PentesterLab -- Web for Pentester - Directory Traversal
Web for Pentester, directory traversal: this exercise covers the most common web vulnerabilities.
Difficulty: 1/5
Tools: Burp Suite, Firebug
Example 1
code review:
The developer does not filter $file = $_GET['file']; at all, so I can just use file=../../../../../../../../etc/passwd to read /etc/passwd.
manual exploit:
http://192.168.79.162/dirtrav/example1.php?file=../../../../../../../../etc/passwd
Burp exploit:
Example 2
code review:
The developer tried to filter the file parameter by requiring it to start with /var/www/files/, so file=etc/passwd won't work. However, a prefix check does nothing to stop ../ from climbing back out of that directory, so I can use file=/var/www/files/../../../../../etc/passwd to get the passwd file.
manual exploit:
http://192.168.79.162/dirtrav/example2.php?file=/var/www/files/../../../../etc/passwd
Example 3
code review:
The developer tried to filter the file parameter by checking its extension. However, I can still use a null character to bypass it. The web application checks the path extension and sees that it ends in .png, so the filter passes. When this path is handed to the filesystem, the null byte terminates the string, so everything after it is ignored. The filesystem then resolves the directory traversal sequences and turns '/var/www/images/../../../etc/passwd%00new.png' into '/etc/passwd'.
manual exploit:
http://192.168.79.162/dirtrav/example3.php?file=../../../../etc/passwd%00.png
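As an added example that is not part of the original write-up or of the PentesterLab code, the following Python reproduces the prefix check from Example 2 and the extension check from Example 3, runs the three payloads above through them, and puts a resolver beside them that normalises the path and verifies containment instead of trusting any prefix or suffix. BASE_DIR, the function names and the decoding via urllib are assumptions.

```python
import os
from urllib.parse import unquote

# Constructed stand-in for the document root the exercise serves files from
BASE_DIR = "/var/www/files"

# The three payloads from this write-up, exactly as they appear in the URLs
PAYLOADS = {
    "example1": "../../../../../../../../etc/passwd",
    "example2": "/var/www/files/../../../../etc/passwd",
    "example3": "../../../../etc/passwd%00.png",
}


def example2_prefix_filter(file_param):
    """Flawed check from Example 2: a string prefix test on the raw value."""
    return file_param.startswith(BASE_DIR + "/")


def example3_extension_filter(file_param):
    """Flawed check from Example 3: an extension test on the raw value,
    which still contains the null byte that the C-level open() stops at."""
    return file_param.endswith(".png")


def safe_resolve(base_dir, file_param):
    """Hardened resolver: returns the path to open, or None to reject."""
    if "\x00" in file_param:          # removes the Example 3 bypass
        return None
    base = os.path.normpath(base_dir)
    # os.path.join discards base when file_param is absolute (Example 2),
    # so normalise the joined result and check containment on that.
    # Use os.path.realpath instead of normpath where symlinks matter.
    candidate = os.path.normpath(os.path.join(base, file_param))
    if os.path.commonpath([base, candidate]) != base:
        return None                   # escaped the document root
    return candidate


def evaluate(name):
    """Decode the parameter as the web server would and run every check."""
    decoded = unquote(PAYLOADS[name])
    return {
        "passes_prefix_filter": example2_prefix_filter(decoded),
        "passes_extension_filter": example3_extension_filter(decoded),
        "safe_resolve": safe_resolve(BASE_DIR, decoded),
    }


if __name__ == "__main__":
    for name in PAYLOADS:
        print(name, evaluate(name))
```

The two flawed filters accept their respective payloads, while safe_resolve rejects all three and still serves an ordinary file name under BASE_DIR.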