read the boot.ini file located in c:\boot.ini, then the attacker can try the following depending on the target OS version: http://webapp.thm/get.php?file=../../../../boot.ini or http://webapp.thm/get.php?file=../../../../windows/win.ini The same concept applies here as with Linux operating systems, where we climb up directories until it reaches the root directory, which is usually c:\. Sometimes, developers will add filters to limit access to only certain files or directories. Below are some common OS files you could use when testing. /etc/issue /etc/profile controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived /proc/version /etc/passwd /etc/shadow /root/.bash_history contains the history commands for root user /var/log/dmessage /var/mail/root all emails for root user /root/.ssh/id_rsa /var/log/apache2/access.log the accessed requests for Apache webserver C:\boot.ini
Path traversal vulnerabilities occur when the user's input is passed to a function such as file_get_contents in PHP.
It's important to note that the function is not the main contributor to
the vulnerability. Often poor input validation or filtering is the
cause of the vulnerability
In PHP, you can use the file_get_contents to read the content of a file. You can find more information about the function here.
Location Description contains a message or system identification to be printed before the login prompt. specifies the version of the Linux kernel has all registered user that has access to a system contains information about the system's users' passwords contains global system messages, including the messages that are logged during system startup Private SSH keys for a root or any known valid user on the server contains the boot options for computers with BIOS firmware
