Hey guys, so today in this blog we are going to discuss the path traversal vulnerability, which has a very high impact in bug bounty, and we are going to walk through some lab exercises from the PortSwigger labs.
Path traversal, or directory traversal, allows an attacker to read files or directories from the target server, and sometimes it also allows the attacker to write to files of the target application.
This vulnerability falls under the Broken Access Control category of the OWASP Top 10.
In order to determine which part of the application is vulnerable to input validation bypassing, the tester needs to enumerate all parts of the application that accept content from the user. This includes HTTP GET and POST parameters as well as common features like file uploads and HTML forms.
Here are some examples of the checks to be performed at this stage:
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.html
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
This lab has a very basic path traversal vulnerability. To solve the lab, retrieve the contents of the /etc/passwd file.
First, look at the blog application to find the functionality that retrieves files. In this case there is a filename parameter (?filename=) which retrieves the image from the Linux server.
Next, capture that request using Burp.
Forward the first request and send the second request to Repeater (here you can see the filename parameter).
Next, change 17.jpg to 33.jpg (this is to test whether we can access another file from here).
So we can confirm that we are able to access another image file from here. Next, enter the payload
/../../../../etc/passwd #traversal path
Now you have successfully exploited the path traversal vulnerability.
The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.
An absolute path is simply the exact path to a file, starting from the root of the filesystem.
On Linux machines, the absolute path of the password file is /etc/passwd, and the hosts file is /etc/hosts.
First, capture the request in Burp and modify the filename with the absolute path /etc/passwd.
You might be able to use nested traversal sequences, such as ....// or ....\\/, which revert to simple traversal sequences when the inner sequence is stripped.
//....//....//....//etc/passwd
The application blocks input containing path traversal sequences. It then performs a URL decode of the input before using it.
For this lab, I have used Burp Intruder; there is a built-in payload list called (Fuzzing — path traversal), but it is only available to Burp Suite Professional users.
If you are not a Pro user, check out this link for a wordlist: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
You can also use a directory-busting tool such as feroxbuster.
Capture the request, send it to Intruder and add the payload position as $1$.
Change the payload list to (Fuzzing — path traversal).
Next, click Start attack.
Check whether any payload gets a 200 OK response in the attack; if it does, you have found the bug.
In this lab, you can be pretty sure that there is a path traversal bug because the filename parameter already contains the default Linux server path.
../../../etc/passwd
A null byte (%00) is the null character; it terminates the string, so the .png part that follows it is eliminated.
../../../etc/passwd%00.png
This works because the server validates the file extension; to bypass that check we use a null byte.
In some cases you need to combine all the payloads:
....//....//....//etc/passwd%00.png
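To see from the defender's side why the filters in these labs fail and what a correct check looks like, here is an added example in Python (not code from the original post or from PortSwigger): a naive filter that strips ../ a single time, which collapses ....// back into ../, beside a resolver that decodes first, rejects null bytes, checks the extension on the decoded string, and then verifies that the canonical path still lies inside the image directory. The base directory /srv/app/images and the allowed extensions are constructed assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory; in a real app this is the folder serving images.
IMAGE_DIR = "/srv/app/images"
ALLOWED_EXT = (".jpg", ".png")


def naive_strip_filter(filename: str) -> str:
    """Weak filter: removes '../' one time only. A nested sequence such as
    '....//' collapses back into '../' once the inner '../' is gone."""
    return filename.replace("../", "")


def safe_resolve(base_dir: str, user_filename: str) -> Optional[str]:
    """Return the canonical path of user_filename inside base_dir, or None
    when the request must be refused."""
    # 1. Decode before any check, so %2e%2e%2f cannot slip past a raw-string test.
    decoded = unquote(user_filename)
    # 2. A null byte would let a C-level open() stop before the ".png" suffix.
    if "\x00" in decoded:
        return None
    # 3. Extension check on the decoded string, not on the raw one.
    if not decoded.lower().endswith(ALLOWED_EXT):
        return None
    # 4. Canonicalise (resolves '..' and symlinks), then check containment.
    #    os.path.join discards base when the input is absolute (/etc/passwd),
    #    which is exactly why the containment check must come after it.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None  # escaped the image directory
    return candidate


if __name__ == "__main__":
    # Payloads from the walkthrough above, run through both functions.
    for payload in ("33.jpg", "../../../etc/passwd", "/etc/passwd",
                    "....//....//....//etc/passwd", "..%2f..%2f..%2fetc/passwd",
                    "../../../etc/passwd%00.png",
                    "....//....//....//etc/passwd%00.png"):
        print(f"{payload!r:45} stripped -> {naive_strip_filter(payload)!r}")
        print(f"{'':45} safe     -> {safe_resolve(IMAGE_DIR, payload)}")
```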
I hope you found this article easy to understand. If you liked it, please give it some applause.