HyderA

Reputation: 21401

Using directory traversal attack to execute commands

Is there a way to execute commands using directory traversal attacks?

For instance, I access a server's etc/passwd file like this

http://server.com/..%01/..%01/..%01//etc/passwd

Is there a way to run a command instead? Like...

http://server.com/..%01/..%01/..%01//ls

..... and get an output?

To be clear here, I've found the vuln in our company's server. I'm looking to raise the risk level (or bonus points for me) by proving that it may give an attacker complete access to the system.

Upvotes: 3

Views: 19459

Answers (6)

Henry

Reputation: 21

Chroot on Linux is easily breakable (unlike FreeBSD). Better solution is to switch on SELinux and run Apache in SELinux sandbox:

run_init /etc/init.d/httpd restart

Make sure you have mod_security installed and properly configured.

Upvotes: 2

user616639

Reputation: 233

If you can already view etc/passwd then the server must be poorly configured... If you really want to execute commands then you need to know whether the PHP script running on the server has any system() call, so that you can pass commands through the URL, e.g. url?command=ls. Try to view the .htaccess files... it may do the trick.

Upvotes: 0

t0mm13b

Reputation: 34592

Edit #2: I have edited out my comments as they were deemed sarcastic and blunt. OK, now that more information came from gAMBOOKa about this (Apache with Fedora, which you should have put into the question), I would suggest:

  • Post to Apache forum, highlighting you're running latest version of Apache and running on Fedora and submit the exploit to them.
  • Post to Fedora's forum, again, highlighting you're running the latest version of Apache and submit the exploit to them.
  • It should be noted, include the httpd.conf to both of the sites when posting to their forums.
  • To minimize access to passwd files, look into running Apache in a sandbox/chrooted environment where any other files such as passwd are not visible outside of the sandbox/chrooted environment... Have you a spare box lying around to experiment with it, or even better, use VMWARE to simulate the identical environment you are using for Apache/Fedora? Try to get it to be an IDENTICAL environment, make the httpd server run within VMWare, and remotely access the virtual machine to check if the exploit is still visible. Then chroot/sandbox it and re-run the exploit again...
  • Document the step-by-step to reproduce it and include a recommendation until a fix is found, meanwhile if there is minimal impact to the webserver running in sandbox/chrooted environment - push them to do so...

Hope this helps, Best regards, Tom.

Upvotes: 0

mar

Reputation: 366

If you are able to view /etc/passwd as a result of the document root or access to a Directory not being correctly configured on the server, then the presence of this vulnerability does not automatically mean you can execute commands of your choice.

On the other hand, if you are able to view entries from /etc/passwd as a result of the web application using user input (a filename) in calls such as popen, exec, system, shell_exec, or variants without adequate sanitization, then you may be able to execute arbitrary commands.

Upvotes: 2
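The distinction mar draws (a file-serving bug that only ever returns file contents, versus user input reaching a shell) is what a server-side fix has to enforce. The following is an added example, not code from any answer here: it shows the containment check a file-serving handler should apply before opening anything (decode the request path fully, reject control bytes such as the %01 from the question, canonicalize against the document root), plus a scan over constructed access-log lines that flags encoded traversal attempts. The document root, the log lines, and the function names are assumptions made for the example.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root for the example; not taken from the post.
DOC_ROOT = "/var/www/html"


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252e) do not slip through."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def resolve_under_root(request_path: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Return the canonical filesystem path for a request, or None if it must be refused.

    A request is refused when it carries control bytes (like the %01 in the
    question) or when canonicalizing it lands outside doc_root. Whatever the
    caller does with the result is a file read; nothing here executes it.
    """
    decoded = fully_decode(request_path)
    # Control characters have no place in a path; reject rather than try to repair.
    if any(ord(ch) < 0x20 for ch in decoded):
        return None
    # Drop any query string and leading slashes, then canonicalize against the root.
    relative = decoded.split("?", 1)[0].lstrip("/")
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Matches a bare ".." path component after decoding (works on forward or back slashes).
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def looks_like_traversal(raw_path: str) -> bool:
    """True if a request path decodes to a '..' component or carries control bytes."""
    decoded = fully_decode(raw_path)
    if any(ord(ch) < 0x20 for ch in decoded):
        return True
    return bool(TRAVERSAL_RE.search(decoded.replace("\\", "/")))


# Constructed Apache combined-log lines for the detection example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2011:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2011:10:00:01 +0000] "GET /..%01/..%01/..%01//etc/passwd HTTP/1.1" 200 1801
203.0.113.5 - - [01/Jan/2011:10:00:02 +0000] "GET /images/..%2F..%2Fconfig.php HTTP/1.1" 404 210
203.0.113.5 - - [01/Jan/2011:10:00:03 +0000] "GET /docs/manual.html HTTP/1.1" 200 2048
"""

LOG_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(log_text: str) -> List[str]:
    """Return the raw request paths in log_text that look like traversal attempts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_REQ_RE.search(line)
        if m and looks_like_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for path in ("/docs/manual.html", "/..%01/..%01/..%01//etc/passwd", "/images/..%2F..%2Fconfig.php"):
        print(f"{path!r:45} -> {resolve_under_root(path)}")
    print("flagged:", flag_traversal_requests(SAMPLE_LOG))
```

Note that the 200 status on the passwd line in the sample log is exactly the signal worth alerting on: a traversal request that was refused shows up as a 4xx, one that was served does not. Scanning decoded paths rather than raw ones matters because the same attempt can be written with %2e, %2F or %01 and never contain a literal "../".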

cherouvim

Reputation: 31903

Yes, it is possible (the first question) if the application is really, really bad (in terms of security).

http://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution

Upvotes: 0

Anon.

Reputation: 60023

Unless the web server is utterly hideously programmed by someone with no idea what they're doing, trying to access ls using that (assuming it even works) would result in you seeing the contents of the ls binary, and nothing else.

Which is probably not very useful.

Upvotes: 0
