EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: manoj9372 on November 01, 2010, 12:26:56 AM



Title: exploiting vulnerable http methods and ./ directory traversal ?
Post by: manoj9372 on November 01, 2010, 12:26:56 AM
I have been scanning a target, aka a website, with some pen-testing tools,
and I have found that the website is using or supporting many HTTP methods other than HTTP GET and POST.


Is it really vulnerable to exploitation?

If yes, how do I exploit these methods "properly"?

Also I want to know how I can "manually" find out whether a site is vulnerable to ./ directory traversal attacks. I know this can be easily done with "Acunetix v6 and 7" and some other scanners,

but I just want to know how to find those vulnerabilities manually.

Because this is my personal belief ;D (I just don't want to be dependent on, or limit myself to, using tools.)

Is it possible to do?

Looking for some guidance....





Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: dante on November 01, 2010, 09:44:36 AM
If it's TRACE enabled, then you might want to check on Cross-Site Tracing:
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

If it's CONNECT enabled, then you might want to check on HTTP CONNECT tunneling.

You can manually find the vulnerability if you have the source, or sometimes by guessing/experience. I can give you a quick look at how it's done manually.

If you have the source, let's take PHP, you look for include "<filename>" where filename is obtained as input from the client, usually as a GET/POST parameter. This is almost always the condition for directory traversal. You then replace filename with "../../../../etc/passwd" and check if it's vulnerable to directory traversal attacks.

The guessing knowledge is usually obtained from experience, like you get to know that sometimes people dynamically include stylesheets based on user input. But it is not possible to check all possible scenarios manually. Hence the tools. In order to obtain that kind of knowledge, check the heuristics used by the tool for detecting directory traversal vulnerabilities.
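As an added example (not code from the thread or from any of the posters), the following script takes the first half of dante's reply one step further: it parses the Allow header a server returns to an OPTIONS request and reports which advertised methods go beyond GET/POST, flagging TRACE and CONNECT with the follow-up each one calls for. The response string is constructed for the demo, not captured from a real server; the host used by fetch_options is whatever server you administer and want to verify.

```python
"""Added example (not from the thread): parse the Allow header of an HTTP
OPTIONS response and report which advertised methods go beyond GET/POST,
flagging the two dante's reply singles out. SAMPLE_RESPONSE is constructed."""
import http.client

# Methods dante's reply names, with the follow-up each one calls for.
RISKY_METHODS = {
    "TRACE": "Cross-Site Tracing (XST) check; disable with Apache 'TraceEnable off'",
    "CONNECT": "server may be tunnelling as a forward proxy; review proxy configuration",
}
# What a plain web application normally needs to expose.
EXPECTED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}


def parse_allow_header(raw_response):
    """Return the set of methods listed in the Allow header of a raw HTTP
    response, upper-cased; an empty set if the header is absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def assess_methods(raw_response):
    """Summarise an OPTIONS response: everything advertised, what is beyond
    the expected set, and the risky entries with their follow-up."""
    allowed = parse_allow_header(raw_response)
    return {
        "allowed": sorted(allowed),
        "beyond_expected": sorted(allowed - EXPECTED_METHODS),
        "risky": {m: RISKY_METHODS[m] for m in sorted(allowed) if m in RISKY_METHODS},
    }


def fetch_options(host, port=80, timeout=5):
    """Ask a server you administer for its method list (OPTIONS *) and build
    the same raw string the parser expects. Not exercised by the demo."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "*")
        resp = conn.getresponse()
        allow = resp.getheader("Allow") or ""
    finally:
        conn.close()
    return f"HTTP/1.1 {resp.status} {resp.reason}\r\nAllow: {allow}\r\n\r\n"


# Constructed response for the demo: a server that still has TRACE switched on.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Nov 2010 09:44:36 GMT\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    report = assess_methods(SAMPLE_RESPONSE)
    print("advertised:", ", ".join(report["allowed"]))
    print("beyond GET/POST/HEAD/OPTIONS:", ", ".join(report["beyond_expected"]) or "none")
    for method, note in report["risky"].items():
        print(f"  {method}: {note}")
```

The point of separating "beyond expected" from "risky" is that an extra method such as PUT or DELETE is not a finding by itself (a REST API legitimately advertises them), whereas TRACE and CONNECT almost never belong on an application server and each has a specific remediation.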


Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: H1t M0nk3y on November 01, 2010, 11:54:19 AM
dante is right, it is quite tedious to find directory traversal manually. You have to try many combinations, like this on a Linux/Unix machine:
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

But it may not work (most probably it won't). You then search for /cgi-bin, /scripts, FrontPage stuff, etc.

If I were you, I would use nikto and sniff all its requests. You will have hours of pure pleasure learning about possible URIs!  ;)
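To show why the ladder of ../ depths above has to be tried one level at a time, and what the fix looks like, here is an added example that is not code from the thread: the include-<filename> pattern dante describes, written as an unsafe path resolver beside a safe one. It uses posixpath so it runs on any OS without touching a real filesystem; WEB_ROOT and the file names are assumed values for the demo.

```python
"""Added example (not from the thread): an unsafe path resolver of the
include-<filename> shape beside a containment-checked one, exercised with the
six '../' depths listed in the thread. WEB_ROOT is an assumed directory."""
import posixpath

# Assumed directory the application serves its templates from (depth 4).
WEB_ROOT = "/var/www/app/templates"


def resolve_unsafe(user_path, root=WEB_ROOT):
    """Vulnerable shape: the filename from the request is joined to the root
    and normalised, but nothing checks that the result is still under root.
    join() also discards root entirely when user_path is absolute."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_safe(user_path, root=WEB_ROOT):
    """Defensive shape: canonicalise first, then require containment.
    Returns the resolved path, or None when it leaves root. On a live system
    use os.path.realpath so symlinks are resolved before the check."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def compare_depths(filename="etc/passwd", max_depth=6, root=WEB_ROOT):
    """Walk the '../' ladder one level at a time and record what each
    resolver does. The unsafe resolver leaves the template directory at every
    depth but only reaches the real /etc/passwd once the number of '..'
    matches the depth of root (4 here); the safe one rejects all of them."""
    results = {}
    for depth in range(1, max_depth + 1):
        probe = "../" * depth + filename
        results[probe] = {
            "unsafe": resolve_unsafe(probe, root),
            "safe": resolve_safe(probe, root),
        }
    return results


if __name__ == "__main__":
    for probe, outcome in compare_depths().items():
        print(f"{probe:32} unsafe -> {outcome['unsafe']:28} safe -> {outcome['safe']}")
    print("style.css            ->", resolve_safe("style.css"))
    print("themes/../default.css ->", resolve_safe("themes/../default.css"))
    print("/etc/passwd          ->", resolve_safe("/etc/passwd"))
```

Two things the output makes visible: depths 1 to 3 already escape the templates directory (they just land somewhere else under /var/www), which is why a scanner cannot stop at the first depth that fails, and the containment check does not care about depth at all because it compares the canonical result against the root rather than inspecting the input for ".." strings.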





Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: MaXe on November 01, 2010, 03:31:10 PM
Sometimes, .. or perhaps .. is filtered, and therefore a custom "bypass" usually has to be made, though if it's exploitable, then it's relatively simple. Just a heads up that not all directory traversal vulnerabilities are like ../../../etc/passwd  :)


Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: manoj9372 on November 02, 2010, 03:00:49 AM
Quote:
If it's TRACE enabled, then you might want to check on Cross-Site Tracing:
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

If it's CONNECT enabled, then you might want to check on HTTP CONNECT tunneling.

You can manually find the vulnerability if you have the source, or sometimes by guessing/experience. I can give you a quick look at how it's done manually.

If you have the source, let's take PHP, you look for include "<filename>" where filename is obtained as input from the client, usually as a GET/POST parameter. This is almost always the condition for directory traversal. You then replace filename with "../../../../etc/passwd" and check if it's vulnerable to directory traversal attacks.

The guessing knowledge is usually obtained from experience, like you get to know that sometimes people dynamically include stylesheets based on user input. But it is not possible to check all possible scenarios manually. Hence the tools. In order to obtain that kind of knowledge, check the heuristics used by the tool for detecting directory traversal vulnerabilities.


Yes sir, but I don't have the source code of the web page, but I know what kind of "language" it is coded in.

I also believe they have security mechanisms like "URL filtering" or "query filtering technologies" to restrict those things. Also, I am not just looking to get the "password", because most sites protect their server's password file by using "shadow guard". Also, sir, do you have any suggestions for learning these specific attacks "manually"?


Quote:
dante is right, it is quite tedious to find directory traversal manually. You have to try many combinations, like this on a Linux/Unix machine:
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

But it may not work (most probably it won't). You then search for /cgi-bin, /scripts, FrontPage stuff, etc.

If I were you, I would use nikto and sniff all its requests. You will have hours of pure pleasure learning about possible URIs!

Looks like a good suggestion, but before using those kinds of tools, I am trying to understand their working logic, because I am looking forward to improving my knowledge. Also, can you tell me, other than "grabbing" passwords, what else we can do with this directory traversal?

Just viewing directories?


If possible, tell me, sir :)


Quote:
Sometimes, .. or perhaps .. is filtered, and therefore a custom "bypass" usually has to be made, though if it's exploitable, then it's relatively simple. Just a heads up that not all directory traversal vulnerabilities are like ../../../etc/passwd

Yes, still there should be ways to bypass "query filtering", for example if / is filtered by the target we can bypass it by including "/" like this.

Also I am looking forward to learning directory traversals other than this "../../../etc/passwd" :)


Anyway, thanks for answering my questions :)


Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: H1t M0nk3y on November 02, 2010, 07:31:59 AM
I think that what MaXe is referring to is URL encoding.

So:
../../../etc/passwd
     Might look like:
..%2F..%2F..%2Fetc%2Fpasswd

Plenty of resources on the web!!
 

Also,
/etc/passwd contains usernames and not passwords! /etc/shadow contains the hashed passwords on Linux/Unix systems.  ;)
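An added example, not code from the thread or its posters, that turns the two points made above into something a defender can run: MaXe's remark that a filter on ".." is not the end of the story, and H1t M0nk3y's note that the same path can arrive as ..%2F..%2F. The detector percent-decodes a request target before looking for a parent-directory segment, so the plain and the URL-encoded spellings trip the same rule, while a naive substring check on the raw line does not. The log lines are constructed in Apache combined-log shape for the demo; they are not real traffic.

```python
"""Added example (not from the thread): decode-then-check traversal detection
run over constructed web-server log lines, beside a raw-substring filter for
comparison. SAMPLE_LOG is constructed, not captured traffic."""
import re
from urllib.parse import parse_qsl, unquote

# Apache combined-log shape: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)


def canonicalize(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), then treat
    backslashes as slashes, so the check below sees a single spelling."""
    cur, prev, rounds = value, None, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur.replace("\\", "/")


def has_parent_segment(value):
    """True when a whole path segment is '..'. Matching on segments rather
    than on the substring '..' keeps names like 'report..pdf' clean."""
    return any(seg == ".." for seg in canonicalize(value).split("/"))


def is_traversal_attempt(target):
    """Check the path and every query-string value of a request target."""
    path, _, query = target.partition("?")
    if has_parent_segment(path):
        return True
    return any(has_parent_segment(v) for _, v in parse_qsl(query, keep_blank_values=True))


def raw_substring_filter(line):
    """The weaker rule for comparison: looks for '../' in the raw text only,
    so any encoded spelling slips past it."""
    return "../" in line


def scan_log(lines):
    """Return (ip, target) for every parseable line that trips the
    decode-then-check rule; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample lines: one clean request, the plain and encoded forms of
# the same probe, a benign name containing '..', and an encoded '..' in a path.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Nov/2010:07:31:59 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 1532',
    '10.0.0.7 - - [02/Nov/2010:07:32:10 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [02/Nov/2010:07:32:15 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [02/Nov/2010:07:33:02 +0000] "GET /docs/report..pdf HTTP/1.1" 200 88120',
    '10.0.0.9 - - [02/Nov/2010:07:33:40 +0000] "GET /css/..%2Fdefault.css HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
    raw_hits = sum(raw_substring_filter(line) for line in SAMPLE_LOG)
    print(f"decode-then-check flagged {len(scan_log(SAMPLE_LOG))} lines; raw '../' filter flagged {raw_hits}")
```

The same ordering (canonicalise, then decide) is what the application itself should do before it touches the filesystem; a filter that inspects the raw string and strips or rejects ".." is checking a spelling rather than a meaning, which is the gap the thread is circling around.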


Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: MaXe on November 02, 2010, 10:01:03 AM
Quote:
I think that what MaXe is referring to is URL encoding.

So:
../../../etc/passwd
     Might look like:
..%2F..%2F..%2Fetc%2Fpasswd

Plenty of resources on the web!!
 

Also,
/etc/passwd contains usernames and not passwords! /etc/shadow contains the hashed passwords on Linux/Unix systems.  ;)

Partly yes, but take a look at Exploit-DB and my youtube channel (maxel3g3nd) this or next week, there's going to be something about this  :)

But on topic, URL encoding can be useful in some directory traversal scenarios, but in some cases you need to bypass it, all depending on how the target application code is written  ;)

Thanks for clarifying most of what I meant and as you mentioned, there's plenty of resources :-)


Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: H1t M0nk3y on November 02, 2010, 12:07:21 PM
Thanks MaXe, I just subscribed to your YouTube Channel.

I am looking forward to your demo...


Title: Re: exploiting vulnerable http methods and ./ directory traversal ?
Post by: MaXe on November 02, 2010, 02:28:21 PM
Quote:
Thanks MaXe, I just subscribed to your YouTube Channel.

I am looking forward to your demo...

Awesome!  ;D You'll like it, after all it's free and realistic  :)