exploiting vulnerable http methods and ./ directory traversal ?

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Mon Nov 01, 2010 12:26 am

exploiting vulnerable http methods and ./ directory traversal ?

I have been scanning a target (aka a website) with some pen-testing tools and I have found that the website is using or supporting many HTTP methods other than HTTP GET and POST.

Is it really vulnerable to exploitation?

If yes, how to exploit these methods "properly"?

Also I want to know how I can "manually" find whether a site is vulnerable to ./ directory traversal attacks. I know this can be easily done with "Acunetix v6 and 7" and some other scanners,

but I just want to know how to find those vulnerabilities manually?

Because this is my personal belief ;D (I just don't want to be dependent on or limit myself to using tools)

Is it possible to do?

Looking for some guidance....
dante

Jr. Member

Posts: 58

Joined: Wed Jul 21, 2010 10:17 pm

Post Mon Nov 01, 2010 9:44 am

Re: exploiting vulnerable http methods and ./ directory traversal ?

If it's TRACE enabled, then you might want to check on Cross Site Tracing
http://www.cgisecurity.com/whitehat-mir ... _ebook.pdf

If it's CONNECT enabled, then you might want to check on HTTP CONNECT tunneling.

You can manually find the vulnerability if you have the source or sometimes by guessing/experience. I can give you a quick look on how it's done manually.

If you have the source, let's take PHP, you look for include "<filename>" where filename is obtained as input from the client, usually as a GET/POST parameter. This is almost always the condition for directory traversal. You then replace filename with "../../../../etc/passwd" and check if it's vulnerable to directory traversal attacks.

The guessing knowledge is usually obtained from experience, like you get to know that sometimes people dynamically include stylesheets based on user input. But it is not possible to check all possible scenarios manually. Hence the tools. In order to obtain that kind of knowledge, check the heuristics used by the tool for detecting directory traversal vulnerabilities.
Last edited by dante on Mon Nov 01, 2010 10:24 am, edited 1 time in total.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Nov 01, 2010 11:54 am

Re: exploiting vulnerable http methods and ./ directory traversal ?

dante is right, it is quite tedious to find directory traversal manually. You have to try many combinations, like this on a Linux/Unix machine:
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

But it may not work (most probably it won't). You then search for /cgi-bin, /scripts, FrontPage stuff, etc.

If I were you, I would use nikto and sniff all its requests. You will have hours of pure pleasure learning about possible URIs!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Nov 01, 2010 3:31 pm

Re: exploiting vulnerable http methods and ./ directory traversal ?

Sometimes, .. or perhaps .. is filtered and therefore a custom "bypass" usually has to be made, though if it's exploitable, then it's relatively simple. Just a heads up that not all directory traversal vulnerabilities are like ../../../etc/passwd  :)
I'm an InterN0T'er
manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Tue Nov 02, 2010 3:00 am

Re: exploiting vulnerable http methods and ./ directory traversal ?

  Quote:
If its TRACE enabled, then you might want to check on Cross site Tracing
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

If its CONNECT enabled, then you might want to check on HTTP Connect tunneling.

You can manually find the vulnerability if you have the source or sometimes by guessing/experience. I can give you a quick look on how its done manually.

If you have the source, lets take php, you look for include "<filename>" where filename is obtained as input from the client usually as a get/post parameter. This is almost always the condition for directory traversal. You then replace filename with "../../../../etc/passwd" and check if its vulnerable to directory traversal attacks.

The guessing knowledge is usually obtained from experience like you get to know that sometimes people dynamically include stylesheets based on user input. But it is not possible to check all possible scenarios manually. Hence the tools. In order to obtain that kind of knowledge check the heuristics used by the tool for detecting directory traversal vulnerabilities.


Yes sir, but I don't have the source code of the web page, but I know what kind of "language" it is coded in...

I also believe they have security mechanisms like "URL filtering" or "query filtering technologies" to restrict those things. Also I am not just looking to get the "password", because most sites protect their server's password file by using "shadow guard". Also sir, do you have any suggestions for learning these specific attacks "manually"?


  Quote:
dante is right, it is quite tedious to find directory traversing manually. You have to try many combinations, like this on a Linux/Unix machine:
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

But it may not work (most probably it won't). You then search for /cgi-bin, /scripts, Front Page stuff, etc.

If I were you, I would use nikto and sniff all it's requests. You will have hours of pure pleasure learning about possible URI!


Looks like a good suggestion, but before using those kinds of tools I am trying to understand their working logic, because I am looking forward to improving my knowledge. Also, can you tell me, other than "grabbing" passwords, what else we can do with this directory traversal?

Just viewing directories?

If possible tell me sir :)


  Quote:
Sometimes, .. or perhaps .. is filtered and therefore a custom "bypass" usually has to be made though if it's exploitable, then it's relatively simple. Just a heads up that not all directory traversal vulnerabilities are like ../../../etc/passwd


Yes, still there should be ways to bypass "query filtering", for ex. if / is filtered by the target we can bypass it by including "/" like this .

Also I am looking forward to learning directory traversals other than this "../../../etc/passwd" :)


Anyway, thanks for answering my questions :)
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Nov 02, 2010 7:31 am

Re: exploiting vulnerable http methods and ./ directory traversal ?

I think that what MaXe is referring to is URL encoding.

So:
../../../etc/passwd
    might look like:
..%2F..%2F..%2Fetc%2Fpasswd

Plenty of resources on the web!!


Also,
/etc/passwd contains usernames and not passwords! /etc/shadow contains the hashed passwords on Linux/Unix systems.  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
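The two defensive checks that follow from dante's include pattern and caissyd's URL-encoding example, as an added Python example that is not from this thread: a decode-then-look-for-dot-dot heuristic of the kind scanner or log rules use, and the hardened resolution that refuses any client-supplied name escaping a base directory. The sample query values and the base directory /var/www/css are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample query values, not real traffic: a clean stylesheet name,
# dante's plain ../ form, and caissyd's URL-encoded form of the same path.
SAMPLE_VALUES = [
    "style.css",
    "../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so an encoded form
    cannot hide a dot-dot segment from the checks below."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """Scanner/log-rule heuristic: after decoding, does the value contain a
    '..' path segment or try to start at the filesystem root?"""
    decoded = fully_decode(value).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")


def safe_resolve(base_dir: str, requested: str):
    """Hardened replacement for include "<filename>": resolve the client-supplied
    name inside base_dir and return None for anything that would escape it."""
    base = posixpath.normpath(base_dir)
    decoded = fully_decode(requested).replace("\\", "/")
    if decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def flag_values(values):
    """Return the sample values a detection rule would flag."""
    return [v for v in values if is_traversal(v)]


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{v!r:32} flagged={is_traversal(v)} resolved={safe_resolve('/var/www/css', v)}")
```

Note that is_traversal flags a harmless "sub/../main.css" too, which is the right trade-off for a detection rule, while safe_resolve still accepts it because it stays under the base directory.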
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Nov 02, 2010 10:01 am

Re: exploiting vulnerable http methods and ./ directory traversal ?

H1t M0nk3y wrote: I think that what MaXe is refering to is URL encoding.

So:
../../../etc/passwd
     Might look like:
..%2F..%2F..%2Fetc%2Fpasswd

Plenty of resources on the web!!


Also,
/etc/passwd contains usernames and not passwords! /etc/shadow contains the hashed passwords on Linux/Unix systems.  ;)


Partly yes, but take a look at Exploit-DB and my YouTube channel (maxel3g3nd) this or next week, there's going to be something about this  :)

But on topic, URL encoding can be useful in some directory traversal scenarios, but in some cases you need to bypass it, all depending on how the target application code is written  ;)

Thanks for clarifying most of what I meant and, as you mentioned, there's plenty of resources :-)
I'm an InterN0T'er
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Nov 02, 2010 12:07 pm

Re: exploiting vulnerable http methods and ./ directory traversal ?

Thanks MaXe, I just subscribed to your YouTube Channel.

I am looking forward to your demo...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Nov 02, 2010 2:28 pm

Re: exploiting vulnerable http methods and ./ directory traversal ?

H1t M0nk3y wrote: Thanks MaXe, I just subscribed to your YouTube Channel.

I am looking forward to your demo...


Awesome!  ;D You'll like it, after all it's free and realistic  :)
I'm an InterN0T'er