Before reading this post, quickly read http://en.wikipedia.org/wiki/Directory_traversal. You must be very confused now (after reading it). Let's understand and apply what you have just read.
What is the root directory of a web server?
It is a specific directory on the server in which the web content is placed and can be seen by website visitors. The directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible by a visitor on a website is placed in the root directory. The visitor cannot step out of the root directory.

What does ../ or ..\ (dot dot slash) mean?

The ..\ instructs the system to go one directory up.
For example, we are at this location C:\xx\yy\zz. On typing ..\ , we would reach C:\xx\yy.
Again on typing ..\ , we would reach C:\xx.


Let's again go to location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt . Typing ..\ two times takes us two directories up (that is, to directory xx) where abc.txt is placed.

Note: It's ..\ on Windows and ../ on UNIX-like operating systems.

What is a Directory Traversal exploit?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.

The following example will make everything clear.

Visit this website vulnerable to directory traversal attack

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This web server is running on a UNIX-like operating system. There is a directory 'etc' on Unix/Linux which contains the configuration files of programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile and sbin.
The file etc/passwd contains the login names of users and even passwords too.

Let's try to access this file on the web server by stepping out of the root directory. Look carefully at the position of the directories placed on the web server. We do not know the actual names and contents of the directories except 'etc', which is a default name, so I have marked them as A, B, C, E or whatever.



We are in directory F, accessing the web pages of the website.

Let's type this in the URL field and press enter
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd
This will search for the directory 'etc' in F. But obviously there is nothing like this in F, so it will return nothing.

Now type http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd
Now this will step up one directory (to directory E) and look for 'etc', but again it will return nothing.

Now type http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd
Now this will step up two directories (to directory D) and look for 'etc', but again it will return nothing.

So by proceeding like this, we go for this URL
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the main drive and then to the 'etc' directory, and shows us the contents of the 'passwd' file.
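The walk-through above, and the earlier ..\ explanation, modelled as added Python that is not part of the original post: "/" stands in for the post's directory A, the web root "/B/C/D/E/F" is directory F, and the function names are assumptions. The naive resolver shows where each page= value actually lands; the hardened one shows the check a fix needs (canonicalise first, then require the result to stay under the root), which also catches an absolute path and extra ../ beyond the root.

```python
import posixpath

# Constructed layout mirroring the post's diagram: "/" is directory A and
# the web root (directory F) sits five levels below it.
WEB_ROOT = "/B/C/D/E/F"


def resolve_naively(page, web_root=WEB_ROOT):
    """Model of include($_GET['page']) with no validation: the parameter is
    glued onto the web root and every '../' is collapsed by the OS.
    Returns the absolute path that would actually be opened."""
    return posixpath.normpath(posixpath.join(web_root, page))


def resolve_safely(page, web_root=WEB_ROOT):
    """Hardened resolver: canonicalise, then refuse anything whose canonical
    form is not the web root itself or a path below it.
    commonpath (not startswith) is used so a sibling such as /B/C/D/E/F2
    is not mistaken for something under F. Returns None when blocked."""
    root = posixpath.normpath(web_root)
    target = posixpath.normpath(posixpath.join(root, page))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


def walk_up(target="etc/passwd", max_ups=6):
    """Reproduce the post's walk-through: prefix 0..max_ups copies of '../'
    and record where each request lands and whether the hardened resolver
    lets it through. One more '../' than needed still lands in /etc,
    because normpath discards '..' at the root."""
    rows = []
    for n in range(max_ups + 1):
        page = "../" * n + target
        rows.append((page, resolve_naively(page), resolve_safely(page)))
    return rows


if __name__ == "__main__":
    for page, naive, safe in walk_up():
        state = "blocked" if safe is None else "allowed"
        print(f"{page:32} -> {naive:24} {state}")
    # An absolute parameter needs no '../' at all: join() drops the root.
    print(resolve_naively("/etc/passwd"), resolve_safely("/etc/passwd"))
```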



To understand the contents of the 'passwd' file, click here

You can also view etc/profile, etc/services and many other files like backup files which may contain sensitive data. Some files like etc/shadow may not be accessible because they are readable only by privileged users.

It's not very important how you can hack/deface a website using this vulnerability, but it is important that you understand what it is and how to find and fix it.


Note: If proc/self/environ were accessible, you might upload a shell on the server, which is called Local File Inclusion.

4 comments:

  1. did not understand the NOTE part..
    regarding proc/self/environ..

    would be great if you could explain :)

  2. I like pie.

  3. I don't know how you do this, please teach me

  4. By having access to /proc/self/environ on a unix or linux machine, you could inject PHP code that would give you a shell. Two ways of doing this are through error logs or through user agents. If you sent a GET request to a server that contained an LFI vulnerability, which would look like GET , you would get a 404 error from the web server. Since you received an error, the error will get placed in the error logs. Then, just visit the error log by "including" it through the LFI vulnerability itself, and your PHP code will be executed. Or, you can replace your user agent with the above PHP code, and execute a search for /proc/self/environ. For example, if we have www.hack.com/index.php?page=../../../proc/self/environ, and we changed our user agent to the PHP code and then reloaded the page, then it would load our PHP code as a new user agent, and since our PHP code includes a system function with a 'cmd' parameter, we have to include the parameter in our URL like so-

    www.hack.com/index.php?page=../../../proc/self/environ?cmd=whoami

    And wherever you see your user agent in the /proc/self/environ file embedded in the web page would actually be the results of whoami, meaning you are now able to execute commands on the server. ;)
