Directory Traversal

Introduction

  • An absolute path is a complete path to a file or directory from the root directory.

  • The root directory is the top-level directory of the file system and is represented by a forward slash (/).

  • Absolute paths always start with the root directory and provide the full path to the file or directory.

  • A relative path is a path to a file or directory that is relative to the current directory.

  • To move back one directory, we can use ../. To move more than one directory backwards, we can combine multiple ../ sequences.

  • The number of ../ sequences is only relevant until we reach the root file system. Theoretically, we can add as many ../ as we want, since there is nowhere further back to go from /.

  • In this case, we could specify a large number of ../ to ensure we reach the root file system from a relative pathing perspective.

  • Directory traversal attacks, also known as path traversal attacks, are a type of attack used to access sensitive files on a web server. They typically occur when a web application does not sanitize user input that is used to build a file path.

  • We should always check for vulnerabilities by hovering over all buttons, checking all links, navigating to all accessible pages, and (if possible) examining the page's source code. Links can be an especially valuable source of information, providing parameters or other data about the application.

  • Because leveraging ../ is a known way to abuse web application behavior, this sequence is often filtered by either the web server, web application firewalls, or the web application itself. Fortunately for us, we can use URL Encoding, also called Percent Encoding, to potentially bypass these filters.

  • Windows uses backslashes instead of forward slashes for file paths. Therefore, ..\ is an important alternative to ../ on Windows targets.

  • Some web applications on Windows are only vulnerable to directory traversal using backslashes. Therefore, we should always try to leverage both forward slashes and backslashes when examining a potential directory traversal vulnerability in a web application running on Windows.
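Added example, not part of the original notes: a small Python path resolver that shows how the rules above play out on the server side. It resolves a user-supplied file name the way the file system would (percent-decoding, including double encoding; folding backslashes; collapsing ../ segments, with any extra ../ above / simply absorbed) and then refuses anything that lands outside the directory the application serves from. The web root /var/www/html, the cms subdirectory and the function names are assumptions made for the demo.

```python
import posixpath
from urllib.parse import unquote

# Assumed for this example: the web root and the cms subdirectory the app serves from.
WEB_ROOT = "/var/www/html"
CMS_DIR = posixpath.join(WEB_ROOT, "cms")


def decode_repeatedly(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that a double-encoded
    sequence such as %252e%252e%252f ('../' encoded twice) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_candidate(base_dir: str, user_value: str) -> str:
    """Resolve a user-supplied file name the way the file system would:
    decode it, fold backslashes into forward slashes (Windows accepts both),
    join it onto the base directory and collapse every '.' and '..' segment.
    normpath drops any '..' that would climb above '/', which is why a long
    run of '../' always ends up at the root regardless of its length."""
    decoded = decode_repeatedly(user_value).replace("\\", "/")
    return posixpath.normpath(posixpath.join(base_dir, decoded))


def is_within(base_dir: str, resolved: str) -> bool:
    """True only if the resolved path is the base directory itself or below it."""
    base = posixpath.normpath(base_dir)
    return resolved == base or resolved.startswith(base + "/")


def safe_open_path(base_dir: str, user_value: str):
    """Path to serve for this request, or None when it escapes base_dir."""
    resolved = resolve_candidate(base_dir, user_value)
    return resolved if is_within(base_dir, resolved) else None


if __name__ == "__main__":
    # Constructed inputs: two legitimate values, then the variants discussed above
    # (many '../', percent-encoded, double-encoded, backslashes, an absolute path).
    samples = [
        "en.html",
        "pages/../en.html",
        "../" * 20 + "home/kali/.ssh/id_rsa",
        "%2e%2e%2flogin.php",
        "%252e%252e%252flogin.php",
        "..%5c..%5cWindows%5cSystem32%5cdrivers%5cetc%5chosts",
        "/home/kali/.ssh/id_rsa",
    ]
    for value in samples:
        resolved = resolve_candidate(CMS_DIR, value)
        verdict = "serve" if safe_open_path(CMS_DIR, value) else "reject"
        print(f"{value!r:58} -> {resolved!r:38} {verdict}")
```

The check works on the normalized string, which is the minimum; a production version should also run the result through os.path.realpath so symlinks cannot point out of the directory, should use the platform's own path module (ntpath on Windows) rather than posixpath, and is best replaced altogether by an allow-list of the file names the parameter may legitimately take.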

Case 1

  • Let's say we find this link: https://example.com/cms/login.php?language=en.html

  • First, login.php tells us the web application uses PHP. We can use this information to develop assumptions about how the web application works, which is helpful for the exploitation phase.

  • Second, the URL contains a language parameter with an HTML page as its value. In a situation like this, we should try to navigate to the file directly: https://example.com/cms/en.html. If we can successfully open it, we can confirm that en.html is a file on the server, meaning we can use this parameter to try other file names. We should always examine parameters closely when they take a file name as their value.

  • Third, the URL contains a directory called cms. This is important information indicating that the web application is running in a subdirectory of the web root.

  • We can start testing by trying to access different files by passing the file name to the parameter.

  • During web application assessments, as soon as we have identified a possible vulnerability, such as the language parameter in this case, we should not rely on a browser for testing. Browsers often parse or rewrite request elements for user-friendliness, which can silently alter what is actually sent.

  • When performing web application testing, we should mainly use tools such as Burp, cURL, or a programming language of our choice.

Files to Look for

  • On Linux, SSH keys are usually located in the .ssh folder of a user's home directory: /home/<Username>/.ssh/id_rsa (e.g. /home/kali/.ssh/id_rsa).

  • On Windows, we can use the file C:\Windows\System32\drivers\etc\hosts, which is readable by all local users, to test for directory traversal vulnerabilities.

  • For IIS, we can try to access the logs, which are located at C:\inetpub\logs\LogFiles\W3SVC1\.

  • Another file we should always check when the target is running an IIS web server is C:\inetpub\wwwroot\web.config, which may contain sensitive information like passwords or usernames.
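Added example, not part of the original notes: the detection side of the Case 1 scenario and of the file list above. It parses web server access log lines (constructed samples in combined log format, using the language parameter from Case 1 and the file names listed in this section) and flags requests whose path or query values carry a ../ sequence, whether plain, percent-encoded, double-encoded, or written with backslashes, plus any reference to the sensitive files named here. Log format, IP addresses, user agents and function names are my assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample traffic in combined log format (not real data): the first
# and last lines are benign, the others request files named on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /cms/login.php?language=en.html HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:09 +0000] "GET /cms/login.php?language=../../../../home/kali/.ssh/id_rsa HTTP/1.1" 200 1675 "-" "curl/8.4.0"
203.0.113.5 - - [10/May/2024:12:00:15 +0000] "GET /cms/login.php?language=%2e%2e%2f%2e%2e%2fhome%2fkali%2f.ssh%2fid_rsa HTTP/1.1" 404 512 "-" "curl/8.4.0"
198.51.100.7 - - [10/May/2024:12:01:02 +0000] "GET /cms/login.php?language=..%5c..%5c..%5cinetpub%5cwwwroot%5cweb.config HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:01:30 +0000] "GET /cms/login.php?language=%252e%252e%252f%252e%252e%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts HTTP/1.1" 200 931 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:12:02:00 +0000] "GET /cms/assets/style.css HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A '..' segment bounded by separators; backslashes are folded to '/' before matching.
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")

# Lower-cased path fragments for the files listed on this page.
SENSITIVE_FRAGMENTS = (
    "/.ssh/id_rsa",
    "/drivers/etc/hosts",
    "/inetpub/wwwroot/web.config",
    "/inetpub/logs/logfiles/w3svc",
)


def full_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads are seen too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target):
    """Return (location, indicator) pairs for one request target, checking the
    path and every raw query value separately (values are split by hand so
    the original encoding is still visible)."""
    split = urlsplit(target)
    candidates = [("path", split.path)]
    for pair in (split.query.split("&") if split.query else []):
        key, _, raw_value = pair.partition("=")
        candidates.append((f"param:{unquote(key)}", raw_value))
    findings = []
    for where, raw in candidates:
        decoded = full_decode(raw)
        norm = decoded.replace("\\", "/")
        suspicious = []
        if DOTDOT_RE.search(norm):
            suspicious.append("dotdot")
        if any(frag in norm.lower() for frag in SENSITIVE_FRAGMENTS):
            suspicious.append("sensitive-file")
        if not suspicious:
            continue  # encoding on its own is normal; report it only beside traversal signs
        if decoded != raw:
            suspicious.append("percent-encoded")
        if "\\" in decoded:
            suspicious.append("backslash")
        findings.extend((where, name) for name in suspicious)
    return findings


def scan_log(log_text):
    """Parse each line and keep the ones carrying at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        indicators = analyze_request(m["target"])
        if not indicators:
            continue
        alerts.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "target": m["target"],
            "indicators": sorted({name for _, name in indicators}),
            "locations": sorted({where for where, _ in indicators}),
        })
    return alerts


def likely_successful(alerts):
    """Alerts answered with 200: worth triaging first, though a 200 alone does
    not prove the file content was returned (many apps return 200 on error)."""
    return [a for a in alerts if a["status"] == 200]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["indicators"], alert["target"])
```

Matching on the decoded and separator-folded value is what makes the backslash and double-encoded variants visible; matching on the raw log line alone would miss the last two sample requests entirely.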
