In the simplest terms, the path traversal vulnerability involves gaining access to files and folders that should not be accessible to us. This is done by manipulating parameters, e.g. by supplying "../../" as their value. The result is not only disclosure of confidential data or configuration files; in extreme cases it leads to remote code execution, as we will see later in the article.
Sites protect themselves against such vulnerabilities with software such as a WAF, among other measures. Ill-considered and poorly implemented protections can be circumvented with the following sample payloads. The arrow shows what each payload decodes to.
- %2e%2e%2f -> ../
- %2e%2e/ -> ../
- ..%2f -> ../
- %2e%2e%5c -> ..\
- %2e%2e\ -> ..\
- ..%5c -> ..\
- %252e%252e%255c -> ..\
- ..%255c -> ..\
Despite its age, and although protections against path traversal are relatively simple to implement, we still encounter the vulnerability in both older and newer technologies. Here are some examples that demonstrate this.
Improper validation of passed parameters
Let us start with a simple example. A pentester describes a site running Node.js and Express in which one of the endpoints passed every user-supplied parameter to the server-side rendered page. It used the hbs template engine for this, which does not validate the parameters passed to it, so the attacker could use the optional "layout" parameter to exploit a path traversal vulnerability. Details of the finding can be read in the write-up listed under Sources.
Open redirect + path traversal = SSRF
An example in which the researcher first finds an open redirect vulnerability and then a path traversal vulnerability in one of the endpoint parameters. Chained together, the two ultimately result in SSRF.
Remote code execution in the kramdown library
Kramdown is a library written in Ruby that parses and converts text written in the Markdown markup language. It is used by, among others, GitHub Pages, Jekyll and GitLab. In the linked article the pentester describes incorrect validation of the characters accepted as arguments, which led to a path traversal attack that subsequently allowed remote code execution.
Automation
How can finding these vulnerabilities be automated? There are many options; we personally suggest dot2moon. How is it used? With the default wordlist shipped with the tool, the command looks as follows:
python3 dot2moon.py -u https://host:port?key= -w wordlists/wl.txt
Sources
https://owasp.org/www-community/attacks/Path_Traversal
https://github.com/jcesarstef/dotdotslash
https://arjunshibu.tech/intro-to-open-source-bug-bounty/
https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/
https://ninetyn1ne.github.io/2020-10-05-open-redir-to-ato/
https://devcraft.io/2020/10/20/github-pages-multiple-rces-via-kramdown-config.html