Difference between revisions of "Kali Linux: Web Directory Traversal Vulnerability"
Onnowpurbo (talk | contribs) (Created page with "A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, such that characters repres...") |
Onnowpurbo (talk | contribs) |
||
Line 34: | Line 34: | ||
However, in more recent Unix systems, the passwd file does not contain the hashed passwords. They are, instead, located in the shadow file which cannot be read by unprivileged users on the machine. It is however, still useful for account enumeration on the machine, as it still displays the user accounts on the system. | However, in more recent Unix systems, the passwd file does not contain the hashed passwords. They are, instead, located in the shadow file which cannot be read by unprivileged users on the machine. It is however, still useful for account enumeration on the machine, as it still displays the user accounts on the system. | ||
+ | |||
+ | |||
+ | ==Lebih Parah Lagi== | ||
+ | |||
+ | sudo su | ||
+ | chmod 644 /etc/passwd |
Revision as of 10:39, 1 June 2018
A directory traversal (or path traversal) consists in exploiting insufficient security validation / sanitization of user-supplied input file names, such that characters representing "traverse to parent directory" are passed through to the file APIs.
The goal of this attack is to use an affected application to gain unauthorized access to the file system. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.
Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.
A typical example of vulnerable application in PHP code is:
<?php $template = 'red.php'; if (isset($_COOKIE['TEMPLATE'])) $template = $_COOKIE['TEMPLATE']; include ("/home/users/phpguru/templates/" . $template); ?>
An attack against this system could be to send the following HTTP request:
GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Generating a server response such as:
HTTP/1.0 200 OK Content-Type: text/html Server: Apache root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh daemon:*:1:1::/tmp: phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
The repeated ../ characters after /home/users/phpguru/templates/ has caused include() to traverse to the root directory, and then include the Unix password file /etc/passwd.
Unix /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.
However, in more recent Unix systems, the passwd file does not contain the hashed passwords. They are, instead, located in the shadow file which cannot be read by unprivileged users on the machine. It is however, still useful for account enumeration on the machine, as it still displays the user accounts on the system.
Lebih Parah Lagi
sudo su chmod 644 /etc/passwd