m0untainrebel

help with directory traversal attack

9 posts in this topic

I found a PHP script that looks a little like this:

dnl.php:
<?php
// $_GET['file'] is taken straight from the query string
$url = $_GET['file'];
// strips every forward slash; this is the only sanitisation applied
$url = str_replace("/", "", $url);
// hexcode() is defined elsewhere: it hex-encodes the file contents for display
echo hexcode(file_get_contents($url));

hexcode() is defined somewhere else, and it basically just reads a file, converts it to hex, and displays it to the page. So I can use this to figure out the contents of every file in the current directory: I can go to dnl.php?file=whateveriwant.php to get the contents of it in hex, convert it back to ASCII, and see what it does. The second line cuts out slashes, so if I go to dnl.php?file=../../whatever it turns $url into "....whatever", or dnl.php?file=/etc/passwd makes $url "etcpasswd", which are both invalid filenames.

I've tried putting the hex character for slashes in the URL (dnl.php?file=%2Fetc%2Fpasswd), but that still creates the slash character, which still gets stripped. I even tried using PHP's string processing to get it to work, with a URL something like this: dnl.php?file={$_GET}&url=/etc/passwd, with the idea that $url would be stripped of slashes (and there are no slashes in "{$_GET}") and instead pull up the value of $_GET['url'], /etc/passwd. Didn't work.

This script is so small and simple, there's got to be some way for directory traversal to work. Any ideas?

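As an added example (not code from the thread), the following Python models what the posted str_replace("/", "", ...) filter does to each probe mentioned above, and beside it a hypothetical hardened read that resolves the requested name under a base directory instead of deleting characters. The names dnl_filter, safe_read_hex, demo_hardened and the temporary file tree are assumptions for illustration; the probe list is constructed from the thread, not captured traffic.

```python
import os
import tempfile
import urllib.parse


def dnl_filter(file_param: str) -> str:
    """Model of the posted filter: $url = str_replace("/", "", $_GET['file']).

    PHP percent-decodes the query string before populating $_GET, so %2F
    arrives as a literal '/' and is stripped like any other slash.
    """
    decoded = urllib.parse.unquote(file_param)
    return decoded.replace("/", "")


# The probes tried in the thread (constructed list, not captured traffic).
THREAD_PAYLOADS = [
    "whateveriwant.php",
    "../../whatever",
    "/etc/passwd",
    "%2Fetc%2Fpasswd",
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "..\\file.php",
]


def filtered_payloads() -> dict:
    """What file_get_contents() is actually asked to open, per probe."""
    return {p: dnl_filter(p) for p in THREAD_PAYLOADS}


def safe_read_hex(base_dir: str, file_param: str) -> str:
    """Hypothetical hardened version of dnl.php's read (not from the thread).

    Instead of deleting characters, resolve the requested name under base_dir
    and refuse anything whose real path ends up outside it. realpath() also
    follows symlinks, so a link inside base_dir that points out is rejected.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, file_param))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise PermissionError(f"refusing {file_param!r}")
    with open(target, "rb") as fh:
        return fh.read().hex()


def demo_hardened() -> dict:
    """Throwaway tree (constructed): <tmp>/htdocs/ok.php inside the root,
    <tmp>/secret.txt outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "ok.php"), "wb") as fh:
            fh.write(b"<?php echo 1;")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"top secret")

        def attempt(name):
            try:
                safe_read_hex(docroot, name)
                return "READ"
            except PermissionError:
                return "blocked"

        return {
            "inside": safe_read_hex(docroot, "ok.php"),
            "dotdot": attempt("../secret.txt"),
            "backslash": attempt("..\\secret.txt"),
            "absolute": attempt(secret),
        }


if __name__ == "__main__":
    for probe, opened in filtered_payloads().items():
        print(f"{probe!r:40} -> file_get_contents({opened!r})")
    print(demo_hardened())
```

The point of the hardened version is that a traversal check has to be made on the resolved path, not on the raw string: stripping one character leaves every other representation (a backslash on Windows, an absolute path, a symlink already on disk) untouched.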

$url=str_replace("/","",$url);

That line strips out the slashes.

Remove that line from the code and it should work.

Edited by Lugner

I made a dnl.php (with your code provided, minus the hexcode() function) on my Windows XP machine running Apache/2.2.4 (Win32) PHP/5.2.1.

When I tried http://localhost/tst/dnl.php?file=../ex.txt it gave the error

Warning: file_get_contents(..ex.txt) [function.file-get-contents]: failed to open stream: No such file or directory in X:\www\tst\dnl.php on line 4

But when I tried http://localhost/tst/dnl.php?file=..\ex.txt I got the contents of the file.

So maybe you could try file=..\whatever.ext

I made a dnl.php (with your code provided, minus the hexcode() function) on my Windows XP machine running Apache/2.2.4 (Win32) PHP/5.2.1.

When I tried http://localhost/tst/dnl.php?file=../ex.txt it gave the error

Warning: file_get_contents(..ex.txt) [function.file-get-contents]: failed to open stream: No such file or directory in X:\www\tst\dnl.php on line 4

But when I tried http://localhost/tst/dnl.php?file=..\ex.txt I got the contents of the file.

So maybe you could try file=..\whatever.ext

Whereas that only works on Windows boxes I guess?!

Whereas that only works on Windows boxes I guess?!

When I tried it on Apache/1.3.33 (Unix) PHP/4.3.11 I got the error message:

Warning: file_get_contents(..\test.txt): failed to open stream: No such file or directory in /home/xxxx/domains/xxx.nl/public_html/test/dnl.php on line 4

The file test.txt was there, so it seems it doesn't work on Linux.

$url=str_replace("/","",$url);

That line strips out the slashes.

Remove that line from the code and it should work.

Lugner, I don't have access to files on the server. I need to be able to figure out how to exploit this script without changing any of the files.

And yeah, I actually tried using a backslash, and it didn't work. The server I'm working on is a LAMP setup. Interestingly enough, it seems that this server just tries to escape my backslash, so if I try looking at ..\file.php, it actually tries ..\\file.php, and says that file doesn't exist.


You can always try percent encoding (%2e%2e%2f = ../), but it's not working on the tests I've tried.

Disabling 'magic quotes' in the PHP conf seems to be your big issue, and as you don't have write access to the server or script, and are without the ability to set global variables, that script is secure from where I am standing, at least on a LAMP install with the default character encoding set.


Have you tried non-minimal encodings?

www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Stender.pdf

Interestingly enough, it seems that this server just tries to escape my backslash, so if I try looking at ..\file.php, it actually tries ..\\file.php

magic_quotes_gpc = On

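To tie the last few replies together (the backslash that worked on Windows, failed on the LAMP box, and came back doubled), here is an added Python example, not code from the thread, that reproduces the whole input pipeline: percent-decoding, PHP's addslashes() as magic_quotes_gpc applied it, then the script's own slash stripping, and finally how each platform's path rules interpret what is left. The Windows side is modelled with Python's ntpath, not a real Windows box; the function names, the script directories and the probe string are constructed to match the two servers quoted in the thread.

```python
import ntpath
import posixpath
import urllib.parse


def addslashes(s: str) -> str:
    """PHP's addslashes(), which magic_quotes_gpc applied to every GET value:
    a backslash is put before single quote, double quote, backslash and NUL."""
    return "".join(("\\" + ch) if ch in "'\"\\\x00" else ch for ch in s)


def dnl_input(file_param: str, magic_quotes_gpc: bool) -> str:
    """The string dnl.php finally hands to file_get_contents(): percent-decoding,
    then magic quotes (if on), then the script's own str_replace("/", "", ...)."""
    value = urllib.parse.unquote(file_param)
    if magic_quotes_gpc:
        value = addslashes(value)
    return value.replace("/", "")


_FLAVOURS = {"posix": posixpath, "windows": ntpath}


def resolves_to(script_dir: str, name: str, flavour: str) -> str:
    """Where the OS would look for `name` relative to the script directory.
    posixpath treats only '/' as a separator, so '..\\ex.txt' is one odd
    filename; ntpath treats '\\' as a separator too and collapses repeats."""
    mod = _FLAVOURS[flavour]
    return mod.normpath(mod.join(script_dir, name))


def escapes(script_dir: str, name: str, flavour: str) -> bool:
    """True if the resolved path lies outside script_dir."""
    mod = _FLAVOURS[flavour]
    base = mod.normpath(script_dir)
    return mod.commonpath([base, resolves_to(script_dir, name, flavour)]) != base


def scenarios(probe: str = "..\\ex.txt") -> dict:
    """The thread's backslash probe under each platform/magic_quotes combination.
    Script directories are constructed from the two servers quoted above."""
    out = {}
    for flavour, script_dir in (("posix", "/home/xxxx/domains/xxx.nl/public_html/test"),
                                ("windows", "X:\\www\\tst")):
        for mq in (False, True):
            name = dnl_input(probe, mq)
            out[(flavour, mq)] = (name, resolves_to(script_dir, name, flavour),
                                  escapes(script_dir, name, flavour))
    return out


if __name__ == "__main__":
    for (flavour, mq), (name, where, out_of_root) in scenarios().items():
        print(f"{flavour:8} magic_quotes_gpc={mq!s:5} opens {name!r:14} -> {where}"
              f"  {'ESCAPES' if out_of_root else 'stays in root'}")
```

Running it shows the two observations side by side: on the POSIX layout the backslash is never a separator, so both "..\ex.txt" and the magic-quoted "..\\ex.txt" stay inside the script directory as plain (non-existent) filenames, while on the Windows layout "..\ex.txt" walks up one level exactly as the XP test reported.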
