With all the web applications available on the Internet today, especially ones created and configured by novices, vulnerabilities are easy to find. Some are more dangerous than others, but the consequences of even the slightest weakness can be enormous in the hands of an experienced hacker. Directory Traversal is a relatively simple attack, but it can be used to expose sensitive information on a server.
In addition to HTML and CSS, modern web applications and web servers usually contain a whole range of other files, including scripts, images, templates, and configuration files. A web server usually prevents users from accessing anything above the web document root on the server's file system by using access control methods such as ACLs.
Directory traversal attacks occur when a misconfiguration provides access to directories above the web root, so that an attacker can view or modify system files. This type of attack is also referred to as Path Traversal, Directory Climbing, Backtracking, or Dot-Dot-Slash (../) because of the characters used.
Climbing the Directory
Directory Traversal vulnerabilities can be found by testing HTTP requests, forms, and cookies, but the easiest way to see whether an application is vulnerable to this type of attack is simply to check whether a URL uses a GET query. A GET request carries its parameters directly in the URL and would look something like this:
It takes a bit of guessing, but sometimes sensitive information can also be exposed by climbing the directory tree. The cd command is used to change directories, and when used with two dots (cd ..) it switches to the parent directory, i.e. the directory above the current one.
By appending ../ directly to the file path in the URL, we can try switching to higher directories to view system files and information that was never meant to be reachable from the Web. We can start by trying to go up a few levels to reach /etc/passwd, but we can see that this causes some errors:
We finally hit paydirt, and the contents of /etc/passwd are displayed directly in the browser:
The file /etc/passwd contains information about users on the system, e.g. usernames, user IDs, home directories, and password information (though this field is usually set to x or *, because the actual password hashes are usually stored elsewhere).
Other interesting files include /etc/group, which contains information about the groups to which users belong:
The /etc/profile file, which defines the umask and default variables for users:
The /etc/issue file, which contains system information or a message displayed at login:
The /proc/version file, which lists the Linux kernel version in use:
The /proc/cpuinfo file, which contains CPU and processor information:
And the /proc/self/environ file, which contains information about the current thread, including certain environment variables:
Directory Traversal works similarly on other operating systems, but there are minor differences involved. For example, Windows uses the backslash as the directory separator, and the root directory is a drive letter (often C:). Windows has several important files to look for:
- C:\Windows\repair\system
- C:\Windows\repair\SAM
- C:\Windows\win.ini
- C:\boot.ini
- C:\Windows\system32\config\AppEvent.Evt
Of course, there are many more files that could contain interesting things, so once system-level access is obtained it would make sense to read those out as well.
Encoding and circumventing file restrictions
In certain situations, such as when a web application filters special characters, encoding the input can bypass input validation and make the attack succeed. We have seen this used in other attacks such as SQL injection, but the same kind of technique can be applied to directory traversal as well.
The two main encoding methods normally used are URL encoding and Unicode encoding. On Unix systems, which use forward slashes, the URL encoding of the string ../ would look like one of these:
- %2e%2e%2f
- %2e%2e/
- ..%2f
Unicode encoding for the same string:
..%c0%af
On Windows systems, which typically use backslashes, the URL encoding of ..\ would look like one of these:
- %2e%2e%5c
- %2e%2e\
- ..%5c
Unicode encoding for the same sequence:
..%c1%9c
Often an application will only serve a specific file type, for example only pages ending in .php or only PDF documents. We can work around this limitation by appending a NULL byte to the request to terminate the file name, as follows:
http://examplesite.com/?file=topsecret.pdf%00
Preventing Directory Traversal
While Directory Traversal can be a devastating attack for an administrator, it is fortunately relatively easy to protect against. Most important is to use appropriate access control lists and to make sure the right file permissions are set. Unless absolutely necessary, avoid storing sensitive information or configuration files in the web document root. If there is nothing of importance on the server to begin with, the impact of an attack is greatly reduced.
As with most other web configurations, another important step is to ensure that proper input validation is used. Where possible, it is best to avoid using user input in file system operations entirely. A positive list (whitelist) of allowed files or file types can be used as an additional measure to minimize the risk of an attacker exploiting misconfigurations.
One more thing that can be done (especially if an administrator wants to go above and beyond) is to actually test whether their application is vulnerable to Directory Traversal. It is easy enough to try these procedures manually, but there are tools that can automate most of the tests, such as DirBuster, ZAP, and DotDotPwn.
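The following is an added example (not code from the original post) that ties the encoding section and the prevention advice above together: it decodes a raw "file" parameter the way a lax server would end up seeing it (repeated percent-decoding, the overlong UTF-8 forms ..%c0%af and ..%c1%9c, and the %00 trick), flags the request for detection purposes, and then shows the hardened path check with a positive list of file types. The document root, the allowed suffixes, and the request values are constructed for the demonstration.

```python
import posixpath
import urllib.parse
from typing import Optional

# Hypothetical document root and positive list of servable file types.
WEB_ROOT = "/var/www/html"
ALLOWED_SUFFIXES = (".pdf", ".html")


def canonicalize(raw: str) -> str:
    """Decode a user-supplied file parameter as a lax server might: repeated
    percent-decoding (catches double encoding such as %252e), the overlong
    UTF-8 forms of '/' (C0 AF) and backslash (C1 9C), and backslashes folded
    to forward slashes. NULL bytes are kept so callers can reject them."""
    data = raw.encode("latin-1")
    for _ in range(3):  # stop once nothing is left to decode
        nxt = urllib.parse.unquote_to_bytes(data)
        if nxt == data:
            break
        data = nxt
    data = data.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return data.decode("latin-1").replace("\\", "/")


def classify(raw: str) -> str:
    """Detection view: label a raw file parameter as seen in a log or WAF."""
    canon = canonicalize(raw)
    if "\x00" in canon:
        return "null-byte"
    if ".." in canon.split("/"):
        return "traversal"
    return "ok"


def safe_path(raw: str, root: str = WEB_ROOT) -> Optional[str]:
    """Mitigation view: return the absolute path to serve, or None when the
    request has a NULL byte, climbs above root, or is not an allowed type."""
    canon = canonicalize(raw)
    if "\x00" in canon or ".." in canon.split("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, canon.lstrip("/")))
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None  # defence in depth: resolved path left the document root
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None  # positive list of file types, checked after NULL rejection
    return candidate


if __name__ == "__main__":
    for value in ("report.pdf", "%2e%2e%2f%2e%2e%2fetc/passwd",
                  "..%c0%af..%c0%afetc/passwd", "topsecret.pdf%00.html"):
        print(f"{value!r:32} {classify(value):10} {safe_path(value)}")
```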
Directory traversal allows an attacker to exploit security misconfigurations in order to view or modify sensitive information. It is one of the simpler attacks that can be performed, but the results can be catastrophic, especially if personal or financial data is captured, or if important information about the server is compromised and used as a pivot. As you can see, in the world of hacking, information is king.