Directory Traversal

Directory Traversal: This technique prints the content of a specified file. For example, if you load a file named "file.log," it will display the content of this log file. Essentially, this allows access to files beyond the web directory.

Way to identify:

# Example: 
http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd

There will be a parameter loading file. We can try payload to identify this vulnerability.

PayloadsAllTheThings/Directory Traversal at master · swisskyrepo/PayloadsAllTheThingsGitHub

PayloadsAllTheThings/Directory Traversal/Intruder at master · swisskyrepo/PayloadsAllTheThingsGitHub

We can use burp suite intruder to test all parameter at once.

Exploiting it.

We can check for sensitive files

/etc/passwd: contains user account details (Linux)
/etc/shadow: contains password hashes (Linux, if accessible)
C:\windows\system32\config\SAM: contains user password hashes (Windows)
C:\inetpub\wwwroot\web.config: potentially sensitive configuration data for web servers running on Windows
Windows host file location: C:\Windows\System32\drivers\etc\hosts

Reading Application files : /var/www/html/config.php

Reading and writing log file: /var/log/apache2/access.log

We can do log poisoning.

Check if you can combine this attack with LFI or RFI.

If there is an issue in SSH file then Check the format of the ssh file (Copy from kali terminal).

Give sufficient permission. (chmod 600 file_name)

Try encoding some part and use curl with --path-as-is

PreviousPS Reverse Shell Python base64 NextFetching SSH Private Key

Last updated 1 year ago

hashtagWay to identify:

hashtagExploiting it.

Way to identify:

Exploiting it.