
How to Exploit Directory Traversal Vulnerabilities for Code Execution « Null Byte :: WonderHowTo



Directory traversal, or path traversal, is an HTTP attack that lets attackers access restricted directories by using the ../ characters to backtrack to files or directories outside the web root. If a web app is vulnerable to this, an attacker may be able to read restricted files containing information about all registered users on the system, their permissions, and encrypted passwords.

Depending on the permissions the web application runs with (for example, read and write), directory traversal may allow an attacker not only to read sensitive files but also to replace system files with their own.

As an example, consider a web app that lets users download files. We can test whether it is vulnerable to path traversal with dot-dot-slash (../), which is the GNU/Linux and Unix way to step out of the current directory back to its parent. We navigate out of the app's root directory, usually named /app, back toward directories closer to the system files, such as /etc/passwd.

When browsing a web application, the URL might read:

  http://shopping-site.com/get-files.php?file=clothing

You can probe for a path traversal vulnerability by using ../ to try to reach a critical system directory:

  http://shopping-site.com/get-files.php?file=../../../../etc/passwd
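As an added example that is not part of the original article, here is a small Python detector that flags traversal attempts like the one above in web server access logs, including percent-encoded and double-encoded ../ variants. The log lines are constructed for this example and follow the shopping-site URL shape used in the text.

```python
# Added example: flag directory-traversal attempts in access logs.
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /get-files.php?file=clothing HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2019:10:00:01 +0000] "GET /get-files.php?file=../../../../etc/passwd HTTP/1.1" 200 1432
10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "GET /get-files.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432
10.0.0.9 - - [01/Jan/2019:10:00:03 +0000] "GET /get-files.php?file=%252e%252e%252fetc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2019:10:00:04 +0000] "GET /images/cat.jpg HTTP/1.1" 200 9001
"""

# Pull the request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A parent-directory step: ".." followed by a slash, backslash, or end of string.
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')

def fully_decode(path, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ is normalised as well."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal(path):
    """True if the decoded request path contains a parent-directory step."""
    return TRAVERSAL_RE.search(fully_decode(path)) is not None

def flag_traversal(log_text):
    """Return (client_ip, decoded_path) for every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if is_traversal(path):
            hits.append((line.split()[0], fully_decode(path)))
    return hits

if __name__ == "__main__":
    for ip, path in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```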

While the attack seems simple, it still affects apps and devices to this day. Recently, the security research team at ForeScout, a cybersecurity company, examined devices used in building automation system (BAS) networks, which control energy-intensive equipment such as HVAC and building lighting. A path traversal vulnerability was one of the many vulnerabilities they found in the devices.

In this guide, we discover a path traversal vulnerability in Google Gruyere, a deliberately vulnerable web app, and escalate it to code execution. The tool we use is Burp Suite Community Edition. Burp is an intercepting proxy that acts as a man-in-the-middle, capturing every request to and from the target web app so that the pentester can read, edit and replay individual HTTP requests while looking for vulnerabilities and injection points.

Step 1: Visit Google Gruyere in Your Browser

Before we start configuring the proxy settings, setting up Burp Suite and starting Gruyere, first open Gruyere's homepage in your browser. Do not click on anything yet; we will agree and start in a later step.

Step 2: Configure Your Browser for Burp Suite

If you do not have Burp Suite on your computer, you can download and install it on macOS, Linux and Windows. On Kali Linux, the Community Edition is already installed. Next you need to download Burp's CA certificate and configure your browser to route traffic through Burp's proxy. PortSwigger, the company behind Burp Suite, has an excellent guide to installing the CA certificate that you can follow.

To route your browser's traffic so that Burp can intercept HTTP and HTTPS requests from a web app, you need to set up a manual proxy configuration in your browser. The settings can usually be found under "Proxy" or "Network Proxy." Set the HTTP proxy to 127.0.0.1 on port 8080, which is the default Burp uses when it starts.

This is how it looks in Firefox.

Step 3: Enable Burp to Capture Web Requests

Leave your browser open on the web app you are testing, in this case the Google Gruyere homepage, and launch Burp Suite. Create a temporary project (this will always be the case, because all other options are reserved for Burp Suite Pro) and then select "Use Burp Defaults," which starts Burp with the default proxy settings of 127.0.0.1:8080.

Step 4: Accept and Start Your Gruyere Session

Now go back to Gruyere's homepage, which we opened in step 1, to accept the terms. Click "Agree & Start." Nothing will happen. By default, when Burp starts, "Intercept is on" in the "Proxy" tab. This means your web app will "hang" in the browser as if it is still loading, because it is waiting for Burp to either forward, drop or otherwise act on the request.

Step 5: Start Mapping the Web App Using Burp's Spider Tool

We use Burp's Spider to map the content of the web application. As we navigate the web app, following links, submitting forms and creating an account, the Spider records all of the web application's content and navigation paths in Burp, building a site map. The browser tab should still be hanging and waiting for your action in Burp. Select the "Proxy" tab and you will notice that the GET request to the Gruyere site has been captured. Right-click the GET request and click "Send to Spider."

You will then be asked whether you want to add the item to the Spider's scope. Select "Yes" to add the web app's host to the target scope so that Burp knows which app's links to begin analyzing for content.

Next, select "No" when prompted about proxy history logging. This keeps the scope wide, which makes it easier to find more targets. Following external items can lead to discovering other portals where parts of the web app live, such as a marketing portal, an admin portal and so on.

Now, on the "Proxy" tab, click "Intercept is on" to turn it off (we no longer need it), and the Gruyere page should finally load in the browser.

The Spider starts by requesting a web page, analyzing it for links and content, requesting those links, and repeating this process recursively for every link available on the site. A site map will be built and made available in Burp's "Target" tab.

The Spider will also prompt you with login forms so it can continue mapping content recursively. Decline these prompts in Burp Suite. Instead, we create a user directly in the browser and log in from there, which gives a better picture of the features available to a logged-in user of the site.

Step 6: Discover Features in the Web App

While the Spider is actively running, discovering content and analyzing every page you visit, it's time to explore what features a user has access to in the web app. To do so, you must first create an account: click "Sign up" and register. The goal is to manually explore the web app as a regular user while Burp's Spider collects all the paths you visit in the background.

Once you have a user account and have logged in, you will be greeted by a user interface with a navigation bar for things such as creating snippets, showing snippets and uploading files. In this tutorial, we focus on the "Upload" functionality, as this is where we can find a path traversal vulnerability that can be used for code execution.

Click "Upload" and then upload any file you want the app to host. In my case, I upload a JPG image of a cat. Gruyere makes this file available at a path that follows this basic naming convention:

  site.com/username/file 

You can see the link to your uploaded file next to "File available on."

Copy and paste the file link into the browser's address bar. This is where you can start fuzzing it to check for a path traversal vulnerability. Append ../secretfile to the file's URL, as shown below. If the URL does not end in a / (slash), add one before ../secretfile.

  https://google-gruyere.appspot.com/611736743737267028246619854335969477478 /test/cat.jpg/../secretfile

After hitting Enter, an error should be displayed because secretfile cannot be found in the current directory. Now try to backtrack to the parent directory of the app with site.com/username/secretfile.

This shows that the application lets the ../ characters through and traverses directories. On some web apps, when you enter ../ characters, the app strips them, which prevents anyone from backtracking into parent directories.

Exploiting Path Traversal in File Uploads

Uploads are made available via username/file, and users can traverse directories using ../ characters, which makes the upload feature the perfect candidate for a path traversal vulnerability.

Because the web app processes ../ so that users can move back into parent directories, and that path leads through the file upload function, it is possible for an attacker to replace a file that is important to the web application's infrastructure with their own.

Depending on the uploaded file, a path traversal can become code execution. To find out what type of file to upload to trigger code execution, let's check back with the Spider to see how it has mapped the web app.

Step 8: Analyze the Source Code in Important Files

Return to Burp and check the "Site map" tab in the "Target" section. The Spider should have analyzed many of the paths you manually navigated in the web app. A very interesting "code" directory will be there, with a file named "gruyere.py" as well as many other Python and GTL files, as shown in the screenshot below.

Note in the "resources" directory how many of the GTL files are named after functionality seen in the user navigation bar once logged into Gruyere. So the files "login.gtl", "newsnippet.gtl" and "upload.gtl" are not random files; they are the files with the code that lets users log in, create snippets and upload files in Google Gruyere.

Reading through the Python file "gruyere.py", shown in the picture below, notice that there is logic built into the program to restart the server inside a while loop. The loop keeps handling requests until the quit_server flag is true, which happens when a user navigates to /quitserver.

Another interesting Python file discovered is "gtl.py." Reading through its code, it seems that this Python file implements the GTL templating language for the files that use the .gtl extension. This can be seen from the beginning of the multiline comment that opens with triple quotes (""") in Python, which reads: Gruyere Template Language, part of Gruyere, a web application with holes.

From the files just discovered, we know that Gruyere is a web app that uses a templating language called GTL. The templating language is implemented by the Python file "gtl.py", which provides all the logic for files ending in .gtl.

Thinking like an attacker, if we could replace the "gtl.py" file with our own, we could rewrite the site's infrastructure and thus own the application. We discovered that the file upload function is vulnerable to a path traversal attack. So if we wanted to replace "gtl.py", we could use the file upload function by creating our own "gtl.py" file and naming it ../gtl.py.

Note that creating files and naming them with characters like ../ will throw an error on both Windows and macOS. This can be bypassed by creating a user named .. (dot dot) on Gruyere. Then, from the .. user's account, upload our own "gtl.py" and restart the web application by navigating to /quitserver in the URL bar. If you remember, we discovered /quitserver when the Spider found the "gruyere.py" file.

Since Gruyere is a deliberately vulnerable web application, a server-owned warning, "Gruyere System Alert," appears saying the server is restarting and has been "0wnd."

Real-World Code Execution Would Be Much Worse

A real scenario of successful code execution would lead to much more damage. Consider, for example, the recent news about remote code execution in the package manager used to update and install tools on Debian, Ubuntu and other popular GNU/Linux distributions.

The RCE was discovered in January 2019 and allowed adversaries to carry out man-in-the-middle attacks and execute arbitrary code as the root user (the user with the highest privileges in GNU/Linux) on any affected machine. Having a random attacker who can access your computer as root would cause chaos, because they could install any file on the system.

Preventing This from Happening

The way to prevent a path traversal vulnerability in a file upload is to address the vulnerable path handling first, then the unrestricted file upload.

For example, to prevent path traversal, a web app should avoid reading files dynamically based on user input. Secondly, to prevent malicious file uploads, enforce a strict whitelist of the content types, file extensions and names that may be uploaded.

Gruyere allowed users to upload a file with the .py extension, i.e. a Python file. A whitelist that prevents Python, JavaScript and PHP files from being uploaded, and that checks for double extensions in filenames (as when an attacker uses an extension like .png.jpg), makes it much harder for an attacker to upload arbitrary code files to the server.
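As an added Python example (not Gruyere's own code), here is the vulnerable upload-path logic beside a hardened version that applies the checks above: reject a .. username, allow only a single whitelisted extension (so double extensions fail), and confirm the resolved path stays inside the upload root. UPLOAD_ROOT, ALLOWED_EXT and the function names are assumptions made for this example.

```python
# Added example: upload path handling, vulnerable vs. hardened.
import os
import re

UPLOAD_ROOT = "/srv/app/uploads"                    # assumed upload root for this example
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "txt"}  # no py/js/php: script files stay out
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # plain names: no dots, no slashes

def upload_path_vulnerable(username, filename):
    """Mirrors the flaw in the article: user-controlled parts are joined verbatim,
    so a username of '..' or a filename like '../../gtl.py' walks out of the root."""
    return os.path.join(UPLOAD_ROOT, username, filename)

def escapes_upload_root(path):
    """True if the normalised path is not inside UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root

def upload_path_hardened(username, filename):
    """Return the on-disk path for an upload, or raise ValueError."""
    # 1. Username must be a plain token, which rules out '..', '.', '' and slashes.
    if not SAFE_TOKEN.match(username):
        raise ValueError("bad username")
    # 2. Filename must be name.ext: no directory parts, exactly one extension
    #    (so 'shell.py.jpg' is rejected), and the extension must be whitelisted.
    if os.path.basename(filename) != filename:
        raise ValueError("filename contains a directory component")
    parts = filename.split(".")
    if len(parts) != 2 or not SAFE_TOKEN.match(parts[0]):
        raise ValueError("filename must be name.ext with a single extension")
    if parts[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # 3. Defence in depth: even after validation, confirm the path resolves inside the root.
    full = os.path.join(UPLOAD_ROOT, username, filename)
    if escapes_upload_root(full):
        raise ValueError("path escapes upload root")
    return os.path.realpath(full)

def accepts(username, filename):
    """Does the hardened check accept this username/filename pair?"""
    try:
        upload_path_hardened(username, filename)
        return True
    except ValueError:
        return False
```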

Cover image, screenshots and GIFs by Ginsa0x8 / Null Byte
