On Cyber War
Directory traversal

Directory traversal allows an attacker to read files outside of the web root that should not be reachable through the web application. The attack results in information disclosure and becomes possible when user-supplied input is used to build a file path without proper validation.

Detection

Directory traversal vulnerabilities are often identified through the presence of file extensions in URLs.

10.14.2.55/menu.php?file=index.php

If the user input is not validated, we may be able to modify the file path using "../" or "..\" and then attempt to access system files that should not be accessible through the web application.

Linux - /etc/passwd
Windows - c:\boot.ini
Windows - c:\windows\win.ini
Windows - c:\windows\system32\drivers\etc\hosts

If input is validated, for example if dots and slashes are restricted, try URL, double URL, and Unicode encoding to bypass these filters.

URL encoding: %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd (../../../etc/passwd)
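The following is an added example (not code from this page or from its author) showing the defensive side of the checks above: a server-side resolver that decodes the `file` parameter, including the URL-encoded and double-URL-encoded forms, normalises it, and refuses any path that leaves the web root, plus a small scanner that applies the same logic to constructed access-log lines. The web root and log lines are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed web root for this example


def full_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %252e%252e%252f is also seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(user_path: str, root: str = WEB_ROOT):
    """Return the absolute path under `root` for `user_path`, or None when the
    decoded, normalised path would escape the web root."""
    decoded = full_decode(user_path).replace("\\", "/")  # treat ..\ like ../
    # Strip leading slashes so an absolute path cannot bypass the join.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed access-log lines modelled on the menu.php?file= pattern above.
SAMPLE_LOG = [
    '10.14.2.55 - - [01/Jan/2024:10:00:00 +0000] "GET /menu.php?file=index.php HTTP/1.1" 200 512',
    '10.14.2.55 - - [01/Jan/2024:10:00:05 +0000] "GET /menu.php?file=../../../etc/passwd HTTP/1.1" 200 2048',
    '10.14.2.55 - - [01/Jan/2024:10:00:09 +0000] "GET /menu.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048',
]

LOG_LINE = re.compile(r'"GET (?P<uri>\S+) HTTP/')


def scan_log(lines):
    """Return the request URIs whose `file` parameter escapes the web root."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        uri = m.group("uri")
        for pair in uri.partition("?")[2].split("&"):
            key, _, val = pair.partition("=")
            if key == "file" and safe_resolve(val) is None:
                hits.append(uri)
    return hits
```

Overlong UTF-8 forms of the dot and slash are not decoded by `unquote` and would need a separate normalisation step before the same check.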

Last updated 2 years ago