Path/Directory Traversal Attack (Explained + Filter Bypass Techniques)

Hello my fellow noob! Today we are going to learn what a Path/Directory Traversal attack is and the security risks associated with it.

Directory traversal is an attack that can give an attacker read-only access to directories and files lying on the web server.
It may sound like LFI, but it's different.
You can execute files with LFI, but you can't do the same with a directory traversal attack. As the name suggests, directory traversal gives access to directories as well as files, which isn't possible with LFI.

Directory/Path Traversal Attack: Detection

Look at these two URLs:

example.com/load.php?file=image.jpg
example.com/admin/uploads/images/image.jpg

Which one looks like a potential target to you? The first one? Good try.
Well, both of them can be targeted, like this:

example.com/load.php?file=../../secret/key.txt
example.com/admin/secret/key.txt

Umm, let's try a real-world example so you can understand better.
Here's a webpage which is prompting us for a download:

[screenshot: the download page]
Its URL is:

www.example.com/files/modules/upload/download.php?id=159

Now let's remove download.php?id=159 from the URL, so it becomes:

www.example.com/files/modules/upload/

Here we go!

Damn! Can you see that? We can upload files on the server right away.
Now let's shorten the URL even more:

www.example.com/files/modules/upload/

As soon as I visited this URL, I got redirected to the admin panel of this poor website.

Directory traversal is fun, isn't it?

Many directory traversal vulnerabilities may show up like this as well:

[screenshot: a URL ending in /download.php]

Now let's remove /download.php from the URL:

[screenshot: directory listing]

We have the index of their directories and files. We can browse through the file system by using this interface.

So this is the first case! We just altered the path present in the URL and got juicy pages!
Now let's take a look at the second case, a case where you have no idea about the path, just like with LFI.

example.com/view.php?load=lion.jpg

Exploitation of this kind of URL is the same as for LFI, so you can refer to my in-depth article about Local File Inclusion.
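Here is an added example (mine, not code from this post) of what the load.php?file= and view.php?load= cases look like from the developer's side: a loader that just glues the parameter onto a folder, next to one that resolves the full path first and refuses anything that ended up outside the folder or isn't an allowed file type. The directory tree, file names and contents are constructed for the demo; the function names and the allowed-extension set are my own.

```python
import os
import tempfile

ALLOWED_EXT = {".jpg", ".png"}   # what the loader is meant to serve (assumed policy)


def make_demo_tree():
    """Build a throwaway layout like the post's example site: an image folder
    served by the loader and a secret file three levels above it.
    Everything here is constructed for the demo."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "admin", "uploads", "images")
    os.makedirs(images)
    with open(os.path.join(images, "image.jpg"), "wb") as f:
        f.write(b"\xff\xd8 fake jpeg bytes")
    with open(os.path.join(images, "notes.txt"), "w") as f:
        f.write("not an image\n")
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(root, "secret", "key.txt"), "w") as f:
        f.write("TOP-SECRET-KEY\n")
    return root, images


def load_unsafe(base_dir, name):
    """The vulnerable pattern: glue the user value onto the folder and open it.
    Every ../ in `name` walks one level out of base_dir."""
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()


def load_safe(base_dir, name):
    """The hardened pattern: resolve the full path first, then refuse anything
    that ended up outside base_dir or is not an allowed file type.
    Returns the file bytes, or None when the request is rejected."""
    if "\x00" in name:                       # null byte: reject outright
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops base_dir when `name` is absolute, and realpath folds
    # every ../ and symlink, so `target` is what would really be opened.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None                          # escaped the folder
    if os.path.splitext(target)[1].lower() not in ALLOWED_EXT:
        return None                          # checked on the resolved name, not by appending
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root, images = make_demo_tree()
    for name in ("image.jpg", "../../../secret/key.txt"):
        print("unsafe", name, "->", load_unsafe(images, name)[:16])
        print("safe  ", name, "->", load_safe(images, name))
```

The point of the safe version is the order of operations: canonicalise, then compare against the base directory with a path-aware check (commonpath, not a string prefix test), then look at the extension of the resolved name. A filter that only appends ".jpg" to the raw string, or only strips "../" once, checks the wrong thing at the wrong time.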

Here are some techniques to bypass filters that aren't mentioned in that LFI article:

Try %2f instead of / and %5c instead of \
Try using 16-bit Unicode encoding (. = %u002e, / = %u2215, \ = %u2216)
Try double URL encoding (. = %252e, / = %252f, \ = %255c)
Try overlong UTF-8 Unicode encoding (. can be %c0%2e, %e0%40%ae, %c0ae; / can be %c0%af, %e0%80%af, %c0%2f, etc.; \ can be %c0%5c, %c0%80%5c)

Let's say there's a filter which appends .jpg to the end of the parameter value.
So example.com/view.php?load=lion
will be processed as example.com/view.php?load=lion.jpg
So /etc/passwd will be processed as /etc/passwd.jpg, which will result in an error.
We can bypass this by injecting a newline (%0a) or null byte (%00) character, like this:

example.com/view.php?load=lion%0a.jpg

If the filter is removing /, you can try // so the filter will be bypassed if it doesn't check recursively. You can use \ instead of / in the case of Windows.
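To show what the encodings listed above look like from the defensive side, here is an added detector (example code of mine, not from this post) that undoes each of those encodings, the way a tolerant server would, before checking a parameter for ../ segments, null bytes and newlines. It is the kind of check a WAF rule or a log-review script would run. The request lines are constructed samples, the function names are my own, and the folding of U+2215 and U+2216 onto / and \ follows the post's list and is an assumption about how a lenient server maps them.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines, not taken from any real server log.
SAMPLE_REQUESTS = [
    "GET /view.php?load=lion.jpg",
    "GET /load.php?file=../../secret/key.txt",
    "GET /load.php?file=..%2f..%2fsecret%2fkey.txt",
    "GET /load.php?file=..%252f..%252fsecret%252fkey.txt",
    "GET /load.php?file=..%c0%af..%c0%afetc%c0%afpasswd",
    "GET /load.php?file=..%u2215..%u2215etc%u2215passwd",
    "GET /view.php?load=..%2f..%2fetc%2fpasswd%00.jpg",
    "GET /view.php?load=lion%0a.jpg",
    "GET /admin/uploads/images/image.jpg",
]

# Assumed best-fit mapping of the two code points from the post onto ASCII.
_BEST_FIT = {"\u2215": "/", "\u2216": "\\"}


def _decode_u_escapes(s):
    """Expand %uXXXX escapes, folding U+2215/U+2216 onto '/' and '\\'."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return _BEST_FIT.get(ch, ch)
    return re.sub(r"%u([0-9a-fA-F]{4})", repl, s)


def _lenient_utf8(raw):
    """Decode UTF-8 the way a tolerant server does: an overlong sequence such
    as C0 AF or E0 80 AF collapses to the ASCII character it spells instead of
    being rejected. A strict decoder would raise here, which is the safe choice
    for a server; a detector has to mimic the lenient one to see what it saw."""
    out, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            width, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            width, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            width, cp = 4, b & 0x07
        else:                        # stray continuation byte: keep it as-is
            out.append(chr(b))
            i += 1
            continue
        tail = raw[i + 1:i + width]
        if len(tail) < width - 1:    # truncated sequence at end of input
            out.append(chr(b))
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += width
    return "".join(out)


def normalize(value, rounds=3):
    """Undo the encodings from the post until the value stops changing.
    Bounded so a deeply nested %2525... value cannot keep us busy forever."""
    cur = value
    for _ in range(rounds):
        nxt = _lenient_utf8(unquote_to_bytes(_decode_u_escapes(cur)))
        if nxt == cur:
            break
        cur = nxt
    return cur


_DOT_DOT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def classify(value):
    """Return the reasons a parameter value looks like traversal (empty = clean)."""
    decoded = normalize(value)
    reasons = []
    if _DOT_DOT.search(decoded):
        reasons.append("dot-dot segment")
    if "\x00" in decoded:
        reasons.append("null byte")
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline")
    if b"%" in unquote_to_bytes(value):   # still encoded after one pass
        reasons.append("double encoding")
    return reasons


def scan(lines):
    """Run classify() over every query parameter of each request line."""
    hits = []
    for line in lines:
        target = line.split(" ", 1)[1] if " " in line else line
        query = target.partition("?")[2]
        for pair in (query.split("&") if query else []):
            key, _, val = pair.partition("=")
            reasons = classify(val)
            if reasons:
                hits.append((line, key, reasons))
    return hits


if __name__ == "__main__":
    for line, key, reasons in scan(SAMPLE_REQUESTS):
        print(f"{line}  ->  {key}: {', '.join(reasons)}")
```

Two design points worth noting. The decoder is deliberately as sloppy as the servers these bypasses target, because a detector that decodes strictly will reject the overlong bytes and never see the ../ they spell. And the dot-dot check runs on the fully decoded value rather than on the raw string, which is why a single rule covers plain, percent-encoded, double-encoded, %u and overlong forms alike.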
So that's pretty much all that I had in my mind.
I hope you enjoyed this tutorial.
