Hack a website using Directory Traversal attack
October 18, 2010, 8:33 PM
What is the root directory of a web server?
It is a specific directory on the server in which the web contents are placed and can be seen by website visitors. Directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible to a visitor on a website is placed in the root directory, and the visitor cannot step out of it.
What does ../ or ..\ (dot dot slash) mean?
The ..\ instructs the system to go one directory up. For example, suppose we are at this location: C:\xx\yy\zz. On typing ..\ we would reach C:\xx\yy. Typing ..\ again, we would reach C:\xx.
Let's go back to location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt. Typing ..\ two times takes us two directories up (that is, to directory xx), where abc.txt is placed.
Note: it is ..\ on Windows and ../ on UNIX-like operating systems.
What is a Directory Traversal attack?
Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory. The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.
The following example will make everything clear. Visit this website vulnerable to directory traversal attack
This web server is running on a UNIX-like operating system. There is a directory 'etc' on unix/linux which contains the configuration files of the programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile and sbin. The file etc/passwd contains the login names of users and even passwords. Let's try to access this file on the web server by stepping out of the root directory. Carefully see the position of the directories placed on the web server.
We do not know the actual names and contents of the directories except 'etc', which is a default name, so I have marked them as A, B, C, E or whatever. We are in directory F, accessing the web pages of the website. Let's type this in the URL field and press enter
Now this will step up two directories (to directory D) and look for 'etc', but again it will return nothing. So, proceeding like this, we go for this URL
It takes us 5 directories up to the main drive and then to the 'etc' directory, and shows us the contents of the 'passwd' file.
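The walk-through above comes down to one server-side mistake: the request path is joined onto the root directory and every dot dot segment is allowed to climb, so enough of them reach the drive and then 'etc'. The following is an added example, not code from this post, showing the same climb against a constructed directory tree (a temporary folder with srv/www/html as the web root and an etc/passwd file three levels above it; the tree, file names and the passwd line are made up for the demo). resolve_naive is the vulnerable resolver that the post's URL trick works against; resolve_safe canonicalises the path with os.path.realpath and refuses anything whose canonical form is not inside the root.

```python
import os
import tempfile


def build_fixture():
    """Create a constructed directory tree for the demo (not a real server layout):
    <base>/srv/www/html is the web root, <base>/etc/passwd is a file outside it."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "srv", "www", "html")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "w") as f:
        f.write("<h1>public page</h1>")
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(base, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    return base, web_root


def resolve_naive(web_root, requested):
    """Vulnerable resolver: joins the request path onto the web root and lets
    every '..' segment climb one directory, including above the root."""
    return os.path.normpath(os.path.join(web_root, requested.lstrip("/")))


def resolve_safe(web_root, requested):
    """Hardened resolver: canonicalise both paths (collapsing '..' and symlinks),
    then refuse anything whose canonical form does not sit under the root."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the root: treat as forbidden
    return candidate


def serve(resolver, web_root, requested):
    """Minimal static-file handler returning (status, body)."""
    path = resolver(web_root, requested)
    if path is None:
        return 403, ""
    if not os.path.isfile(path):
        return 404, ""
    with open(path) as f:
        return 200, f.read()


def demo():
    """Run the same two requests through both resolvers and collect the outcomes."""
    _base, web_root = build_fixture()
    # three '..' climb from html -> www -> srv -> base, then into etc/
    traversal = "../../../etc/passwd"
    return {
        "naive_index": serve(resolve_naive, web_root, "index.html")[0],
        "naive_traversal": serve(resolve_naive, web_root, traversal),
        "safe_index": serve(resolve_safe, web_root, "index.html")[0],
        "safe_traversal": serve(resolve_safe, web_root, traversal)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The check in resolve_safe is done on the canonical path rather than on the raw request string, so it also catches the case where a symlink inside the root points outside it, which a plain string filter for ".." would miss. Both resolvers still serve index.html normally; only the climbing request is turned into a 403.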
To understand the contents of the 'passwd' file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format.
You can also view etc/profile, etc/services and many other files, like backup files, which may contain sensitive data. Some files like etc/shadow may not be accessible because they are accessible only by privileged users.
Note: if proc/self/environ were accessible, you might upload a shell to the server; this is called Local File Inclusion.
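Every request like the ones above, whether it succeeded or not, lands in the web server's access log, so the same dot dot climb is easy to spot after the fact. The following is an added example, not part of this post, that runs a small detector over four constructed Common Log Format lines (the IP addresses, timestamps and sizes are made up). It walks the path segments with a depth counter rather than normalising, because a normaliser would silently drop the leading '..' and hide exactly the thing we want to flag; it also folds ..\ into ../ to cover the Windows form the post mentions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in Common Log Format (not from a real server).
LOG_LINES = [
    '203.0.113.7 - - [18/Oct/2010:20:33:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Oct/2010:20:33:05 +0000] "GET /images/../index.html HTTP/1.1" 200 512',
    '198.51.100.4 - - [18/Oct/2010:20:34:10 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1834',
    '198.51.100.4 - - [18/Oct/2010:20:34:12 +0000] "GET /..\\..\\..\\etc\\profile HTTP/1.1" 404 210',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one CLF line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def escapes_root(target):
    """True if the request path climbs above the document root at any point."""
    path = unquote(urlsplit(target).path)  # the server decodes before resolving, so do we
    path = path.replace("\\", "/")         # treat the Windows '..\' form like '../'
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:       # more '..' than directories entered: we left the root
                return True
        else:
            depth += 1
    return False


def scan(lines):
    """Return the parsed records whose path escapes the root, tagged by outcome."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not escapes_root(rec["target"]):
            continue
        # a 200 means the server actually handed the file out; anything else
        # is an attempt worth noting but not a confirmed disclosure
        rec["outcome"] = "served" if rec["status"] == 200 else "blocked-or-missing"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit["ip"], hit["status"], hit["outcome"], hit["target"])
```

Note that /images/../index.html is not flagged: it contains dot dot but never leaves the root, which is why counting depth is more useful than grepping for "..". In practice the two lines from 198.51.100.4 are the ones to act on, and the 200 on etc/passwd is the one that turns a probe into a confirmed disclosure.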