Directory Traversal

This is a very important vulnerability to look for in a web application.

The initial step is to look for any page that loads a local file from the web application. Then try to play around with the file path to see if any other file can be fetched from the server. If you have already gathered enough information from enumeration to identify the operating system, the search can be made more specific to important files within that operating system.

An example:

http://192.168.1.5/pricelist.php?file=c:\windows\system32\drivers\etc\hosts

The file path can be further manipulated by including "../" or "..\".
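The defensive counterpart of the file-parameter manipulation described above is a resolver that normalizes whatever the user supplied and then checks that the result still lies under the intended base directory. The following is an added example, not code from the original page; the base directory /var/www/pricelists and the function names are assumptions. It treats backslashes as separators (so "..\" is handled like "../"), decodes percent-encoding a bounded number of times (so "%2e%2e%2f" and the double-encoded "%252e%252e%252f" are seen as "../"), and rejects absolute paths, drive letters and NUL bytes outright:

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the file parameter (hypothetical path).
BASE_DIR = "/var/www/pricelists"


def resolve_under_base(base_dir: str, user_path: str, max_decode_rounds: int = 2):
    """Return the normalized absolute path if user_path stays strictly inside base_dir,
    otherwise None. Pure string logic: nothing on disk is touched."""
    # Decode percent-encoding repeatedly (bounded) so double-encoded traversal is seen.
    decoded = user_path
    for _ in range(max_decode_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Normalize Windows separators so "..\" is treated exactly like "../".
    decoded = decoded.replace("\\", "/")

    # Reject absolute paths, drive letters (e.g. "c:") and embedded NUL bytes outright.
    if decoded.startswith("/") or ":" in decoded or "\x00" in decoded:
        return None

    # Join to the base and collapse "." / ".." components, then check containment.
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def resolve_pricelist(user_path: str):
    """Convenience wrapper bound to the assumed BASE_DIR."""
    return resolve_under_base(BASE_DIR, user_path)


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and several traversal variants.
    for value in [
        "2023.txt",
        "sub/../2023.txt",
        "../../../etc/passwd",
        "..\\..\\..\\windows\\system32\\drivers\\etc\\hosts",
        "%2e%2e%2fetc%2fpasswd",
        "%252e%252e%252fetc%252fpasswd",
        "c:\\windows\\system32\\drivers\\etc\\hosts",
        "/etc/passwd",
    ]:
        print(f"{value!r:55} -> {resolve_pricelist(value)}")
```

The containment check compares the normalized candidate against the base prefix rather than searching the raw input for ".." substrings, which is why "sub/../2023.txt" is accepted (it normalizes to a file inside the base) while every variant that escapes the base is rejected regardless of how it was encoded.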

Dotdotpwn

Dotdotpwn is a tool for testing whether a web application is susceptible to directory traversal attacks. The tool can be run with the following command:

./dotdotpwn.pl -m http -h 10.11.1.10 -M GET -o windows -d 10

-m - The protocol (module) to use

-h - The host IP address to be tested

-M - The HTTP method to be used

-o - The operating system, if known. This reduces the testing time because payloads for other operating systems are skipped entirely.

-d - The depth of the directory traversal to be tested. This is one of the most important parameters to set. The default is 6; the depth needed varies with the operating system and web server.
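A traversal fuzzer like the one described above produces a burst of requests from one source, each carrying "../" or "..\" sequences at increasing depth, so its activity is easy to spot in web server access logs. The following is an added example, not code from the original page or from the dotdotpwn project: it parses constructed Apache-style log lines, counts traversal sequences in the decoded request path, and reports per-source counts plus any traversal request that was answered with HTTP 200 (the case that needs immediate follow-up). The log lines, IP addresses and thresholds are all constructed for the example:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
10.11.1.50 - - [10/Oct/2023:13:55:36 +0000] "GET /pricelist.php?file=2023.txt HTTP/1.1" 200 512
10.11.1.77 - - [10/Oct/2023:13:55:37 +0000] "GET /pricelist.php?file=../../../../etc/passwd HTTP/1.1" 200 1043
10.11.1.77 - - [10/Oct/2023:13:55:37 +0000] "GET /pricelist.php?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1043
10.11.1.77 - - [10/Oct/2023:13:55:38 +0000] "GET /pricelist.php?file=..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts HTTP/1.1" 404 210
10.11.1.77 - - [10/Oct/2023:13:55:38 +0000] "GET /pricelist.php?file=....//....//....//etc/passwd HTTP/1.1" 400 0
10.11.1.50 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# One traversal step: ".." followed by a forward slash or a backslash.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def traversal_depth(raw_path: str) -> int:
    """Number of '../' or '..\\' steps in the percent-decoded request path."""
    return len(TRAVERSAL_RE.findall(unquote(raw_path)))


def analyze_log(text: str, depth_threshold: int = 1):
    """Return (alerts, per_ip): alerts lists every request whose decoded path contains
    at least depth_threshold traversal steps; per_ip counts those requests per source."""
    alerts = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the whole run
        depth = traversal_depth(m["path"])
        if depth >= depth_threshold:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                           "depth": depth, "status": int(m["status"])})
            per_ip[m["ip"]] += 1
    return alerts, per_ip


def likely_successful(alerts):
    """Traversal requests the server answered with 200: the ones to triage first."""
    return [a for a in alerts if a["status"] == 200]


def scanning_sources(per_ip: Counter, min_requests: int = 3):
    """Sources that issued at least min_requests traversal requests (fuzzer-like volume)."""
    return sorted(ip for ip, n in per_ip.items() if n >= min_requests)


if __name__ == "__main__":
    alerts, per_ip = analyze_log(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ip']} depth={a['depth']} status={a['status']} {a['path']}")
    print("scanning sources:", scanning_sources(per_ip))
    print("answered 200:", len(likely_successful(alerts)))
```

Decoding the path before matching is what catches the "..%2f" form; the "....//" variant is counted at a lower depth because only the inner "../" matches, which is a reminder that the depth number is a triage aid and any non-zero count from an unexpected source deserves a look.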
