In web applications, directory traversal vulnerability is one of the most common vulnerabilities. This lab will introduce the fundamental principles of directory traversal vulnerability and demonstrate its exploitation methods through two hands-on experiments.
In this step, we will explore the basics of directory traversal vulnerability and how it can be exploited.
First, run the following command to quickly deploy the lab environment (skip if already deployed):
docker run -d -p 82:80 --name pentesterlab-WebforPentest-1 -it jewel591/vulnbox:pentesterlab-WebforPentest-1 /bin/sh -c 'service apache2 start && tail -f /var/log/apache2/error.log' --registry-mirror='https://registry.docker-cn.com'Open your web browser and navigate to the following address:
http://localhost:82You will see several icons under "Directory traversal". Right-click the icon labeled "Example1" and copy the image address.
Open a new browser tab and paste the copied address. The URL should look similar to this:
http://localhost:82/dirtrav/example1.php?file=hacker.pngThe key code in example1.php is as follows:
<?php
$UploadDir = '/var/www/files/';
$file = $_GET['file'];
$path = $UploadDir . $file;
$handle = fopen($path, 'rb');
?>As you can see, the $path variable is constructed by concatenating $UploadDir and $file without any filtering or validation. This allows us to read files outside the intended directory by modifying the file parameter.
Since the server is running on a Linux system, we can try to read the /etc/passwd file. First, try the following payload:
http://localhost:82/dirtrav/example1.php?file=/etc/passwdThere will be no output, as the file parameter specifies a relative path from the current directory. To access the /etc/passwd file, we need to use the ../ sequence to traverse up the directory structure. Try the following payload:
http://localhost:82/dirtrav/example1.php?file=../../../../../../../../etc/passwdYou should now see the contents of the /etc/passwd file displayed in the browser.
In this step, we will learn how to bypass restrictions imposed by the server to exploit the directory traversal vulnerability successfully.
Right-click the icon labeled "Example3" and copy the image address. Open a new browser tab and paste the copied address.
Try to read the /etc/passwd file using the previous method, but it should fail.
Let's examine the example3.php code to understand the reason:
<?php
$UploadDir = '/var/www/files/';
if (!(isset($_GET['file'])))
die();
$file = $_GET['file'];
$path = $UploadDir . $file.".png";
$path = preg_replace('/\x00.*/',"",$path);
if (!is_file($path))
die();
$handle = fopen($path, 'rb');
?>The key line is:
$path = $UploadDir . $file.".png";The server automatically appends the .png extension to the file parameter, effectively changing the accessed file to /etc/passwd.png, which doesn't exist.
To bypass this restriction, we can use the classic %00 null byte truncation technique:
http://localhost:82/dirtrav/example3.php?file=../../../../etc/passwd%00The %00 null byte truncates the .png extension, allowing us to read the contents of the /etc/passwd file successfully.
In this lab, we explored the principles of directory traversal vulnerability and learned how to exploit it through hands-on experiments. We also covered techniques to bypass restrictions imposed by the server. This vulnerability can be used to gain valuable information about the server, such as user accounts, running services, and database credentials, which can aid in the information gathering phase of a penetration test.