Enigma Group's Articles


Path Traversal (Includes special encoding types and tips!!!) - Submitted By: t3hmadhatt3r 2009-05-19 21:06:16
Hi there.... This is a guide to show you where path traversal usually occurs, how to test for path traversal, and how to bypass filters.

Most people think path traversal is dead... Not necessarily. Path traversal is still happening on sites, and not just small ones: large companies' sites can have a path traversal vuln too.

.:Finding path traversal:.

Path traversal occurs when a web application reads data from a backend file system using a path that the user can influence. I will show the places where I usually find path traversal.

1a. Downloaders and Uploaders.

Well, it's pretty obvious why downloaders are a good place to check (../../../../etc/passwd anyone??) but why uploaders? Let's say a site you want to hack is on shared hosting. You manage to get an account there and intentionally upload a shell or backdoor. The problem is that the shell only affects your own site or file system. If you find a path traversal flaw in the uploader you could upload your backdoor to their site or even to the root of the filesystem. Always check downloaders and uploaders for path traversal!

Note: A good way to test downloaders is to use Free Download Manager. It is a tool that allows you to manage downloads (obviously) and not a hacking tool in any way, but you get a popup when you download something showing the URL of the download. You can then edit the URL as you wish. To get FDM, see http://www.freedownloadmanager.org/.

1b. Server request.

This kind of flaw has been found in many different servers. It occurs when the path in the HTTP request itself is altered to traverse directories. I have an example because it makes it easier to explain.

Code:

http://www.site.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

As you can see, the example code above uses special encoding to bypass filters which we will talk about soon.

Note: This particular exploit works on Apache Tomcat (I don't know which version, but it's a good example).

Another Note: Each %c0%ae represents one dot (period).

1c. Text files, Pdfs, and other documents.

You may find path traversal in areas where documents are being read from the filesystem. Always look for parameters like doc=, page=, file= etc. These might be vulnerable to path traversal.

.:Testing for path Traversal:.

2a. Sometimes you need to know quickly whether a site is vulnerable. I will show you one of the best ways. If you have a URL like:

Code:

http://www.site.com/doc=test.pdf

Then you can test for path traversal like so:

Code:

http://www.site.com/doc=/foo/../test.pdf

What we are doing here is making up a folder called foo and using ../ to go back to the folder we were originally in. If you don't get any errors it is probably vulnerable! Now, just because that test worked it doesn't mean that you can access the file system, so let's do some more tests to see what exactly we've got here....


Note: These test strings try to access common files on Windows and/or Linux systems.

2b. Test Strings

This one attempts to read the boot.ini from the root of the file system.
Code:

../../../../../../../../../../../../boot.ini

It's pretty obvious what this one tries to do.
Code:

../../../../../../../../../../../../etc/passwd

Tip: If the test didn't succeed then you might just have a strangely built file system, or the files simply don't exist. Try to enumerate the site for obvious file names, etc. Or, if you have found a folder or file name through an error message (this is called leveraging error messages), try it instead.

Note: If you have found that you are not interacting with the backend file system you can still do useful things with path traversal... Don't give up yet.

.:Using path traversal when you can't access the file system:.

3a. Sometimes path traversal only lets you traverse the website's own files... It may not seem very useful, but we can still use it to our advantage. The main thing this is good for is downloading the source of files. Sometimes we need to see what certain static files are doing on a website, and path traversal may let us access and download them. Always try this even if you can access the file system, because it can be very useful in learning how the application works.

.:Bypassing Filters:.

4a. This section of the tutorial is all about filter bypass (as the title says). I will show you some encoding tricks that will help you get past not only path traversal filters; you can use the same encoding types to get past XSS filters as well.

First we'll talk about URL encoding. URL encoding is used to bypass many filters and is probably blocked by any good filter, but we should try it anyway. Here are some URL encoded traversal strings...

Code:

dot %2e
forward slash %2f
backslash %5c

Ok, now we will talk about 16-bit Unicode encoding... Some 16-bit Unicode traversal strings are:
Code:

dot %u002e
forward slash %u2215
backslash %u2216

On to double URL encoding... Double URL encoding is basically what it sounds like: encoding the strings two times.

Code:

dot %252e
forward slash %252f
backslash %255c

Overlong encoding. This type of encoding is not very well known. I found it possible on some systems, but not on all of them. Basically, the characters are encoded in several different non-standard ways. This can confuse the filters and bypass them completely.

Code:

dot1  %c0%2e
dot2  %e0%40%ae
dot3  %c0ae  // Recognize this??? I used %c0%ae in the Server Request example earlier.
forward slash1  %c0%af
forward slash2  %e0%80%af
forward slash3  %c0%2f
backslash1  %c0%5c
backslash2  %c0%80%5c
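
Added example, not from the original tutorial: a defensive path check in Python showing how a download handler can canonicalise the doc= value before opening it, so that the /foo/../test.pdf probe from section 2a, the test strings from 2b and every encoded form listed in section 4 are rejected. The base directory /srv/docs, the function names and the decision to treat %u2215/%u2216 as separators are assumptions made for this example.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 4  # enough to undo double (and triple) URL encoding
# Separator look-alikes from the "16 bit unicode" list above (assumption).
_LOOKALIKES = {"\u2215": "/", "\u2216": "\\"}
_PERCENT_U = re.compile(rb"%u([0-9a-fA-F]{4})")


def decode_fully(raw: str) -> bytes:
    """Undo %XX and %uXXXX encoding until the value stops changing."""
    data = raw.encode("utf-8")
    for _ in range(MAX_DECODE_ROUNDS):
        step = _PERCENT_U.sub(
            lambda m: chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass"),
            data)
        step = unquote_to_bytes(step)
        if step == data:
            break
        data = step
    return data


def canonical_name(raw: str) -> str:
    """Decode a user-supplied file name to plain text, or raise ValueError."""
    data = decode_fully(raw)
    if b"\x00" in data:
        raise ValueError("embedded NUL byte")
    try:
        # Strict UTF-8 rejects the overlong forms (%c0%ae, %c0%af, ...) above.
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("overlong or invalid UTF-8") from exc
    for look, real in _LOOKALIKES.items():
        text = text.replace(look, real)
    return text.replace("\\", "/")  # Windows-style separators count too


def resolve_safe(base_dir: str, raw_name: str) -> Optional[str]:
    """Absolute path of raw_name inside base_dir (absolute), or None if it escapes."""
    base = posixpath.normpath(base_dir)
    try:
        name = canonical_name(raw_name)
    except ValueError:
        return None
    # join() drops base for an absolute name; normpath() collapses ../ chains.
    full = posixpath.normpath(posixpath.join(base, name))
    if full == base or posixpath.commonpath([base, full]) != base:
        return None
    return full
```

The check compares the fully normalised result against the base directory rather than searching the raw input for "../", which is why none of the encodings above can slip past it.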

.:End:.

This concludes my path traversal tutorial... Hope you liked it. Please leave comments and suggestions. Thanks...
