🛠️ Directory traversal

Theory
Directory traversal (or Path traversal) is a vulnerability that allows an individual to read arbitrary files on a web server. Inputs that are not validated by the back-end server may be vulnerable to payloads such as "../../../". Using this method, an attacker can go beyond the root directory of the website, thus reaching arbitrary files hosted on the web server (/etc/passwd, /etc/hosts, c:/boot.ini, etc.).
Notes
Some details are important to know beforehand.
Path separator
As the Owasp mentions, each operating system uses different characters as a path separator.
Unix-like OS:
root directory: "/"
directory separator: "/"
Windows OS' Shell':
root directory: "<drive letter>:\"
directory separator: "\" or "/"
Classic Mac OS:
root directory: "<drive letter>:"
directory separator: ":"
Windows
Files and directories are case-insensitive, so there's no need to try different payloads based on case sensitivity. Also, one has to make sure that the payloads don't use a fixed drive letter ("C:"), but more ("D:", "E:"...).
Directory traversal could lead to Remote Code Execution (RCE).
Practice
Tool
The tool dotdotpwn (Perl) can help in finding and exploiting directory traversal vulnerabilities by fuzzing the web app. However, manual testing is usually more efficient.
# With a request file where /?argument=TRAVERSAL (request file must be in /usr/share/dotdotpwn)
dotdotpwn.pl -m payload -h $RHOST -x $RPORT -p $REQUESTFILE -k "root:" -f /etc/passwd
​
# Generate a wordlist in STDOUT that can be used by other fuzzers (ffuf, gobuster...)
dotdotpwn -m stdout -d 5
Manual testing
Reconnaissance
The first step is to find what kind of system is used (Linux, Windows...). One could do that by checking on which web technology is used (some technologies run on Linux while others run on Windows).
Next, finding the right parameter to inject is essential. Usually, a vulnerable parameter is one that requires a file that will be fetched by the back-end server using a path (form parameters, cookies...).
# Example
http://example.com/getItem.jsp?item=file.html
Then, to construct a payload, it's interesting to have a set of important files to search:
​Linux (PayloadsAllTheThings)​
​Windows (PayloadsAllTheThings)​
Filter bypass
Various filters could be set for a web application (using a Web Application Firewall for example). A set of bypass payloads can be found in PayloadsAllTheThings.
User privilege
​soffensive.com:
If you can successfully retrieve one of the following files, you are at least a member of the Administrators group:
    c:/documents and settings/administrator/ntuser.ini
    c:/documents and settings/administrator/desktop/desktop.ini
    c:/users/administrator/desktop/desktop.ini
    c:/users/administrator/ntuser.ini
There may be no "administrator" account, you have to guess the right one in that case.
If you can read either of these files, the file reading process has LocalSystemprivileges.
    c:/system volume information/wpsettings.dat
    C:/Windows/CSC/v2.0.6/pq
    C:/Windows/CSC/v2.0.6/sm
    C:/$Recycle.Bin/S-1-5-18/desktop.ini
References
PayloadsAllTheThings/Directory Traversal at master · swisskyrepo/PayloadsAllTheThings
GitHub
Testing Directory traversal/file include (OTG-AUTHZ-001) | Owasp Testing Guide v4
What is directory traversal, and how to prevent it? | Web Security Academy
WebSecAcademy
https://www.soffensive.com/posts/web-app-sec/2018-06-19-exploiting-blind-file-reads-path-traversal-vulnerabilities-on-microsoft-windows-operating-systems/
www.soffensive.com
🛠️ Arbitrary file download
🛠️ Null-byte injection
Last modified 1yr ago