Path Traversal Vulnerability

Directory traversal Bug

Vignesh
InfoSec Write-ups

--

Hey guys, so today in this blog we are going to discuss the path traversal vulnerability, which has a very high impact in bug bounty, and we are going to work through some lab exercises from the PortSwigger Web Security Academy.

What is Path Traversal?

Path traversal (also called directory traversal) lets an attacker read files or directories on the target server that sit outside the directory the application meant to serve, and in some cases it also lets the attacker write to files of the target application.

The vulnerability falls under the Broken Access Control category of the OWASP Top 10.

Methodology

In order to determine which parts of the application are vulnerable to input-validation bypass, the tester needs to enumerate every part of the application that accepts content from the user. This includes HTTP GET and POST parameters as well as common features such as file uploads, HTML forms, cookies and headers.

The labs below walk through examples of the checks performed at this stage:

Lab: File path traversal, simple case

This lab has a very basic path traversal vulnerability. To solve the lab, retrieve the contents of the /etc/passwd file.

First, look at the blog application to find the functionality that retrieves files. In this case there is a ?filename parameter that loads product images from the Linux server.

Next, capture that request using Burp.

Forward the first request and send the second request (the image request) to Repeater. Here you can see the filename parameter.

Next, change 17.jpg to 33.jpg. This tests whether we can access a different file from this parameter at all.

So we have confirmed that the parameter lets us access other image files. Next, enter the payload:

/../../../../etc/passwd #traversal path

The response now contains the contents of /etc/passwd, so the path traversal vulnerability has been exploited successfully.

Lab: File path traversal, traversal sequences blocked with absolute path bypass

The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.

What is an absolute path?

An absolute path is the full path of a file starting from the root of the filesystem, so it does not depend on the application's working directory.

On Linux, the absolute path of the password file is /etc/passwd and of the hosts file is /etc/hosts.

First, capture the request in Burp and replace the filename value with the absolute path /etc/passwd. The filter only looks for ../ sequences, so it never triggers, and the file is returned.

Lab: File path traversal, traversal sequences stripped non-recursively

You might be able to use nested traversal sequences, such as ....// or ....\/, which revert to simple traversal sequences once the inner sequence has been stripped a single time.

//....//....//....//etc/passwd

Lab: File path traversal, traversal sequences stripped with superfluous URL-decode

The application blocks input containing path traversal sequences. It then performs a URL decode of the input before using it.

For this lab I used Burp Intruder with the built-in payload list called Fuzzing - path traversal.

This list is only available to Burp Suite Professional users.

If you are not a Pro user, use this wordlist instead: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt

You can feed it to a fuzzing tool; note that feroxbuster is a directory brute-forcer, so for fuzzing a single parameter value a web fuzzer such as ffuf is the better fit.

Burp Suite Pro users

Capture the request, send it to Intruder and mark the filename value as the payload position.

Change the payload list to the built-in Fuzzing - path traversal list.

Next, click Start attack.

Check the results. Do not rely on a 200 OK alone: the image endpoint answers 200 for any valid image name. Sort by response length and look for a response whose body contains /etc/passwd content (for example root:x:0:0); that is what confirms the bug.

Lab: File path traversal, validation of start of path

In this lab you can be fairly sure there is a path traversal bug because the filename parameter already contains the server's default image directory path, and the application only validates that the value starts with that path. Keep the existing directory path at the start of the value and append the traversal sequence after it:

../../../etc/passwd

Lab: File path traversal, validation of file extension with null byte bypass

Null byte: the null character terminates the string at the file API, so everything after it, including .png, is dropped when the file is opened.

Null character: %00

../../../etc/passwd%00.png

This works because the server validates the file extension: the extension check sees a value ending in .png, while the file API stops reading at the null byte and opens /etc/passwd.

In some cases you need to combine several bypass techniques into one payload:

....//....//....//etc/passwd%00.png
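To see why each lab's filter fails and what a correct check looks like, here is an added example (mine, not PortSwigger's code) that models the six filters in Python with an assumed web root of /var/www/images. Each lab_* function applies the filter described in its lab to the value as the application sees it after the framework's single URL decode (so %00 is already a NUL byte and %252f is already %2f), and safe_resolve shows the canonicalise-then-check approach that rejects all six payloads.

```python
"""Model each lab's filter, the payload that defeats it, and a check that
none of them defeat. Added example; the web root and filter logic are
assumptions that mirror the lab descriptions."""
import posixpath
import urllib.parse

BASE_DIR = "/var/www/images"  # assumed web root of the image endpoint


def resolve(filename):
    """What the OS will open: join with the web root, then normalise.
    join() discards BASE_DIR when filename is absolute and normpath()
    collapses '..' components; attackers rely on both behaviours."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filename))


# Lab 1: no validation at all.
def lab_simple(filename):
    return resolve(filename)


# Lab 2: traversal sequences are blocked, but an absolute path is not.
def lab_block_sequences(filename):
    if "../" in filename or "..\\" in filename:
        raise ValueError("traversal sequence blocked")
    return resolve(filename)


# Lab 3: '../' is stripped once (str.replace is a single pass), so each
# '....//' collapses to '../' after stripping.
def lab_strip_non_recursive(filename):
    return resolve(filename.replace("../", ""))


# Lab 4: the check runs on the once-decoded value, then the app decodes a
# second time before use. Sending %252f gives %2f at the check and '/' at
# the file open.
def lab_superfluous_decode(filename):
    if "../" in filename:
        raise ValueError("traversal sequence blocked")
    return resolve(urllib.parse.unquote(filename))


# Lab 5: the value must start with the web root; '..' after it is ignored.
def lab_validate_start(filename):
    if not filename.startswith(BASE_DIR + "/"):
        raise ValueError("path must start with web root")
    return resolve(filename)


# Lab 6: the extension is checked on the whole string, but a C-string file
# API stops at the first NUL, so 'passwd\x00.png' opens 'passwd'.
def lab_null_byte(filename):
    if not filename.endswith(".png"):
        raise ValueError("only .png allowed")
    opened = filename.split("\x00", 1)[0]  # modelled NUL truncation
    return resolve(opened)


def safe_resolve(filename, allowed_ext=(".png", ".jpg")):
    """Hardened version: reject NUL, never decode again, canonicalise, then
    verify the canonical path is still inside the web root."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    path = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    if posixpath.commonpath([BASE_DIR, path]) != BASE_DIR:
        raise ValueError("resolved path escapes web root")
    if not path.endswith(allowed_ext):
        raise ValueError("disallowed extension")
    return path


# Payloads as the application sees them after the framework's single decode.
BYPASSES = {
    "simple": (lab_simple, "../../../../etc/passwd"),
    "absolute path": (lab_block_sequences, "/etc/passwd"),
    "non-recursive strip": (lab_strip_non_recursive, "....//....//....//etc/passwd"),
    "superfluous decode": (lab_superfluous_decode, "..%2f..%2f..%2fetc/passwd"),
    "validate start": (lab_validate_start, BASE_DIR + "/../../../etc/passwd"),
    "null byte": (lab_null_byte, "../../../etc/passwd\x00.png"),
}


def run_bypasses():
    """Return {lab: path the vulnerable filter ends up opening}."""
    return {name: fn(payload) for name, (fn, payload) in BYPASSES.items()}


def run_hardened():
    """Return {lab: True} when safe_resolve rejects that lab's payload."""
    blocked = {}
    for name, (_, payload) in BYPASSES.items():
        try:
            safe_resolve(payload)
            blocked[name] = False
        except ValueError:
            blocked[name] = True
    return blocked


if __name__ == "__main__":
    for name, path in run_bypasses().items():
        print(f"{name:22} -> {path}")
    print("hardened rejects all:", all(run_hardened().values()))
```

Run it and every vulnerable filter resolves to /etc/passwd while the hardened one raises for all six. Note that safe_resolve never strips or decodes anything itself: it canonicalises the joined path and compares the result with the web root using commonpath (a plain startswith check would accept /var/www/images2), which is the step each of the lab filters is missing.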

I hope this article was easy to follow. If you liked it, please give it some applause.


Hi, I'm Vignesh, just call me Vicky. I'm a cybersecurity researcher who is very interested in this cybersecurity field; basically I'm an OffSec student.