
How to use a Directory Traversal code execution executable «Null Byte :: WonderHowTo



Directory traversal, also called path traversal, is an HTTP attack in which an attacker uses ../ sequences to reach files or directories outside the web root. If a web application is vulnerable, an attacker may be able to read restricted files that contain information about all registered users of the system, their permissions, and their encrypted passwords.

Depending on the permissions the web application grants its users, such as read and write access, an attacker can use directory traversal not only to read sensitive files but also to overwrite system files with their own.

In a web app that lets users download files, we can test for path traversal using the dot-dot-slash sequence (../). On GNU/Linux and Unix systems, ../ refers to the parent of the current directory. We navigate from the root directory of the app (usually referred to as /app) back up toward directories closer to the system files, for example /etc/passwd.

When you browse such a web application, the URL might look like this:

  http://shopping-site.com/get-files.php?file=clothing

You can test for a path traversal vulnerability by using ../ to climb up to a system-critical directory and requesting a file from it:

  http://shopping-site.com/get-files?file=../../../../etc/passwd

While the attack seems simple, it still affects apps and devices today. Recently, the security research team at ForeScout, a cybersecurity firm, investigated devices used in building automation system (BAS) networks to control energy-consuming equipment such as HVAC and lighting in buildings. A path traversal vulnerability was one of the many vulnerabilities found in those devices.

In this tutorial, we will turn a path traversal vulnerability in the deliberately vulnerable Google Gruyere web application into code execution. The tool we use is Burp Suite Community Edition. Burp is an intercepting proxy that sits as a man-in-the-middle, capturing every request to and from the target web app so that the pentester can read, edit, and replay individual HTTP requests while looking for weak points and injection points.

Step 1: Visit Google Gruyere in your browser.

Before you begin configuring proxy settings, setting up Burp Suite, and starting Gruyere, first open the Gruyere homepage in your web browser. Do not click on anything yet; we will agree to the terms and start the session in a later step.

Step 2: Configure your browser for Burp Suite

If you do not have Burp Suite on your computer, you can download and install it on macOS, Linux, and Windows. On Kali Linux, the Community Edition is already installed. You then need to download Burp's CA certificate and configure your browser to forward traffic to Burp's proxy. PortSwigger, the company behind Burp Suite, has excellent instructions on setting up the CA certificate that you can follow.

To let Burp intercept HTTP and HTTPS requests from a web app, you must configure your browser's proxy settings, which are usually found under "Proxy" or "Network Proxy". Set the HTTP proxy to 127.0.0.1 on port 8080; these are the default values Burp uses on startup.

This is what the proxy settings should look like in Firefox.

Step 3: Enable Burp to capture requests from the web app

Keep your browser open on the web app under test (in this case the Google Gruyere homepage) and start Burp Suite. Create a temporary project (this is the only choice, since all other options are reserved for Burp Suite Pro) and then select "Use Burp Defaults". Burp will start with the default proxy settings of 127.0.0.1:8080.

Step 4: Agree and Start Your Gruyere Session

Now it's time to return to the Gruyere home page, which we opened in Step 1, and agree and start a session. Nothing will happen yet: by default, Burp's "Proxy" tab is set to "Intercept", which means the web app will "hang" in the browser as if it were still loading while it waits for Burp to either forward, drop, or respond to the request.

Step 5: Begin mapping the web app with Burp's Spider tool

We use Burp's Spider to crawl the contents of the web app. As we navigate through the web app, follow links, submit forms, and create an account, Spider records all of the web app's content and navigation paths in Burp to build a site map of the app.

The browser tab should still be hanging, waiting for your action in Burp. Open the "Proxy" tab and you will see that the GET request to the Gruyere homepage has been captured. Right-click the GET request and click "Send to Spider".

Next, you will be asked whether to add the item to the Spider scope. Select "Yes" to add the web app's host to the target scope so that Burp recognizes the app's links and begins parsing its content.

Then select "No" when prompted about Proxy History Logging. This keeps the scope wide, making it easier for you to find other targets. Sending out-of-scope items may lead to discovering other portals that host part of the web app, such as a web portal.

On the "Proxy" tab, click "Intercept is on" to turn interception off (we no longer need it), and the Gruyere page should now load in the browser.

The Spider starts by requesting a web page, parsing it for links, requesting those links, and repeating the process recursively for every link found in the web app. Burp's "Target" tab builds a site map from what it finds.

The Spider will also prompt you with form logins while recursively mapping content. You do not need to complete these prompts in Burp Suite; instead, we create a user directly in the browser and log in from there to get a better picture of what is available on the user's home page.

Step 6: Identifying Features in the Web Application

While the Spider is actively discovering content and analyzing every page you visit, it's time to figure out what features a user can access in the web app. To do this, you must first create an account: click "Sign in" and create an account. The goal is to explore the web app manually as a normal user would, while Burp's Spider runs in the background and collects every path you visit.

Step 7: Finding a Path to the Parent Directory

Once you have a user account and are signed in, you are greeted by a UI with a navigation bar for, among other things, creating snippets, viewing snippets, and uploading files. In this tutorial we focus on the web app's upload functionality, because that is where the path traversal leading to code execution lives.

Click "Upload" and upload any file you like to the application. In my case, I uploaded a JPG image of a cat. Gruyere serves the file through a path that follows this basic naming convention:

  site.com/username/file 

The link to your uploaded file is shown next to the "Accessible to File" label.

Copy the file link into your browser's URL bar. Here you can play around with it to look for a path traversal vulnerability. Append ../secretfile to the file's URL (see below). If the URL does not end with a / (slash), insert one before ../secretfile.

  https://google-gruyere.appspot.com/611736743737724261985693574747/test/cat.jpg/../secretfile

After pressing Enter, an error should be displayed because the secret file cannot be found in the current directory. Now compare this with the parent directory of the app by requesting site.com/username/secretfile.

We can see that the application honors the ../ characters and traverses up to the parent directory. Some web apps instead strip the ../ characters from the input and do not allow traversing back to parent directories.

Exploiting file uploads with path traversal

Serving uploaded content via username/file, combined with users being able to traverse directories using ../ characters, makes this a perfect candidate for a path traversal vulnerability.

Because the web app honors ../ and lets the user climb to parent directories (a path traversal in the file upload feature), an attacker can replace a file that is important to the web application's infrastructure.

Depending on the file uploaded, path traversal can lead to code execution. To find out what kind of file to upload to trigger code execution, check the Spider to see how the web app has been mapped.

Step 8: Analyze the Source Code in Important Files

Go back to Burp and check the "Sitemap" tab in the "Target" section. The Spider should have parsed many paths, because you navigated manually through the web app. There is a very interesting "code" directory containing a file called "gruyere.py" as well as many other Python and GTL files, as shown in the figure below.

Note that some of the GTL files in the resources directory are named after the functionality that appears in the user's navigation bar when you are logged in to Gruyere. These files, login.gtl, newsnippet.gtl, and upload.gtl, contain the code that lets users log in, create snippets, and upload files to Google Gruyere.

Reading the Python file gruyere.py (shown below), we see that the application runs the server in a while loop. The loop keeps handling requests until the quit_server condition is met, which happens when a user navigates to /quitserver.

Another interesting Python file discovered is gtl.py. Reading the code, it appears to be the Python file that implements the GTL template language used by files with the .gtl extension. This can be seen from the multi-line comment at the top of the file, which begins with a triple quotation mark (""") in Python: "Gruyere Template Language. Part of Gruyere, a web application with holes."

After discovering these files, we know that Gruyere is a web app that uses a template language called GTL, and that the Python file gtl.py implements the logic for every file ending in .gtl.

Thinking like an attacker: if we could overwrite the gtl.py file, we could rewrite the site's infrastructure and take control of the application. To replace gtl.py, we could use the file upload feature to upload our own gtl.py. Create a .py file and name it ../gtl.py.

Note that naming files with characters like ../ will trigger an error on Windows and macOS. This can be bypassed by creating a user named .. (two dots) on Gruyere. Then, from the .. user's account, upload our own gtl.py and restart the web application by navigating to /quitserver in the URL bar. If you recall, we discovered /quitserver when the Spider found the gruyere.py file.

Because Gruyere is a deliberately vulnerable web application, a "Gruyere System Alert" warning should be displayed. The server restarts and has been "0wnd."

Real-World Code Execution Can Be Worse

A real-world scenario of successful code execution would do much more harm. Take, for example, the recent news about remote code execution in the package manager used to update and install tools on Debian, Ubuntu, and other popular GNU/Linux distributions.

The RCE, discovered in January 2019, allows adversaries to perform a man-in-the-middle attack and execute arbitrary code as the root user (the highest-privileged user on GNU/Linux) on any affected computer. An attacker who gains root access to your computer could wreak havoc, since they can install arbitrary files on the system.

Prevent this from happening

There are two parts to preventing a path traversal vulnerability in a file upload: first fix the path traversal itself, then the unrestricted upload of files.

For example, to prevent path traversal, a web app should avoid dynamically reading files based on user input. Second, to prevent malicious files from being uploaded, it should enforce a strict whitelist of what content, file types, and names can be uploaded.

Gruyere allows users to upload a .py file, that is, a Python file. A whitelist that rejects Python, JavaScript, and PHP filenames, combined with a check for double-extension filenames in case an attacker uses an extension such as code.py.jpg, makes it much harder for an attacker to upload code to the server.
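To make the traversal mechanism from the start of the article and the two fixes above concrete, here is an added Python example (not code from the article or from Gruyere itself). It places a naive path join, which resolves ../ and a user named .. exactly as described above, beside a hardened join and an extension whitelist that also catches double extensions; the upload root and the set of allowed extensions are assumptions.

```python
import posixpath
from typing import Optional

# Assumed layout (constructed for this example): uploads live under
# UPLOAD_ROOT/<username>/<filename>, mirroring Gruyere's site.com/username/file.
UPLOAD_ROOT = "/srv/app/uploads"
# Assumed whitelist of harmless upload types; py, js, php and gtl are not in it.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt"}


def resolve_path_vulnerable(username: str, filename: str) -> str:
    """Naive join: '..' in either component walks out of UPLOAD_ROOT.

    normpath collapses the ../ sequences, so the server ends up reading or
    writing a file outside the upload directory."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, username, filename))


def resolve_path_safe(username: str, filename: str) -> Optional[str]:
    """Hardened join: reject traversal components up front, then verify that
    the normalised result still lies inside UPLOAD_ROOT. Returns None on any
    violation so the caller refuses the request instead of touching a file."""
    for part in (username, filename):
        if part in ("", ".", "..") or "/" in part or "\\" in part or "\x00" in part:
            return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, username, filename))
    if not candidate.startswith(UPLOAD_ROOT + "/"):
        return None
    return candidate


def upload_name_allowed(filename: str) -> bool:
    """Whitelist check that inspects every extension in the name, so that a
    double extension such as code.py.jpg is rejected along with gtl.py."""
    base = posixpath.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return False
    stem, *extensions = base.lower().split(".")
    if not stem or not extensions:
        return False
    return all(ext in ALLOWED_EXTENSIONS for ext in extensions)


if __name__ == "__main__":
    cases = (("test", "cat.jpg"), ("test", "../../../../etc/passwd"), ("..", "gtl.py"))
    for user, name in cases:
        print(user, name, "->", resolve_path_vulnerable(user, name), "|", resolve_path_safe(user, name))
    for name in ("cat.jpg", "code.py.jpg", "gtl.py", "../gtl.py"):
        print(name, "allowed:", upload_name_allowed(name))
```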

Cover image, screenshots, and GIFs by Ginsa0x8/Null Byte
