Hacker, Researcher and Author.

Hack a website using Directory Traversal attack?

What is the root directory of a web server?

It is a specific directory on the server in which the web content is placed and can be seen by website visitors. Directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible to a visitor on a website is placed in the root directory. The visitor cannot step out of the root directory.

What does ../ or ..\ (dot dot slash) mean?

The ..\ instructs the system to go one directory up. For example, we are at this location: C:\xx\yy\zz. On typing ..\ , we would arrive at C:\xx\yy.

On typing ..\ again, we would reach C:\xx

Let's go back to location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt . Typing ..\ two times takes us two directories up (that is, to directory xx), where abc.txt is placed.

Note: It is ..\ on Windows and ../ on UNIX-like operating systems.

What is a Directory Traversal attack?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.

The following example will make everything clear.

Visit this website, which is vulnerable to a directory traversal attack:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This web server is running on a UNIX-like operating system. There is a directory 'etc' on Unix/Linux which contains configuration files of programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile, sbin.

The file etc/passwd contains the login names of users and even passwords too.

Let's try to access this file on the web server by stepping out of the root directory. Look carefully at the position of the directories on the web server.

We do not know the actual names and contents of the directories except 'etc', which is the default name, so I have marked them as A, B, C, E or whatever.

We are in directory F, accessing the web pages of the website.


Let's type this in the URL field and press Enter:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd

This will search for the directory 'etc' in F. But obviously there is nothing like this in F, so it will return nothing.

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd

Now this will step up one directory (to directory E) and look for 'etc', but again it will return nothing.

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd

Now this will step up two directories (to directory D) and look for 'etc', but again it will return nothing.

So by proceeding like this, we go for this URL:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the main drive and then to the 'etc' directory, and shows us the contents of the 'passwd' file.

To understand the contents of the 'passwd' file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format


You can also view etc/profile, etc/services and many other files, such as backup files, which may contain sensitive data. Some files like etc/shadow may not be accessible because they are accessible only by privileged users.

Note: If proc/self/environ is accessible, you might upload a shell on the server, which is called Local File Inclusion.

Countermeasures

1. Use the latest web server software
2. Effectively filter the user's input
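
Countermeasure 2 as an added example (not code from the original post, and written in Python rather than the site's PHP): the `page` value is resolved to a canonical path and served only if it still lies inside the web root. The function names, the constructed temporary directory tree (lettered like the article's B to F) and the allowed extensions are assumptions.

```python
import os
import tempfile

ALLOWED_EXT = (".php", ".html")  # assumption: the only page types the site serves

def naive_resolve(web_root, page):
    # Vulnerable pattern: the parameter is joined onto the root unchecked.
    return os.path.normpath(os.path.join(web_root, page))

def safe_resolve(web_root, page):
    """Return the canonical path of `page`, or None if it must not be served."""
    root = os.path.realpath(web_root)
    # realpath collapses every ../ and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, page))
    # Compare whole path components, not string prefixes.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not candidate.endswith(ALLOWED_EXT) or not os.path.isfile(candidate):
        return None
    return candidate

def demo():
    """Build a constructed tree (web root F five levels deep) and replay the article's requests."""
    requests = ["notification.php", "etc/passwd", "../etc/passwd",
                "../../../../../etc/passwd"]
    results = {}
    with tempfile.TemporaryDirectory() as top:   # `top` stands in for the main drive
        top = os.path.realpath(top)
        web_root = os.path.join(top, "B", "C", "D", "E", "F")
        os.makedirs(web_root)
        os.makedirs(os.path.join(top, "etc"))
        with open(os.path.join(top, "etc", "passwd"), "w") as fh:
            fh.write("constructed sample, not a real passwd file\n")
        with open(os.path.join(web_root, "notification.php"), "w") as fh:
            fh.write("<?php /* constructed page */ ?>\n")
        for page in requests:
            naive = naive_resolve(web_root, page)
            safe = safe_resolve(web_root, page)
            results[page] = (
                os.path.relpath(naive, top) if os.path.isfile(naive) else None,
                os.path.relpath(safe, top) if safe else None,
            )
    return results

if __name__ == "__main__":
    for page, (naive, safe) in demo().items():
        print(f"{page!r:32} naive -> {naive}   safe -> {safe}")
```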

30 comments:

  1. awesome bro .really nice one

  2. no words. excellent job ,, rafay and aneesh :)

  3. @aneesh
    I already knew this attack. I have found a website in which passwords are placed in etc/passwd but they are encrypted. What now??

    shubham

  4. Hey shubham, you can use this tool 'John the Ripper' to crack encrypted passwords. Hopefully, it will crack them if the passwords are not strong enough. :)

  5. Thanks for the Info..

  6. A good post to read! But U need to add videos and better pictures to articles like this one

  7. why you use chitkara university website...... ??????
    you are from chitkara.....

  8. @Anonymous
    This is just to inform the concerned authorities to fix it, I have mailed them also informing them about this bug

    Shaiq Uddin
    Yes I am looking forward for making video tutorials

  9. @Anonymous
    I just needed a vulnerable site to make the things clear to you all and found this one. No, i am not from chitkara.

    @Shaiq Uddin
    Thanks friend

  10. hey i need a facebook password i think wife is cheating, can you help?

    bonjour2504@hotmail.co.uk

  11. @shaik.......bro can tell how to check the site for vulnerability...

  12. excellent & very educational post,phenomenal post

  13. This comment has been removed by the author.

  14. How to find sites vulnerable to this attack.
    Is there a way?

  15. HeLlo Dear Raafay@@
    Hacking Is My Craze...and I am currently working on Website Hacking...
    Would You Please Like to Send Me All Notes about Hacking Website..if that is Mysql Injection,John the Ripper or Any thinG....on
    Abdullahchd.azam@gmail.com
    I am Waiting I want to learn it All for Education Purpose...Web books suck they are too lengthy..hope u will send it to me ,I am wa8ing Bro

  16. that's awesome man

  17. salam dear
    how r u? nice to see u.
    dear contact me on my id worldshacker@yahoo.com from your own id.
    i have something interesting for u......a surprize.
    w8ng 4 ur reply.
    poizn_x

  18. abdulrafay_789@hotmail.com
    i think thats ur id, is it???
    reply
    w8ng 4 ur reply
    regards
    poizn_x

  19. hi, hello, am new to this hacking stuffs, but i do have the basic knowledge in some programming language, could someone please guide me in the right direction and if possible send me some materials related to hacking to my mail id sundardbm@yahoo.com

  20. for proc/self/environ, heres a live example :)
    http://themewp.com/page/2/?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../proc/self/environ

    Greetings from the Underground World

  21. Sir,
    am new to this type please send me some notes on website hacking...A-Z
    thank you
    ma email id is ravindersandhu89@yahoo.com
    sir..ur notes r really interesting...thanks a lot

  22. http://www.must.edu can u do this with this website well i want to get time table of my college m8 i need help email me plz dream_land_2@hotmail.com

  23. just trying to be an angelbit or byte of an angel !!!

    M. Meek :)

  24. Above example link of Chitkara University doesn't work...plz give some other running examples.

  25. hacking a website means taking control over that site .

  26. @Mostafa:
    Well that specific website must be VULNERABLE to DTA for you to get your timetable bro.

  27. @Anonymous 27:
    No bro, I'm afraid you are slightly wrong in this case.
    Hacking in fact just means gaining access to what you are not supposed to.
    Getting control of the site is called "Domain Hijacking"

    www.hackingmyworld.com

  28. Watta bout diz:
    Fatal error: Call to undefined function isCurrentUser() in /home/staff/public_html/articles_center.php on line 130 saw it on a vulnerable site at this url : http://staff.domain.com/articles_center.php . How can I browse this directory? Thanks in advance!


© 2016 All Rights Reserved by RHA Info Sec.
