Path Traversal

Today, I will talk about the path traversal vulnerability.

Table of contents:

  1. Introduction
  2. Topology
  3. Detection
  4. Exploitation
  5. Remediation
  6. Conclusion

Introduction

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server.

In this context, I was exploiting a vulnerable VM, the Seattle VM from VulnHub. It contains several web vulnerabilities.

Topology

Detection

The website allows the user to download a commercial brochure.

If the user hits the image, a download appears:

The PDF indicates clues for the vulnerabilities present on the server.

Exploitation

I will try to download another file from the server instead of the “Brochure.PDF” file.

To do it, I use a proxy when downloading the file:

I will try to download another file, for example the infamous “/etc/passwd”. I edit my request:

Then I forward it! It works very well because a pop-up appears for saving the passwd file:

If I read it using my terminal…

I have access to the system user file! The way to exploit it is to walk up the filesystem tree, such as:

So the payload is: ../../../../etc/passwd. The number of double dots is equal to the number of slashes needed to go back to the root directory, and the path then goes straight to the password file.

Remediation

  • Sanitize filename parameters
  • Check for the presence of backtracking sequences such as “..” or “~”, which permits going to the home directory
  • Restrict filenames to a set of known-good characters
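
The three checks above can be combined into one server-side validator. The following is an added example, not code from the vulnerable application or from this post's original; Python, the function names, the directory layout and every file name except Brochure.PDF are assumptions. It goes one step beyond the list by also resolving the final path and confirming it stays inside the download directory, which catches a symlink with a clean-looking name.

```python
import os
import re
import tempfile

# Assumption: downloads are served from one directory and requested by bare name.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

class UnsafePath(ValueError):
    """Raised when a requested file name must not be served."""

def resolve_download(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or raise UnsafePath."""
    # Bullet 2: refuse backtracking ("..") and home-directory ("~") markers.
    if ".." in requested or "~" in requested:
        raise UnsafePath("backtracking marker in file name")
    # Bullets 1 and 3: allow-list of known-good characters, no separators.
    if not ALLOWED_NAME.fullmatch(requested):
        raise UnsafePath("character outside the allow-list")
    # Extra check: canonicalise (follows symlinks) and confirm containment.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath("resolved path leaves the download directory")
    if not os.path.isfile(candidate):
        raise UnsafePath("no such file")
    return candidate

def demo():
    """Check constructed requests against a throwaway directory tree."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")
        os.mkdir(downloads)
        secret = os.path.join(root, "secret.txt")  # lives outside downloads/
        for path in (os.path.join(downloads, "Brochure.PDF"), secret):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # A clean-looking name that points outside the directory.
        os.symlink(secret, os.path.join(downloads, "link.pdf"))
        for name in ("Brochure.PDF", "../../../../etc/passwd", "~/notes",
                     "/etc/passwd", "link.pdf", "missing.pdf"):
            try:
                resolve_download(downloads, name)
                verdicts[name] = "served"
            except UnsafePath as exc:
                verdicts[name] = str(exc)
    return verdicts

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: {verdict}")
```

Validation must run on the value after the web framework has URL-decoded it, so that an encoded separator cannot slip past the string checks.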

Conclusion

By preventing this vulnerability, all sensitive documents remain safe.
