Continuing with the series of web for pentesters 1 walk-through, this post will focus on directory traversal and file include exercises in the ISO. Let’s start off with what these attacks are and how they can be prevented. First off what is a directory traversal attack? In basic terms, this attack allows someone to view files outside of the web application directory, i.e view the shadow file of the web server. You can prevent this by validating user input and URL’s returned to the server ( more info here).
File inclusion is uploading a file to the server, in a file type that wasn’t intended, like uploading a bash script disguised as a text file. This type of exploit can lead to attacks like cross-site scripting (more info here). You can prevent this by validating the files uploaded by the user (running theme with a lot of exploits).
As per usual, pentesterlabs has a very good explanation of theses exploits in the course section for this ISO. So with out further delay, here are some sample answers:
wget -0 – ‘http://<vmip>/dirtrav/example1.php?file=../../../../../../../etc/passwd’ > e1.txt
outputs the contents into file e1.txt
You could also put the link directly into the browser and have it display the passwd file.
example2.php?file=/var/www/file/../../../etc/passwd’ > e2.txt
outputs the contents into file e2.txt
Use this link from pentesterslab to test for file inclusion
This will display the php info page.
Append a URL encoded null byte to the end of the string and it will display the php info page.