Path Traversal


What if we can travel everywhere in the Web Server?


Introduction - What is Path Traversal?


Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.
This might include application code and data, credentials for back-end systems, and sensitive files such as /etc/passwd or /etc/shadow on the server running the web application.

Note: this vulnerability only appears in file-based programming languages such as PHP; route-based programming languages such as NodeJS, ASP and Golang are not affected by this vulnerability.

Requirement


To get the most out of learning this vulnerability, you should have basic knowledge of Linux commands. For this module in particular, you should be comfortable with the Linux navigation commands.


For more information: Navigating your filesystem in the Linux Terminal

If you have learned about this vulnerability before, why not go and solve my challenges here?

Let's make an example


From the developer's point of view: if you were a developer in the real world, there would be cases where you have to assign a path value for something like a picture or a script file.
Let me introduce some ways of using path info in PHP:

  • Read and show an available file on the system:
 <?php
 $path = './image/my-document.txt';
 readfile($path);
 ?>

  • Read and execute an available php script on the server:
 <?php
 // Hyphens are not valid in PHP variable names, so use an underscore
 $available_php = './php-script/my-script.php';
 include($available_php);
 ?>

The PHP examples above only use fixed paths hard-coded by the developer. So what if untrusted data ends up in the path info?

The devil comes..


Let's take a look at the code:

 <?php
 // Vulnerable: user input is concatenated into the path passed to include()
 $available_php = './php-script/my-script.php' . $_GET['user_input'];
 include($available_php);
 ?>

Note that:

  • The dot (.) in the script is PHP's string concatenation operator

As you can see, the $available_php variable is now also controlled by the user, and it is then passed into the include function, which is really dangerous when it receives attacker-controlled input.

From now on, the attacker can control the path info using Linux navigation sequences and execute any PHP they want (note that this is only the most severe consequence of this vulnerability; you don't always achieve this RCE in the real world, and the vulnerability has other consequences as well).
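
A defensive counterpart to the vulnerable include above, as an added example that is not part of the original page: canonicalize the requested path with realpath() and accept it only if it still sits inside the intended directory. The function name resolve_script, the temporary directory layout and the sample inputs are assumptions constructed for this demo.

```php
<?php
// Hypothetical helper: returns the canonical path of a .php file inside
// $baseDir, or null if the request is missing, escapes $baseDir, or is not .php.
function resolve_script(string $baseDir, string $userInput): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false for missing targets.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so a sibling such as
    // "php-script-old" cannot pass as being inside "php-script".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only files with a .php extension are eligible for include().
    return pathinfo($target, PATHINFO_EXTENSION) === 'php' ? $target : null;
}

// Constructed sandbox so the demo runs offline and touches no real files.
$root = sys_get_temp_dir() . '/pt-demo-' . bin2hex(random_bytes(4));
mkdir("$root/php-script", 0700, true);
file_put_contents("$root/php-script/my-script.php", "<?php echo 'ok';");
file_put_contents("$root/secret.txt", "outside the base directory");

// Constructed inputs: a normal name, an escape, a detour that ends inside, a missing file.
$inputs = ['my-script.php', '../secret.txt', './../php-script/my-script.php', 'missing.php'];
foreach ($inputs as $input) {
    $resolved = resolve_script("$root/php-script", $input);
    printf("%-32s => %s\n", $input, $resolved === null ? 'rejected' : 'allowed');
}
```

The decision is made on the canonical path rather than on the presence of ".." in the input, which is why the third input is accepted while the second is rejected. In an application, include() would be called only on a non-null return value.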




Okay that's enough for the theory, let's experience the hacking techniques

CTFd Platform