How this directory traversal attack works?
  • mandi
    Posts: 207
    I just saw a URL of a hacked site from somewhere else:

    http://www.indonesia-colombo.lk/download.php?file=../../../../../../../../../../etc/passwd

    I am interested in understanding how this kind of attack works, but as a beginner in web-app security I do have some questions
    about this attack, so I decided to ask here..

    1) For example, in the above URL, how exactly did they traverse to the password file?

    2) And what does the . represent? And why have 2 dots been placed there?

    3) Also, as the site is a PHP site, doesn't PHP have any built-in basic defenses for this kind of directory traversal attack?
    And in general, what kind of defenses does a PHP site have against this attack?

    4) Where can I learn more about this particular attack vector? I tried for a while but wasn't able to find any useful tutorials/videos on this...

    Hope I will get my doubts cleared....
  • Xin
    Posts: 3,251
    1. This will be answered by the other questions.

    2. You know in Windows and Linux, when you go up a folder on the command line, you type
    cd ..
    Basically ../../../ is going up to the root directory. If it was just
    /etc/passwd it wouldn't work, as /etc/passwd won't exist in /var/www.

    3. It's to do with an insecurity in the php.ini / config file and unsanitised GET requests. Easy to defend against; it's just poor config.

    4. I'm writing some tutorials myself on this at the moment, but there's plenty on Google if you look.
    Xin
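The `cd ..` explanation above, carried through in code. This is an added example, not code from any post in this thread: a small lexical path normaliser that treats `.` and `..` the way the operating system does, so you can see exactly what `../../../` does to a path and why the number of `..` segments in the posted URL does not have to be exact. The web root `/var/www/html` is an assumption made for the demonstration; the real server's layout is not known from the thread.

```php
<?php
// Added example (not from the thread): lexical normalisation of a path that
// contains "." and ".." segments. No filesystem access is made; every path
// below is constructed for the demonstration.

function normalize_path(string $path): string
{
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;                 // "" (from a doubled slash) and "." change nothing
        }
        if ($segment === '..') {
            // Step up one level. When the stack is already empty we are at "/",
            // and there is nothing left to pop: surplus ".." segments are absorbed.
            array_pop($segments);
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

// Assumed document root for the demonstration (not known from the thread).
$webRoot = '/var/www/html';

$inputs = [
    '../etc/passwd',                                // one level up: still inside /var/www
    '../../../etc/passwd',                          // exactly enough levels for this layout
    '../../../../../../../../../../etc/passwd',     // the ten-level form from the posted URL
];

foreach ($inputs as $input) {
    printf("%-45s -> %s\n", $input, normalize_path($webRoot . '/' . $input));
}
```

Run it with `php normalize.php`. One `..` only climbs from `html` to `/var/www`; three reach `/etc/passwd`, and so do the ten in the posted URL, because once the segment stack is empty every further `..` pops nothing, which is how a POSIX kernel treats `/..` as well. For a defender the lesson runs the other way: a check or log filter that counts `../` sequences or looks for one exact string misses variants, so decode the URL, normalise the path, and only then compare the result against the directory the script is allowed to read from.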
  • mandi
    Posts: 207
    Thanks for the explanation xinapse. Does this kind of traversal attack work on all other sites like ASP, HTML and JSP sites, or does it work only on PHP sites?

    Also, it seems I tried the wrong keywords in Google when searching for directory traversal tutorials. Can you suggest some correct keywords, so that I can find them on my own :)...
  • Xin
    Posts: 3,251
    By the way, this attack is called Local File Inclusion / Local File Download depending on how you use it; directory traversal is slightly different, I think. I assume it's possible for it to work on ASP and ASPX but not HTML. As for dorks, they're not going to have as high a success rate as SQLi, but try things like inurl:page.php?= and things like that.
    Xin
  • m0rph
    Posts: 332
    Local File Inclusion Broken Down by m0rph
    -------------------------------------------

    So you're browsing a site, and you see its URL is shaped something like this:

    www.site.com/index.php?main=page.html

    If you have your own Apache server, give this script a shot; it should be insecure enough for you to actually be able to carry out this attack.

    <?php
    # contents for index.php
    include($_GET["main"]); # includes a desired file through a GET request
    ?>

    Since you asked, I'll give you a little breakdown of the script. I'll do this by order of operations, so below you'll see PHP's way of getting user input.

    $_GET["main"]; # Sample GET request for the variable "main". This causes the ?main= in the URL

    Below here, you will see the include function for PHP... this function includes files, obviously.

    include(); # function for including files

    So down to the nitty gritty: the include function will be including a specified file through a GET request. PHP automatically displays the resulting page, so no need to add any additional statements.

    So if you put "../../etc/passwd" in a GET request that is unsanitized, you will be making our PHP script above change directories to that of "/etc", and it will include the passwd file commonly seen in *nix distros.

    Normally you'll have to guess how many directories you need to go up before you reach the root directory. Like so:
    "../etc/passwd"
    "../../etc/passwd"
    "../../../etc/passwd"

    and so on, but normally it's anywhere between 4 and 7 directories: 4 if there are no virtual hosts, and 7 if there is a forum installed on a virtual host.

    Ironically, this entire process can be avoided by putting this code into your PHP pages after you've checked them for errors/misconfigurations:

    <?php
    error_reporting(0);
    ?>


    regards,
    m0rph
    while( !(succeed = try() ) );
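m0rph's `include($_GET["main"])` shows the bug; question 3 in the opening post asked for the fix. The following is an added example, not m0rph's code or anything else from the thread. It puts the vulnerable handler next to two hardened versions: an allow-list for `?main=` style page selection, and a `realpath()` containment check for a `download.php?file=` style handler like the one in the posted URL. The function names (`resolve_page`, `resolve_download`), the page table and the temporary directory are constructed for the demonstration, and `str_contains`/`str_starts_with` assume PHP 8. One point worth making explicitly: `error_reporting(0)` only silences the warning PHP prints when an include fails; the include itself still runs, so it hides the symptom without removing the flaw.

```php
<?php
// Added example, not code from the thread. Vulnerable handler beside two
// hardened ones; resolve_page() and resolve_download() are invented names.
declare(strict_types=1);

// Vulnerable: whatever arrives in ?main= goes straight to include().
// A value such as ../../../../etc/passwd is included (and displayed) as-is.
function render_page_vulnerable(string $main): void
{
    include $main;
}

// Hardened variant 1: map the page *name* the user may choose to a file *we*
// chose. The string later handed to include() is never user input.
const PAGES = [
    'home'    => 'page.html',
    'contact' => 'contact.html',
];

function resolve_page(string $main, string $templateDir): ?string
{
    if (!array_key_exists($main, PAGES)) {
        return null;                                   // unknown page: answer 404, do not guess
    }
    return $templateDir . '/' . PAGES[$main];
}

// Hardened variant 2: a download handler that confines ?file= to one directory.
// realpath() resolves every "..", "." and symlink, so the containment test is
// made on the final path, not on the string the user sent.
function resolve_download(string $requested, string $baseDir): ?string
{
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;                                   // empty names and NUL bytes are never legitimate
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $candidate === false || !is_file($candidate)) {
        return null;                                   // base or target missing, or not a regular file
    }
    // The trailing separator stops /srv/files-old from passing as inside /srv/files.
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;                                   // resolved outside the download directory
    }
    return $candidate;
}

// Demonstration against a constructed temporary directory (no real site involved).
$root = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
mkdir($root . '/files', 0700, true);
file_put_contents($root . '/files/report.pdf', 'constructed sample content');

foreach (['home', 'contact', '../../etc/passwd', 'page.html'] as $main) {
    printf("main=%-20s -> %s\n", $main, resolve_page($main, $root . '/templates') ?? 'REJECTED');
}

foreach (['report.pdf', '../../../../../../../../../../etc/passwd', "report.pdf\0.txt", 'missing.pdf'] as $file) {
    printf("file=%-45s -> %s\n", addcslashes($file, "\0"),
        resolve_download($file, $root . '/files') ?? 'REJECTED');
}

unlink($root . '/files/report.pdf');
rmdir($root . '/files');
rmdir($root);
```

The allow-list is the stronger design wherever the set of pages is known in advance, because the user chooses a key and never a path. The `realpath()` check is for handlers that genuinely serve arbitrary files from one directory; it needs the target to exist (which is why the check is done after, not instead of, the NUL-byte test), and it rejects symlinks that point outside the base, which a purely lexical check would not. At the php.ini level, Xin's "poor config" point maps to keeping `allow_url_include` off and, where the host supports it, setting `open_basedir` so that even a buggy script cannot read outside the site's own tree.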