Directory Traversal Vulnerabilities


In this course, you will learn how to view files and folders you are not supposed to have access to using a technique known as directory traversal, and how to automate the process with a tool called dotdotpwn.


Hi. Within this lecture, we're actually going to practice directory traversal to reach the files and folders that are hidden in the web server. Not exactly hidden, but not supposed to be shown to the visitors of this website, right? So, here we go. We have message.txt, and we don't even know where it resides. We don't know where they located this message.txt on the web server, right? So, we're going to try and see.

For example, if I write something like this, `..`, or only a single dot, as you can see, it doesn't show us anything. It says that this file doesn't exist. So, you cannot just write some random thing over here. You have to give parameters that make it a valid file or a valid folder. We are inside the file section right now, so we're going to focus on the files, and then we can go on and look at the folder system as well. So, this file doesn't exist. What do we do? We try to see etc/passwd, or any other file, by trying to find the location, and we're going to try our way into it.

In order to do that, we can come back to the URL and try adding dots and slashes. You can just try this as well, but with no text at the end it definitely doesn't show anything if you cannot point it at a valid file. So, if you do something like `../../`, it means go back two folders, and then you're going to find some file in that folder, and it will show you its content. Like that, okay? So, we have done `cd ..` in our Kali Linux; I'm doing exactly the same thing here. I have done `../../../..`, and then I could have said etc/passwd, or anything else as well. So, let me try and see if this works. Now, as you can see, there is `../../../..` right now, and I'm going to hit 'Enter', and here we go. Now we see etc/passwd. How did I know that we have to put `../../../..`? I didn't know; I just guessed it, or I just assumed it. So, I could have tried `../../..` as well.

Maybe it will work as well; maybe it can just work like this. But as you can see, it doesn't work. Maybe if I put just a slash, it works here as well. So, it's very vulnerable. But in a real directory traversal example, you should have put these `..` over there as well, okay? So, if I go to medium, for example, okay? And if I come over here to the page parameter one more time, and if I write etc/passwd, let me see. Yeah, it still shows. So, it's a little bit vulnerable, I believe, in the directory traversal thing, but you understood how it works. So, all you have to do if you're suspicious about directory traversal, now, is this. It actually detects the directory traversal when you do medium security, okay? But it still shows if you find the correct amount of `..`, I believe. So, if we don't give any `..` and slashes, it will show the content of etc/passwd, which doesn't make sense, but this is the way they configured it. And if we put something, it will just detect the directory traversal in this case. So, here we go.

But in real-life examples, you're going to have to try and see if you can see etc/passwd with only one `../`, two `../`, three `../`, and so on. It will take a lot of effort to do this, right? And by the way, I'm doing all of this with etc/passwd, but maybe you won't have permission to read etc/passwd, and you will have permission to read something else. So, you're going to have to try other files and folders as well. We're going to see how to do this in a quick and dirty, and actually very easy, way in the next lecture, but right now I just want to show you some other details. We're going to automate it in the next lecture.

So, here we are actually trying to see the files, right? For example, in tutorials on the Internet, you can see something like this: proc/self/environ, okay? So, if you can reach that file, you can see that it can give you a reverse shell by changing some configuration, but it really doesn't work in real life, because you need root access for that, and most of the time websites do not run as root by default. So, if I come over here, okay? If I just go over there in my own Kali Linux, I can reach that. Okay, I can just go to proc/self, and I can see the environ file over here. I can just cat that, and you can see the configurations over here. So, it's a little bit of a confidential file, but you need to be root in order to reach that, so I'm not going into that in this class, because it won't be usable, or it won't be repeatable, in real-life examples, okay? So, if you see something like that in tutorials, and you're thinking why we didn't cover this proc/self/environ thing in this course, that's why. It's not applicable.

So, other than that, we have actually covered what we need to cover in the directory traversal files thing; maybe we can take a look at the folders as well. Rather than seeing the files, we can see the folders over here, okay? And it's basically the same thing, but more importantly, we need to find a way to make this a little bit more automated, because if you want to find these vulnerabilities, then you're going to have to spend so much time, and you will get tired, and you will think that it doesn't even work. Maybe it works, maybe you don't know; maybe you have to try something like this in order to make it work. Okay, maybe two `../`, three `../`. So, let's stop here and do this in the next lecture.
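Added example (not part of the lecture or the course's own material): a self-contained Python script that reproduces, on a throwaway directory tree it constructs itself, the three behaviours the lecture walks through. `read_vulnerable` is the naive file reader that walks out of the web root once you find the right number of `../` segments; `read_blocklist` is a "strip `../`" filter of the kind the lecture describes at medium security; `read_hardened` is the real fix, which resolves the final path and refuses anything that lands outside the base directory. `probe()` does by hand what dotdotpwn automates: it tries the target with no traversal, as an absolute path, and then with increasing depths of `../`. It goes slightly beyond the lecture by also trying the `....//` form, which collapses back to `../` after a single-pass strip. The directory layout, file names and the `traversal-lab-canary` marker are all constructed for this example; the marker ensures the probe only counts a hit on the lab's fake passwd file, not on the real `/etc/passwd` that the absolute-path payload may read.

```python
"""Directory traversal lab: vulnerable reader, blocklist 'fix', real fix, and a
depth-probing payload generator. Everything here is constructed for the example;
it is not code from the lecture or from dotdotpwn."""
import os
import tempfile

CANARY = "traversal-lab-canary"  # marker that exists only in the lab's fake passwd


def make_lab():
    """Build <root>/www/files/message.txt (inside the web root) and
    <root>/etc/passwd (outside it). Returns (root, web_root)."""
    root = tempfile.mkdtemp(prefix="dt-lab-")
    web_root = os.path.join(root, "www", "files")
    os.makedirs(web_root)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(web_root, "message.txt"), "w") as f:
        f.write("hello from the web root\n")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        f.write(f"{CANARY}:x:1000:1000::/home/canary:/bin/sh\n")
    return root, web_root


def read_vulnerable(base, user_path):
    """Naive join: '..' segments walk out of base, and os.path.join discards
    base entirely when user_path is absolute (the 'just a slash' case)."""
    with open(os.path.join(base, user_path)) as f:
        return f.read()


def read_blocklist(base, user_path):
    """Blocklist 'fix' modelled on the lecture's medium level (assumption):
    strip '../' and '..\\' once, then serve whatever is left."""
    filtered = user_path.replace("../", "").replace("..\\", "")
    return read_vulnerable(base, filtered)


def read_hardened(base, user_path):
    """Real fix: resolve the final path and require it to stay under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"traversal blocked: {user_path!r}")
    with open(target) as f:
        return f.read()


def traversal_payloads(target, max_depth=6):
    """What dotdotpwn automates: the bare path, the absolute path, then
    1..max_depth levels of '../'. The '....//' variant survives a single-pass
    '../' strip because removing the inner '../' leaves '../' behind."""
    yield target
    yield "/" + target.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target
        yield "....//" * depth + target


def probe(reader, base, target, marker=CANARY):
    """Return the first payload that makes reader() leak marker, else None.
    Missing files, blocked requests and unjoinable paths are just 'no hit'."""
    for payload in traversal_payloads(target):
        try:
            if marker in reader(base, payload):
                return payload
        except (OSError, ValueError):
            continue
    return None


if __name__ == "__main__":
    root, web_root = make_lab()
    print("lab root:", root)
    for name, reader in [("vulnerable", read_vulnerable),
                         ("blocklist", read_blocklist),
                         ("hardened", read_hardened)]:
        print(f"{name:10s} ->", probe(reader, web_root, "etc/passwd"))
```

Run as a script it reports the first working payload per reader: the naive reader falls at two levels of `../` (the lab's web root is two directories below the fake `/etc`), the blocklist reader holds against plain `../` but falls to `....//....//etc/passwd`, and the hardened reader never leaks the canary while still serving `message.txt`. The point of the containment check is that it does not care how the traversal was spelled: whatever `realpath` resolves to either sits under the base directory or is refused.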


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.