Comprehensive Guide on Path Traversal


In our previous post, we explained the Local File Inclusion attack in detail, which you can read here. I recommend revisiting that article for a better understanding before going deeper into the path traversal vulnerability covered in this one.
Today, in this article, we will explore one of the most critical vulnerabilities, which arises when the developer does not validate the input passed to file inclusion functions in a web application, allowing an attacker to read any sensitive file from the server.

Table of Content
·         Introduction
·         Basic Path Traversal
·         Blocked Traversal Sequence
·         Validated Path Traversal
·         Path Disclosure in URL
·         Null Byte Bypass
·         Windows Server Path_Traversal Exploitation

Introduction
Path Traversal, sometimes also termed "Directory Traversal", is a web application vulnerability which allows an attacker to manipulate the application's URL in order to access files or directories that reside outside the application's root folder. This vulnerability arises when a developer fails to validate user input while including files such as images, static text, code, etc. in the web application.
In such attacks, the attacker supplies dot-dot-slash (../) sequences, or similar variations, to the application's input fields in order to escape the intended directory and access the desired system file.

Let's check out this scenario and learn how an attacker exploits the web application by grabbing the server's sensitive files.

Here, the user requests a file, index.php, through the web application's URL, i.e. http://abc.com/file=index.php. The application processes the URL and includes index.php, which is present locally in the server folder "RAJ", i.e. "/var/www/html/RAJ".


The developer uses this "include" functionality via the "file=" parameter with the simple intention of loading the file the user selects, so that the application can serve it directly from the local server.

Now the attacker manipulates the URL using the dot-dot-slash sequence, as http://abc.com/file=../../../../etc/passwd, in order to retrieve the contents of the server's password file.
The application again processes it and reads the file at /var/www/html/RAJ/../../../../etc/passwd. Every "../" means "back to the parent directory", so four "../" in a row take us from RAJ up to the root directory, from where the password file is simply reachable as etc/passwd.



Let's now try this in some real scenarios and check the different attack sequences beyond the plain dot-dot-slash.
For all of this, I'll be using two different platforms, the PortSwigger Academy and DVWA, which both contain path traversal vulnerabilities.

Basic Path Traversal

Log in to the PortSwigger Academy, scroll down to Directory Traversal to get into its labs, choose the first lab, "File path traversal, simple case", and hit the "Access the lab" button.
You'll be redirected to an e-commerce website which has several products in its catalogue and is suffering from a path traversal vulnerability.


Going further, I've opened a product and checked out its display image with a simple right-click and "View Image".
Now it's time to check what we can manipulate.
Set up Burp Suite to capture the ongoing HTTP request and send it to the Repeater.


In the GET request in the image above, you can notice filename=67.jpg; let's try to change this filename to
filename=../../../etc/passwd
Great!! From the image below, you can see that we've successfully grabbed the passwd file.



Blocked Traversal Sequence
There are situations where the developers block the traversal sequence, i.e. the dot-dot-slash or any similar sequence will not work.

On getting to the second lab, I ran into exactly that: the "../" sequence didn't work and I failed to capture the password file.
So let's capture this request again in our Burp Suite proxy.



From the image below, you can see that I've grabbed the request with filename=66.jpg, and will now send it all to the Repeater.


As we're blocked on the "../" sequence, let's try entering /etc/passwd without any preceding values.

Cool!! This worked; we got the passwd file with a direct absolute path.


Validated Path Traversal
Many developers validate their web applications so that if "../" appears in the URL, the request gets rejected. Thus when we tried both of the above procedures in our next lab, we got rejected and didn't get anything.
Therefore we capture the HTTP request in Burp Suite and send it to the Repeater.


This time we manipulate the filename parameter in the URL with "double dots followed by double slashes", i.e. "....//....//....//etc/passwd". A filter that strips "../" only once turns each "....//" back into "../", so the application ends up including ../../../etc/passwd.


Great!! From the image above, you can see that we've again captured the password file with this unusual technique.

When we jumped to the 4th lab, we found that the developers had added a validation which blocks any input containing a path traversal sequence.


Therefore, in order to bypass this validation, I've again captured the request and sent it to the Repeater to make some manipulations.


From the image below, you can see that I've manipulated the filename parameter in the URL and successfully accessed the password file with
filename=..%252f..%252f..%252fetc/passwd


Path Disclosure in URL
Isn't it great when you are told the exact number of back steps you need to perform in order to reach your desired file?
Path disclosure is the vulnerability where the URL exposes the complete path of the file it is serving, which allows the attacker to manipulate the URL and access system files with no effort.

Moving further to lab 5, we encountered an application that was offering us the complete path of the file.
We simply captured that request and sent it to the Repeater. From the image below, you can see that the filename parameter has the value "/var/www/images/21.jpg", which means the image is inside the images directory and the root directory is just 3 steps away from us.



As we now know the number of back steps needed to reach the password file, we do that as

filename=/var/www/images/../../../etc/passwd


Null Byte Bypass
Many developers append a '.php' extension in their code to the end of the requested variable before it gets included.
Therefore the web server interprets /etc/passwd as /etc/passwd.php, and we cannot access the file. In order to get rid of this .php, we try to terminate the variable with the null byte character (%00), which forces the PHP server to ignore everything after it as soon as it is interpreted.

As soon as we send the captured request to the Repeater, we'll try inserting this null byte character as discussed above.



So from the image below, you can see that we've again captured the password file by adding %00 to the URL as:
filename=../../../etc/passwd%00.jpg
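To see why the lab filters above fail and what a sound check looks like, here is an added example (not PortSwigger's or the labs' code) that models three weak checks in the style of those labs next to an allow-list check which decodes, resolves, and only then compares the result with the image root; IMAGE_ROOT and the payload names are assumptions, and the way open(2) stops at a NUL byte is modelled with a string split.

```python
import posixpath
import urllib.parse

# Constructed sample: the directory the image handler is meant to serve from.
IMAGE_ROOT = "/var/www/images"

# The parameter values used in the labs above (NUL written as an escape).
PAYLOADS = {
    "plain": "../../../etc/passwd",
    "absolute": "/etc/passwd",
    "nested": "....//....//....//etc/passwd",
    "double": "..%252f..%252f..%252fetc/passwd",
    "disclosed": "/var/www/images/../../../etc/passwd",
    "nul": "../../../etc/passwd\x00.jpg",
}

# --- Weak checks in the style of the lab filters (each one is bypassed) ---

def reject_if_contains_dotdot(name):
    """Blocklist on the raw parameter: misses '/etc/passwd' and '..%252f'."""
    return "../" not in name

def strip_dotdot_once(name):
    """Non-recursive sanitiser: '....//' collapses back to '../'."""
    return name.replace("../", "")

def require_jpg_suffix(name):
    """Suffix check on the Python string; the OS never sees past a NUL."""
    return name.endswith(".jpg")

def weak_resolve(name):
    """What the server ends up opening: join with the root (an absolute
    name discards the root) and cut at the first NUL, as open(2) does."""
    joined = posixpath.join(IMAGE_ROOT, name)
    return posixpath.normpath(joined.split("\x00", 1)[0])

# --- Allow-list check: decode, resolve, then compare against the root ---

def canonical_is_safe(name, root=IMAGE_ROOT):
    decoded = name
    for _ in range(3):                      # undo double/triple URL-encoding
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or posixpath.isabs(decoded) or "://" in decoded:
        return False
    # normpath keeps the example free of a real directory; a production
    # handler should resolve with os.path.realpath so symlinks are followed.
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    return resolved == root or resolved.startswith(root + "/")
```

Note that the canonical check accepts the "....//" payload: without the strip-once sanitiser it simply names a non-existent directory inside the root, so the danger there is created by the filter, not by the string.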


Windows Server Path_Traversal Exploitation
It's not guaranteed that every application we encounter runs on a Linux server; there is a chance our luck runs out and we end up with a Windows server.
Let's learn the different sequences and methods that can be used in such situations.

I have DVWA set up on my Windows machine. You can learn how to do this from here.

Now it's time to log in to the DVWA application as "admin: password" with the security level set to "low". Then choose the vulnerability "File Inclusion" from the left-hand panel.

As soon as we choose this, we'll be redirected to the web page which is suffering from the path traversal vulnerability.
Let's capture this request through Burp Suite and see what we can get from it.


From the image above, you can see that file.php is included via the page parameter. Let's send this all to the Repeater and try to play with this field.
In order to display a Windows file on the web application's screen, manipulate the page parameter with the following input.
page=C:/Windows/win.ini


From the image above, you can see that we've successfully retrieved the file in the Repeater. Now forward this request and check the result on the application's screen.


Whether the application is hosted on a Linux server or a Windows one, developers usually validate their web applications, but these validations are often much the same.
Let's check out some validations implemented by the developer and try to bypass them.

Double Dots with Forward and Backward Slashes
In order to keep the application secure against path traversal attacks, developers block some sequences such as "../", which thus get rejected automatically if entered in the URL.

Increase DVWA's security level and set it to "medium". Capture the request in Burp Suite and send everything directly to the Repeater.


From the image below, you can see that we've successfully bypassed this validation with dots followed by forward and backward slashes, and have again grabbed the "win.ini" file with the payload below. A filter that strips "../" turns each "..../\" into "..\", which Windows happily accepts as a step up to the parent directory.

page=..../\..../\..../\..../\..../\Windows/win.ini


Using a similar sequence you can capture other files present on the Windows system. From the image below, you can see that I've grabbed a flag, fi.php, which resides in the hackable folder, by simply manipulating the URL parameter as:
page=..../\..../\hackable/flags/fi.php



There are many situations where such tricks don't work, that is, the developer validates and blocks every possible sequence he can.
Let's find out whether there is any other way to get the "win.ini" file without resorting to the commonly used sequences.

Again go to the security option and set your DVWA application to high security.
Come back to the File Inclusion section and capture the request in Burp Suite.


Send the HTTP request to the Repeater tab and manipulate the page parameter in the URL with:
page=file://C:/Windows/win.ini
From the image below you can see that we have captured the "win.ini" file by entering the complete path to it, as a file:// URL, in the URL parameter.


Let's now try to capture the flag with the same procedure as:
page=file://C:/xampp\htdocs\dvwa\hackable\flags\fi.php
Great!! We have grabbed this hackable flag too.
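From the defender's side, every sequence used in this walkthrough is easy to spot in web server logs once URL decoding and separator differences are normalised away. The following added example (not from the original article or from DVWA) scans constructed access-log lines carrying the Linux and Windows parameter values shown above; the log format, request paths and rule names are assumptions.

```python
import re
import urllib.parse

# Constructed log lines (combined-log style, trimmed) with this page's payloads and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /image?filename=67.jpg HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /image?filename=../../../etc/passwd HTTP/1.1" 200 1412
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /image?filename=....//....//....//etc/passwd HTTP/1.1" 200 1412
10.0.0.5 - - [01/Jan/2020:10:00:04 +0000] "GET /image?filename=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1412
10.0.0.5 - - [01/Jan/2020:10:00:05 +0000] "GET /image?filename=/etc/passwd HTTP/1.1" 200 1412
10.0.0.5 - - [01/Jan/2020:10:00:06 +0000] "GET /image?filename=../../../etc/passwd%00.jpg HTTP/1.1" 200 1412
10.0.0.5 - - [01/Jan/2020:10:00:07 +0000] "GET /vulnerabilities/fi/?page=file.php HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2020:10:00:08 +0000] "GET /vulnerabilities/fi/?page=C:/Windows/win.ini HTTP/1.1" 200 92
10.0.0.5 - - [01/Jan/2020:10:00:09 +0000] "GET /vulnerabilities/fi/?page=..../\\..../\\..../\\..../\\..../\\Windows/win.ini HTTP/1.1" 200 92
10.0.0.5 - - [01/Jan/2020:10:00:10 +0000] "GET /vulnerabilities/fi/?page=file://C:/Windows/win.ini HTTP/1.1" 200 92
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Each rule is applied to the normalised value; names are this example's own.
RULES = [
    ("dot-dot-slash", lambda v: "../" in v),
    ("nul-byte", lambda v: "\x00" in v),
    ("url-scheme", lambda v: re.match(r"[a-zA-Z][a-zA-Z0-9+.-]*://", v) is not None),
    ("drive-letter", lambda v: re.match(r"[a-zA-Z]:/", v) is not None),
    ("absolute-path", lambda v: v.startswith("/")),   # tune if the app echoes full paths
]

def normalise(value):
    """Decode until stable, unify separators: '..%252f', '....//' and '..../\\' all expose '../'."""
    for _ in range(3):
        nxt = urllib.parse.unquote(value)
        if nxt == value:
            break
        value = nxt
    return value.replace("\\", "/")

def classify(value):
    """Names of the rules a normalised parameter value trips."""
    return [name for name, hit in RULES if hit(value)]

def scan_log(text):
    """Return (line_no, param, raw_value, reasons) for every suspicious request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urllib.parse.urlsplit(match.group("target")).query
        for param, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
            reasons = classify(normalise(raw))
            if reasons:
                findings.append((line_no, param, raw, reasons))
    return findings
```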

Forensic Investigation: Ghiro for Image Analysis


In this article, we will learn how we can use the Ghiro image analysis tool in a forensic investigation. Ghiro is a digital image forensics tool which is fully automated and open source.

Table of content
·         What is Ghiro?
·         Features of Ghiro
·         Setup the Ghiro
·         Working on case with Ghiro

What is Ghiro?

It is developed by Alessandro Tanasi (jekil) and Marco Buoncristiano (burlone). It is a fully automated tool designed to run forensic analysis over a massive number of images, using a user-friendly and fancy web application.
To know more about the Ghiro image analysis tool, click here.
Features of Ghiro

All Ghiro features are controlled via the web interface. We can upload an image, or a bunch of images, to get a quick and deep overview of the image analysis. We can group images into cases and search for any kind of analysis data.
The main features of Ghiro are:

·         Metadata Extraction: Image metadata is extracted and divided into several categories depending on the standard it comes from, e.g. EXIF, IPTC, XMP.

·         GPS Localization: Sometimes a geotag is embedded in the image metadata, a bit of GPS data providing the longitude and latitude of where the photo was taken; it is read and the position is displayed on a map.

·         MIME Information: The image MIME type is detected to know the image type we are dealing with, in both compact and extended form.

·         ELA: ELA stands for Error Level Analysis. It identifies areas within an image that are at different compression levels. The entire picture should be at roughly the same level; if a difference is detected, it likely indicates a digital modification.

·         Thumbnail Extraction: The thumbnails and data related to them are extracted from the image metadata and stored for review.

·         Thumbnail Consistency: Sometimes when a photo is edited the original image is changed but the thumbnail is not; differences between the thumbnail and the image are detected.

·         Signature Engine: Over 120 signatures provide evidence about the most critical data, to highlight focal points and common exposures.

·         Hash Matching: Suppose we are searching for an image and have only its hash value. We can provide a list of hashes, and all matching images are reported.
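To make the MIME detection, thumbnail extraction and hash matching features above concrete, here is an added example (not Ghiro's own code) that walks a JPEG's marker segments, pulls the embedded thumbnail out of the APP1/Exif segment, and checks the file against a supplied hash list; the JPEG bytes are constructed inline and carry no real picture.

```python
import hashlib
import struct

# Constructed minimal JPEG: SOI, one APP1/Exif segment whose payload carries a
# tiny embedded "thumbnail" (its own SOI..EOI), then EOI.  No real pixel data.
THUMB = b"\xff\xd8\xff\xd9"
EXIF_PAYLOAD = (b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08"   # id + TIFF header
                + b"\x00" * 8 + THUMB)                            # IFD stand-in + thumb
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe1" + struct.pack(">H", len(EXIF_PAYLOAD) + 2) + EXIF_PAYLOAD
               + b"\xff\xd9")

def detect_mime(data):
    """Magic-byte check, the MIME step Ghiro runs before any deeper analysis."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    return "application/octet-stream"

def jpeg_segments(data):
    """Walk the marker segments before SOS/EOI, yielding (marker, payload)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: metadata is over
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def extract_exif_thumbnail(data):
    """Return the JPEG embedded in the APP1/Exif segment, or None."""
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            start = payload.find(b"\xff\xd8", 6)
            end = payload.find(b"\xff\xd9", start + 2) if start != -1 else -1
            if end != -1:
                return payload[start:end + 2]
    return None

def digests(data):
    """The hash set Ghiro lists for a file (MD5 doubles as its display name)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def hash_matches(data, wanted):
    """Hash matching: which of the supplied hashes identify this file."""
    found = set(digests(data).values())
    return sorted(h for h in wanted if h.lower() in found)
```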

Setup the Ghiro
Now we need to set up Ghiro; we recommend the "OVA" version because it is the fastest way to start using it. After downloading it, in a few minutes you will have a fully functional Ghiro set up and ready to analyze our images.

To download the Ghiro image analysis tool, click here.
After opening this OVA file in VirtualBox or VMware, it will come up with a screen like this.
It shows us two details:
IP address: 192.168.0.7
We use this address to reach the Ghiro web interface.
The default credentials to log in to Ghiro are
Username: ghiro
Password: ghiromanager




Now we open that IP address in our browser to move further in the setup process.




Straight away we focus on the login screen and fill in the credentials. After filling in the details, click on the login button.




Now we can see that we have successfully set up Ghiro: the dashboard on the home screen says "welcome to Ghiro", which confirms that our setup is successful.

As we can see, it has one user, ghiro, through which we logged in to the software. At this initial point it shows zero cases and zero analyses left, because we have just set up the software.




Working with Ghiro
To start working with Ghiro for image analysis we need to click on Cases, where we can see that it is completely blank; then notice the [+] to add a case to this directory.




Now we need to fill in the details regarding the forensic case, like the case name, case description and its investigating user.




After saving the details regarding this forensic case, it will confirm these details and ask us to add images for analysis. To add images, click the [+] button.




This will lead us to a window through which we can add images by clicking the add file option. Browse to the file you want to analyze. After adding those files, click on the start upload button.




After uploading these files it will show us the files and the status of the upload. During this upload process, Ghiro asks us to refresh the screen by clicking on the highlighted refresh button. Click on the refresh button to finish the upload.




We can see that the file upload process has just finished; now we have two options to analyze the image. The first option is to click directly on the image name to view its details.




The second option is to click on the Images tab and then click on the image whose details we want to see. Both are much the same; it doesn't affect the forensic investigation process.




Click on the image we want to analyze; it will show us the basic details regarding the image in a dashboard that presents all the analysis results, like static analysis, EXIF, IPTC, XMP, signature check, etc.




Now we click on the second option offered by the dashboard menu, which is Signature results. It shows us all the signatures matched, by severity. In this case 4 are low, 3 are medium and none is high.




In the second tab, we see Static, and its first option is Static info. In the Static info option, we see all the basic information about the image.




We switch to the second option, which is FileType. It says it is a JPEG file, EXIF standard.




The third option shows all the hash values of this file under different algorithms. If we look closely, we can see that the MD5 hash value is the same as the file name shown when we clicked on the image for analysis.




The fourth option we see is Strings. It shows us all the strings inside this image file, with some details of the metadata of this image file.




The final option offered by Static is the Hex dump. It shows us the hexadecimal content of the image file, through which we can get some small details about it.




Now switch to the third tab, EXIF, which has only one option, showing the EXIF metadata. We get some of the major details for our forensic investigation.




Scroll down to get the full segments of the image file's metadata that can come in handy in a forensic investigation, regarding GPS, Thumbnails and IOP (Interoperability).




Switching one more tab, we find the Thumb tab. This shows us all the details regarding the thumbnail of the image: MIME type, extension and dimensions.




The fifth tab of the Ghiro image analysis is ELA. Error Level Analysis (ELA) permits identifying areas within an image that are at different compression levels. With JPEG images, the entire picture should be at roughly the same level. If a section of the image is at a significantly different error level, then it likely indicates a digital modification.
If we look closely and keep the brightness high, we can see the error level image for our image as well.




The final tab shows us the signature values from the image analysis, which we already discussed above.




Overall, Ghiro is a complete image analysis tool that can be quite beneficial in any forensic investigation.