What is a path traversal vulnerability?


figar0

In the simplest terms, a path traversal vulnerability lets an attacker read files and directories that should be inaccessible to them. It is exploited by manipulating parameters, for example by setting their value to “../../”. The result is not only disclosure of confidential data or configuration files; in extreme cases it leads to remote code execution, as we will see later in the article.

Sites protect themselves against this vulnerability with software such as a WAF, among other measures. Ill-considered or poorly implemented protections can be circumvented with the following sample payloads; the arrow indicates what each one decodes to.

- `%2e%2e%2f` –> `../`
- `%2e%2e/` –> `../`
- `..%2f` –> `../`
- `%2e%2e%5c` –> `..\`
- `%2e%2e\` –> `..\`
- `..%5c` –> `..\`
- `%252e%252e%255c` –> `..\`
- `..%255c` –> `..\`
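The payloads above get past a filter that only looks for the literal string `../`. The following is an added example (not from the original article): a substring filter of that kind next to a check that canonicalises the input first (repeated percent-decoding, backslash normalisation, path resolution) and then verifies the result still lies under the document root. The document root `/srv/app/public` and the `etc/passwd` suffix are assumed values chosen for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example; any directory works.
BASE_DIR = os.path.realpath("/srv/app/public")

# Constructed from the bypass payloads listed above: each decodes to ../ or ..\
PAYLOADS = [
    "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c",
    "%2e%2e\\", "..%5c", "%252e%252e%255c", "..%255c",
]


def naive_filter(user_path: str) -> bool:
    """Typical weak check: allows the path unless it contains the literal '../'."""
    return "../" not in user_path


def canonical_decode(user_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing so double-encoded dots
    cannot hide, then treat backslashes as separators so '..\\' is seen as '../'."""
    decoded = user_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path under base_dir; return None if the result escapes it."""
    # lstrip('/') so an absolute user path cannot make os.path.join drop base_dir
    relative = canonical_decode(user_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(base_dir, relative))
    # commonpath compares whole path components, so /srv/app/public2 is rejected
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    for p in PAYLOADS:
        attempt = p + "etc/passwd"
        print(f"{attempt:28} naive={naive_filter(attempt)!s:5} "
              f"safe_join={safe_join(BASE_DIR, attempt)}")
```

Every payload passes `naive_filter`, while `safe_join` rejects all of them and still accepts an ordinary relative path such as `css/site.css`.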

Despite its age and the relatively simple protections against it, path traversal is still encountered in both older and newer technologies. Here are some examples that demonstrate this.

To start with a simple [example](https://arjunshibu.tech/intro-to-open-source-bug-bounty/): the pentester describes a site running Node and Express in which one endpoint passed every user-supplied parameter to the server-side rendered page. It used the hbs engine for this, which does not validate the passed parameters, so the attacker could use the optional “layout” parameter to find a path traversal vulnerability. Details of the finding: https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/.

An [example](https://ninetyn1ne.github.io/2020-10-05-open-redir-to-ato/) in which the researcher first finds an open redirect vulnerability and then a path traversal vulnerability in one of the endpoint parameters, which ultimately results in SSRF.

Kramdown is a library written in Ruby for parsing and converting text written in the Markdown markup language. It is used by, among others, GitHub Pages, Jekyll and GitLab. In this [article](https://devcraft.io/2020/10/20/github-pages-multiple-rces-via-kramdown-config.html) the pentester describes incorrect validation of the characters accepted as arguments, which led to a path traversal attack and subsequently to remote code execution.

How can finding this vulnerability be automated? There are many options. Personally, I suggest [dot2moon](https://github.com/fnk0c/dot2moon). How is it used? With the default wordlist shipped with the tool, the command looks as follows:

```
python3 dot2moon.py -u https://host:port?key= -w wordlists/wl.txt
```

https://owasp.org/www-community/attacks/Path_Traversal
https://github.com/jcesarstef/dotdotslash
https://arjunshibu.tech/intro-to-open-source-bug-bounty/
https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/
https://ninetyn1ne.github.io/2020-10-05-open-redir-to-ato/
https://devcraft.io/2020/10/20/github-pages-multiple-rces-via-kramdown-config.html
