Directory Traversal, or Path Traversal, is an HTTP attack that lets attackers access restricted directories by using ../ sequences to step back into files or directories outside the web root. If a web application is vulnerable, an attacker may be able to read restricted files that contain information about all registered users of the system, their permissions, and their hashed passwords.
Depending on the permissions the web application runs with (read, write, or both), an attacker who exploits directory traversal may not only read sensitive files but also replace system files with their own.
In a web app that lets users download files, we can check for path traversal using the dot-dot-slash sequence (../). This is the GNU/Linux and Unix way of moving from the current directory to its parent. We navigate from the application's root directory (usually referred to as /app) back towards directories closer to the system files, e.g. /etc/passwd.
While the attack seems simple, it still affects apps and devices today. Recently, the security research team at ForeScout, a cybersecurity firm, investigated devices used in building automation system (BAS) networks to control energy-consuming equipment such as HVAC and lighting in buildings. A path traversal vulnerability was one of the many vulnerabilities found in those devices.
In this tutorial, we will turn a path traversal vulnerability in the deliberately vulnerable Google Gruyere web application into code execution. The tool we use is Burp Suite Community Edition. Burp is an intercepting proxy that acts as a man-in-the-middle, capturing every request to and from the target web app so that the pentester can read, edit, and replay individual HTTP requests to look for weak points and injection points.
To route your browser's traffic so that Burp can intercept HTTP and HTTPS requests to the web app, you must configure a proxy in your browser. The setting is usually found under "Proxy" or "Network Proxy". Set the HTTP proxy to 127.0.0.1 on port 8080; these are the default values Burp uses on startup.
Step 3: Enable Burp to capture requests from the web app
Keep the browser tab with the tested web app (in this case the Google Gruyere homepage) open and start Burp Suite. Create a temporary project (this is the only option available, as all other project types are reserved for Burp Suite Pro) and then select "Use Burp Defaults". Burp will run with its default proxy settings of 127.0.0.1:8080.
Step 5: Begin Mapping the Web App with Burp's Spider Tool
We use Burp's Spider to discover the contents of the web app. As we navigate through the web app, follow links, submit forms, and create an account, Spider records all the content and navigation paths in Burp to build a site map of the web app.
The browser tab should still be hanging, waiting for your action in Burp. Open the "Proxy" tab and you will see that the GET request to the Gruyere homepage has been intercepted. Right-click the GET request and click "Send to Spider".
Next, you will be asked whether you want to add the item to the Spider scope. Select "Yes" to add the web app's host to the target scope, so that Burp recognizes the app's links and begins parsing its content.
Then select "No" when prompted about proxy history logging. This keeps the scope wide, making it easier to find other targets: logging out-of-scope items can reveal other hosts that serve part of the web app, such as a separate web portal.
On the "Proxy" tab, click "Intercept is on" to disable interception (we no longer need it), and the Gruyere page should now load in the browser.
The Spider starts by requesting a web page, parsing it for links to content, requesting those links, and repeating this process recursively for every link found in the web app. Burp's "Target" tab builds the site map from what it finds.
The Spider will also prompt you for form logins so that it can map content recursively. You could complete these prompts in Burp Suite; instead, we will create a user directly in the browser and log in from there, to get a better picture of what is available on the user's home page.
Step 6: Identifying Features in the Web Application
While the Spider is actively discovering content and parsing every page you visit, it is time to find out which features a user of the web app can access. To do this, click "Sign in" and create an account. The goal is to explore the web app manually as a normal user while Burp's Spider runs in the background and collects all the paths you visit.
Step 7: Finding a Path to the Parent Directory
Once you have created a user account and signed in, you are greeted by a UI with a navigation bar for creating snippets, viewing snippets, and uploading files. In this tutorial, we focus on the web app's upload feature, because it contains a path traversal vulnerability that leads to code execution.
Click "Upload", then upload any file of your choice to the application. In my case, I uploaded a JPG image of a cat. Gruyere serves this file through a path that follows a basic username/filename naming convention:
You will find a link to your uploaded file next to the "File accessible at" label.
Copy the file link into your browser's URL bar. This is where you can play around with it to look for a path traversal vulnerability. Append ../secretfile to the file's URL (see below). If the URL does not end with a / (slash), insert one before ../secretfile.
https://google-gruyere.appspot.com/611736743737724261985693574747/test/cat.jpg/../secretfile
After pressing Enter, an error should be displayed, because the secret file cannot be found in the current directory. Now try the parent directory of the app: the URL resolves to site.com/username/secretfile.
This shows that the application does not strip the ../ characters but interprets them and traverses to the parent directory. Some web apps delete ../ characters from input and do not allow walking back to parent directories.
Exploiting File Uploads with Path Traversal
Serving uploaded content at username/file, combined with users being able to traverse directories using ../ characters, is the perfect candidate for a path traversal vulnerability.
Because the web app honors ../ and lets the user move up to parent directories (a path traversal in the file upload feature), an attacker can replace a file that is important to the web application's infrastructure.
Depending on the file uploaded, path traversal can be turned into code execution. To find out what kind of file to upload to trigger code execution, check the Spider to see how the web app is mapped.
Step 8: Analyze the Source Code in Important Files
Go back to Burp and check the "Site map" tab in the "Target" section. The Spider should have parsed many paths, because you navigated the web app manually. There is a very interesting "code" directory containing a file called "gruyere.py", as well as many other Python and GTL files, as shown in the figure below.
Note that some of the GTL files in the resources directory are named after the features that appear in the user's navigation bar when you are logged in to Gruyere. The login.gtl, newsnippet.gtl, and upload.gtl files correspond to logging in, creating snippets, and uploading files to Google Gruyere.
Reading the Python file gruyere.py (shown below) reveals the logic that runs the server in a while loop. The loop keeps handling requests until the quit_server condition is met, which happens when a user navigates to /quitserver.
Another interesting Python file is gtl.py. Reading its code, it appears to be the Python file that implements the GTL template language used by files with the .gtl extension. This can be seen at the beginning of the multi-line comment, opened with a triple quotation mark (""") in Python: "Gruyere Template Language. Part of Gruyere, a web application with holes."
Having discovered these files, we know that Gruyere is a web app that uses a template language called GTL, implemented by the Python file gtl.py, which holds the whole logic for files ending in .gtl.
Thinking like an attacker: if we could overwrite the gtl.py file, we could rewrite the site's infrastructure and thus control the application. To replace gtl.py, we can use the file upload feature to upload our own gtl.py. Create a .py file and name it ../gtl.py.
Note that naming files with characters like ../ triggers an error on Windows and macOS. This can be bypassed by creating a user named .. (two dots) on Gruyere. Then, from the .. user's account, upload our own gtl.py and restart the web application by navigating to /quitserver in the URL bar. If you remember, we discovered /quitserver when the Spider found the file gruyere.py.
Because Gruyere is a deliberately vulnerable web application, the server displays a "Gruyere System Alert" warning. The server is restarted and has been "0wnd".
Real-World Code Execution Can Be Worse
A real-world case of successful code execution would do much more harm. Take, for example, the recent news of remote code execution in the package manager used to update and install software on Debian, Ubuntu, and other popular GNU/Linux distributions.
Ways to Prevent a Path Traversal Vulnerability in a File Upload
Fixing this requires addressing both the path traversal and the unrestricted file upload.
First, to prevent path traversal, a web app should avoid reading files dynamically based on user input. Second, to prevent malicious files from being uploaded, it should enforce a strict whitelist of what content, file types, and file names may be uploaded.
Cover image, screenshots, and GIFs by Ginsa0x8/Null Byte
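The following is an added example, not Gruyere's code or part of the original tutorial. It contrasts the naive path join that the ../secretfile test exposed with a hardened upload handler that applies the two fixes above (no user-controlled traversal, strict whitelist) and also rejects the ".." username trick. The upload root and the allowed extensions are assumptions made for this example.

```python
import posixpath
import re

# Constructed layout modelled on Gruyere's username/filename convention; the
# root path is an assumption for this example, not Gruyere's real location.
UPLOAD_ROOT = "/srv/gruyere/uploads"
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}
# One path component: alphanumeric first character, then a bounded set of
# characters. No '/', no leading '.', so neither '..' nor '../gtl.py' matches.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_upload_path(username: str, filename: str) -> str:
    """Naive join, as the traversal test in the tutorial suggests Gruyere does:
    '../' in either component walks out of the user's directory."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, username, filename))


def safe_upload_path(username: str, filename: str):
    """Hardened version: whitelist both components and the extension, then
    confirm the resolved path is still inside the user's own directory.
    Returns the path to serve, or None when the request must be rejected."""
    if not (SAFE_COMPONENT.match(username) and SAFE_COMPONENT.match(filename)):
        return None  # rejects '..' usernames and '../gtl.py' filenames
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return None  # rejects gtl.py even when the name itself is clean
    user_dir = posixpath.join(UPLOAD_ROOT, username)
    target = posixpath.normpath(posixpath.join(user_dir, filename))
    # Defence in depth: an independent containment check on the final path.
    if posixpath.commonpath([user_dir, target]) != user_dir:
        return None
    return target


if __name__ == "__main__":
    for user, name in [("test", "cat.jpg"), ("test", "../secretfile"),
                       ("test", "../gtl.py"), ("..", "gtl.py")]:
        print(f"{user}/{name}: naive -> {vulnerable_upload_path(user, name)}, "
              f"hardened -> {safe_upload_path(user, name)}")
```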