Today I will talk about the path traversal vulnerability.
The path traversal attack technique allows an attacker to access files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the website will execute or reveal the contents of arbitrary files anywhere on the web server.
In this context, I was exploiting a vulnerable VM, the Seattle VM from VulnHub. It contains several web vulnerabilities.
The website allows the user to download a commercial brochure.
If the user clicks the image, a download starts:
The PDF indicates clues for the vulnerabilities present on the server.
I will try to download another file from the server instead of the “Brochure.PDF” file.
To do it, I use a proxy when downloading the file:
I will try to download another file, for example the infamous “/etc/passwd”. I edit my request:
Then I forward it! It works: a pop-up appears asking me to save the passwd file:
If I read it using my terminal…
I have access to the system user file! The exploit works by walking up the filesystem tree, like this:
So the payload is: ../../../../etc/passwd. The number of “..” sequences equals the number of directory levels to go back up to the root directory; from there the path leads straight to the password file.
- Sanitize filename parameters
- Check for backtracking sequences such as “..”, and also “~”, which permits going to the home directory
- Restrict filenames to a known-good set of characters
By preventing this vulnerability, all sensitive documents remain safe.
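To make the three mitigations concrete, and to show why the ../../../../etc/passwd payload above works against a naive handler, here is an added example of my own. It is not code from this post or from the Seattle VM. It assumes a document root held in a temporary directory containing a constructed Brochure.PDF; the function names, the regex allowlist and the sample inputs are all my assumptions, chosen to mirror the brochure download described above.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample document root: a temporary directory holding one brochure.
# It stands in for the web server's download folder (assumption, not the VM's real layout).
DOC_ROOT = Path(tempfile.mkdtemp(prefix="docroot_"))
(DOC_ROOT / "Brochure.PDF").write_bytes(b"%PDF-1.4 constructed sample brochure")

# Known-good allowlist for the filename parameter (assumed policy): letters, digits,
# underscore, dash, and a single .pdf extension. Slashes, "..", "~", NUL bytes and
# percent-encoding never match, so they are rejected before touching the filesystem.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.pdf", re.IGNORECASE)


def unsafe_download_path(doc_root, requested):
    """The vulnerable pattern: join the user-supplied name onto the document root
    and trust the result. A name containing '..' walks out of doc_root."""
    return os.path.normpath(os.path.join(str(doc_root), requested))


def safe_download_path(doc_root, requested):
    """Hardened handler: allowlist the name, resolve the path (following symlinks),
    and require that the resolved path still lies inside the document root.
    Returns the Path of the file to serve, or None if the request is rejected."""
    if not SAFE_NAME.fullmatch(requested):
        return None
    root = Path(doc_root).resolve()
    candidate = (root / requested).resolve()
    # Containment check: relative_to raises ValueError when candidate is outside root.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def escapes_root(doc_root, path):
    """True if `path` does not lie under `doc_root`; used to show what the unsafe join does."""
    root = Path(doc_root).resolve()
    try:
        Path(path).resolve().relative_to(root)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed requests: the legitimate brochure, the traversal payload from the
    # post, a home-directory shortcut, and a name with an encoded NUL byte.
    for name in ["Brochure.PDF", "../../../../etc/passwd", "~/.bashrc", "Brochure.PDF%00.txt"]:
        joined = unsafe_download_path(DOC_ROOT, name)
        print(f"{name!r}: unsafe join -> {joined} (escapes root: {escapes_root(DOC_ROOT, joined)}); "
              f"safe handler -> {safe_download_path(DOC_ROOT, name)}")
```

The allowlist implements the first and third mitigations and rejects “..” and “~” outright (the second). The containment check after `resolve()` is the part that keeps the handler safe even if some later decoding step (URL decoding, a NUL byte, a symlink inside the download folder) produces a path the regex never saw; in production, log every rejected request, since a burst of them is a clear signal that someone is probing for this bug.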