The Power of Directory Traversal

Written by ajdumanhug | Published 2016/10/22
Tech Story Tags: directory-traversal | website-security | cybersecurity | hacking


Image from https://metafied.wordpress.com/2015/04/27/troubleshoot-etcpasswd-file/

Directory Traversal is an attack technique that lets an attacker read restricted directories and files on a website by supplying path sequences such as ../ in user-controlled input, reaching paths outside the web server's root directory.

Weekend, no work, chill time. So I decided to test the security of a website. I started by using a Google Dork (an advanced search technique on Google):

site:.ph inurl:"Upload/download.php"

Executing the dork above on Google gives me these results:

So, I got 4 results with the same URL scheme:

site.ph/Upload/download.php?b=something&d=something&t=something

I figured out that the "b" parameter is the file name, the "d" parameter is the directory of the file, and the "t" parameter is the MIME type of the file.

This kind of URL scheme quickly reminded me that it is possibly vulnerable to Directory Traversal.

Here's the URL I browsed to test whether the site is vulnerable to Directory Traversal:

site.ph/Upload/download.php?b=Test.txt&d=../../../../../../../../../../etc/passwd&t=text/html

After browsing the URL above, a dialog popped up asking me to download a file. Here's the content of the file I downloaded:
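The payload above works because the handler joins the user-supplied d parameter onto its upload folder and serves whatever path results, while b only names the downloaded file. The example below is added here and is not the site's download.php; it assumes a constructed upload root of /var/www/site.ph/Upload and reconstructs the vulnerable join next to a hardened version that canonicalises the path and refuses anything that leaves the root.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed on-disk location of the site's Upload folder (constructed for this example).
UPLOAD_ROOT = "/var/www/site.ph/Upload"


def vulnerable_download_path(root: str, d: str) -> str:
    """How a handler like the one in the post appears to behave: the user-supplied
    d parameter is joined straight onto the upload root, so every "../" walks one
    level up and the resulting path is served without any containment check."""
    return posixpath.normpath(posixpath.join(root, d))


def safe_download_path(root: str, d: str, b: str) -> Optional[str]:
    """Hardened version: return the file to serve, or None if the request must be
    refused. The candidate path is canonicalised and the upload root must still
    be its prefix, compared component by component rather than as a string."""
    # Embedded NUL bytes can truncate paths in C-backed file APIs; refuse them outright.
    if "\x00" in d or "\x00" in b:
        return None
    # b is only used as the download name, so it must be a bare file name.
    if not b or b in (".", "..") or posixpath.basename(b) != b:
        return None
    root = posixpath.normpath(root)
    # posixpath.join discards root when d is absolute, so "/etc/passwd" survives
    # to the containment check below and is rejected there.
    candidate = posixpath.normpath(posixpath.join(root, d))
    # commonpath works on whole components, so "/var/www/site.ph/Upload2/x" is
    # rejected even though it starts with the root as a string.
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


def evaluate_download_url(url: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Parse a download.php-style URL and run its b and d parameters through the
    hardened check. Returns the path that would be served, or None if refused."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    d = params.get("d", [""])[0]
    b = params.get("b", [""])[0]
    return safe_download_path(root, d, b)


if __name__ == "__main__":
    payload = ("site.ph/Upload/download.php?b=Test.txt"
               "&d=../../../../../../../../../../etc/passwd&t=text/html")
    print("vulnerable join resolves to:",
          vulnerable_download_path(UPLOAD_ROOT, "../../../../../../../../../../etc/passwd"))
    print("hardened check returns:", evaluate_download_url(payload))
```

The check runs on the already percent-decoded parameter values, which is what a web server hands the script; it is deliberately lexical (posixpath) so it behaves the same on any platform. On a real host, open the file only after resolving symlinks with os.path.realpath and re-running the same containment test on the result, and send b through Content-Disposition, never as part of the path.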

Yes, they're vulnerable! Now it's time to use a tool to enumerate their directories and find some interesting files.

While the tool was enumerating directories and files, I noticed a file called connectDB.php, and I knew I could use directory traversal to download it. So here's the payload I used:

site.ph/Upload/download.php?b=Test.txt&d=../something/something/connectDB.php&t=text/html

Yes, I successfully downloaded the connectDB.php file, and here's its content:

<?php
// Older connection line, left commented out in the file: the root account with an empty password.
// $cnx_id = @mysql_pconnect('localhost', 'root', '');
$cnx_id = @mysql_pconnect('localhost', 'admin', 'admin@abcdef');
@mysql_select_db('redactedDB');
?>

Alright! I got their database details, but what if there's something more? So I ran the tool again to enumerate more directories and files.

What? A DB (database) directory? Is it a login page for the database or a collection of backed-up databases? Let's find out:

So I browsed to site.ph/db/ and found these .sql files:

Okay, I’m done.
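Seen from the defender's side, every request in this story (the two traversal payloads and the enumeration tool's probes) leaves a line in the web server's access log, and the ../ sequences are easy to spot as long as percent-encoded and double-encoded forms are decoded before matching. The script below is an added example, not part of the original post; the Apache-style log lines it scans are constructed for the example, with the traversal requests modelled on the URLs shown above.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache combined-format lines (not from the post). Lines 1, 3 and 5
# carry traversal payloads in raw, single-encoded and double-encoded form.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2016:10:01:12 +0800] "GET /Upload/download.php?b=Test.txt&d=../../../../../../../../../../etc/passwd&t=text/html HTTP/1.1" 200 2347 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2016:10:02:31 +0800] "GET /Upload/download.php?b=q1.pdf&d=reports/2016/q1.pdf&t=application/pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Oct/2016:10:03:40 +0800] "GET /Upload/download.php?b=Test.txt&d=..%2Fsomething%2Fsomething%2FconnectDB.php&t=text/html HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Oct/2016:10:05:02 +0800] "GET /db/ HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Oct/2016:10:06:55 +0800] "GET /Upload/download.php?b=x&d=%252e%252e%252fconfig.php&t=text/html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by a forward or back slash.
DOTDOT_RE = re.compile(r"\.\.[/\\]")


def decode_rounds(s: str, max_rounds: int = 3) -> List[str]:
    """Return s followed by successive percent-decodings until it stops changing,
    so that double-encoded payloads (%252e -> %2e -> .) are unwrapped too."""
    rounds = [s]
    for _ in range(max_rounds):
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            break
        rounds.append(nxt)
    return rounds


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Flag every request whose target contains a dot-dot segment at any decode
    depth. 'served' marks the ones the server answered with 200, which are the
    requests that most likely handed the file over."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for depth, form in enumerate(decode_rounds(m["target"])):
            if DOTDOT_RE.search(form):
                status = int(m["status"])
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": status,
                    "served": status == 200, "target": m["target"],
                    "decoded": form, "decode_depth": depth,
                })
                break
    return hits


def attempts_by_ip(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source address, the usual pivot for a triage."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        print(h["ip"], h["status"], "depth", h["decode_depth"], h["decoded"])
    print(attempts_by_ip(find_traversal_attempts(SAMPLE_LOG)))
```

The decoded form is kept in each hit so an analyst can read the path that was actually requested, and a 200 on a flagged line is the signal to prioritise: it means the handler resolved the path and returned content, exactly what the downloads in this post look like from the server side.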

I hope you learned something from this blog. :)

Allan Jay Dumanhug is the Founder and CEO of Secuna, a security program management service. Prior to Secuna, Allan worked as an IT Security Analyst at the University of the Philippines Diliman eUP Project and was formerly a top hacker on Facebook (Q1 of 2016) and HackerOne.

Please visit https://secuna.ph/ for more info.


Published by HackerNoon on 2016/10/22