
Hack a website through directory traversal attacks?

Posted by VdoCity Tuesday, September 20, 2011

What is the web server root directory?


This is a specific directory on the server where the web content is placed and can be viewed by visitors to the site. Directories other than the root may contain sensitive information that the administrator does not want visitors to see. Everything accessible to visitors of a website is placed in the root directory. A visitor cannot leave the root directory.

What does ../ or ..\ (dot dot slash) mean?

The ..\ tells the system to move up one directory. For example, suppose we are in C:\xx\yy\zz. Typing ..\ would take us to C:\xx\yy.

Typing ..\ once more, we reach C:\xx.

Let's go back to the location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in the folder xx. We can write ..\..\abc.txt. Writing ..\ twice takes us up two directories (to the xx directory), where abc.txt is placed.

Note: Use ..\ on Windows and ../ on UNIX-like operating systems.

What is a Directory Traversal attack?

Directory traversal is an HTTP exploit that allows attackers to access restricted directories and execute commands outside the web server root directory.

The aim of this attack is to access sensitive files placed outside the web server root directory by using dot dot slash.

The following example will make everything clear

Visit this web site vulnerable to directory traversal attacks

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php


This web server is running on a UNIX operating system. On UNIX/Linux there is an 'etc' directory containing the configuration files of the programs running on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile and sbin.

The file etc/passwd contains the login names and even the passwords too.

We will try to access this file by getting out of the web server root directory. Look carefully at the position of the directories on the web server.

We do not know the real names and contents of the directories, except for 'etc', which is the default name, so I have marked them as A, B, C, E, or whatever.

We are in directory F when accessing the web pages of the website.


Let's type this into the URL field and press Enter

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd


This will search for the 'etc' directory in F. But obviously there is nothing like this in F, so it will not return anything.

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd

Now this steps up one directory (to directory E) and searches for 'etc', but again it does not return anything.

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd


Now this steps up two directories (to directory D) and searches for 'etc', but again it does not return anything.

Continuing in this way, we arrive at the following URL

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd


That takes us up five directories to the main drive, then into the 'etc' directory, and shows us the contents of 'passwd'.
To understand the contents of 'passwd', visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format


You can also view etc/profile, etc/services and many other files, such as backup files that may contain sensitive data. Some files like etc/shadow cannot be accessed, since they are only accessible to privileged users.

Note: If proc/self/environ is accessible, a shell can be uploaded to the server; this is called local file inclusion.


Countermeasures

1. Use the latest version of the web server software.
2. Filter user input effectively.
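
An added example (not from the original post) of the user input filter in measure 2, written in Python on the assumption that the `page` value is mapped to a file under the web root. The function names, the D/E/F layout and the sample files are constructed for illustration; the unchecked join is shown beside a version that resolves the path first and then checks that it is still inside the root.

```python
import os
import tempfile

def naive_resolve(web_root, page):
    """Vulnerable pattern: the request value is joined to the root unchecked."""
    return os.path.normpath(os.path.join(web_root, page))

def safe_resolve(web_root, page):
    """Return the real path for `page`, or raise ValueError if it leaves web_root."""
    if "\x00" in page or "\\" in page or os.path.isabs(page):
        raise ValueError("rejected: illegal character or absolute path")
    root = os.path.realpath(web_root)
    # realpath collapses every ../ and follows symlinks *before* the check
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("rejected: path leaves the web root")
    if not os.path.isfile(target):
        raise ValueError("rejected: no such page")
    return target

def build_sample_tree():
    """Constructed layout: <tmp>/etc/passwd lies outside the web root <tmp>/D/E/F."""
    base = os.path.realpath(tempfile.mkdtemp())
    web_root = os.path.join(base, "D", "E", "F")
    os.makedirs(web_root)
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(web_root, "notification.php"), "w") as f:
        f.write("<?php /* constructed sample page */ ?>")
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("constructed:x:1000:1000::/home/constructed:/bin/sh\n")
    return base, web_root

def check(web_root, page):
    """Return 'served' or the rejection reason for one request value."""
    try:
        safe_resolve(web_root, page)
        return "served"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    base, web_root = build_sample_tree()
    for page in ["notification.php", "etc/passwd", "../../../etc/passwd", "/etc/passwd"]:
        escaped = not naive_resolve(web_root, page).startswith(web_root + os.sep)
        print(f"{page!r:24} naive escapes root: {escaped!s:5} hardened: {check(web_root, page)}")
```

Where the set of pages is small and fixed, mapping the `page` value through an explicit allowlist of page names is stricter still than any path check.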
