🛠️Directory traversal
Theory
Directory traversal (or path traversal) is a vulnerability that allows an attacker to read arbitrary files on a web server. Inputs that are not validated by the back-end server may be vulnerable to payloads such as "../../../". Using this method, an attacker can escape the web root directory and reach arbitrary files hosted on the server (/etc/passwd, /etc/hosts, c:/boot.ini, etc.).
Notes
Some details are important to know beforehand.
Path separator
As OWASP notes, each operating system uses different characters as a path separator:
Unix-like OS: /
Windows OS shell: \ or /
Classic Mac OS: :
Windows
Files and directories are case-insensitive, so there is no need to try different payloads based on case sensitivity. Also, payloads should not assume a fixed drive letter ("C:"); other letters ("D:", "E:"...) should be tried as well.
Directory traversal could lead to Remote Code Execution (RCE).
Practice
Tool
The tool dotdotpwn (Perl) can help in finding and exploiting directory traversal vulnerabilities by fuzzing the web app. However, manual testing is usually more efficient.
Manual testing
Reconnaissance
The first step is to find what kind of system is used (Linux, Windows...). One way is to check which web technology is in use (some technologies run on Linux while others run on Windows).
Next, finding the right parameter to inject is essential. Usually, a vulnerable parameter is one whose value names a file that the back-end server fetches by path (URL or form parameters, cookies...).
Then, to construct a payload, it is useful to have a set of well-known files to look for:
Filter bypass
Various filters may be in place for a web application (a Web Application Firewall, for example). A set of bypass payloads can be found in PayloadsAllTheThings.
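As an added defensive example (not code from the original page), the following Python shows a naive file-reading function beside a hardened resolver that canonicalises the requested path and rejects anything outside the document root, covering the separator, drive-letter and URL-encoding variants discussed in the notes above; the function names and sample payloads are constructed for illustration.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

def read_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """No validation: "../../etc/passwd" or "/etc/passwd" escapes base_dir."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()

def resolve_safe(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path inside base_dir, or None if the request escapes it."""
    # Decode once, as the web server would, so "%2e%2e%2f" is judged after decoding.
    decoded = unquote(user_path)
    # Windows accepts both separators; normalise so "..\\" is caught as well.
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths and drive letters ("/etc/passwd", "c:/boot.ini"):
    # os.path.join would otherwise discard base_dir for an absolute component.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # realpath resolves ".." and symlinks; the containment test is done on the
    # resolved paths, not on the raw string (a plain startswith would be weak).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

# Constructed sample requests: two legitimate, five traversal attempts.
PAYLOADS = [
    "index.html",
    "sub/../index.html",
    "../../etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
    "c:/boot.ini",
]

def run_checks() -> dict:
    """Evaluate each payload against a throwaway document root; True = allowed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("hello")
        return {p: resolve_safe(root, p) is not None for p in PAYLOADS}

if __name__ == "__main__":
    for payload, allowed in run_checks().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {payload}")
```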
User privilege
If you can successfully retrieve one of the following files, you are at least a member of the Administrators group:
There may be no "administrator" account; in that case the right account name has to be guessed.
If you can read either of these files, the file reading process has LocalSystem privileges.
Resources