Allan Jay Dumanhug

@ajdumanhug

The Power of Directory Traversal

Image from https://metafied.wordpress.com/2015/04/27/troubleshoot-etcpasswd-file/

Directory Traversal is a hacking method which allows the attacker to access restricted directories and files within the website and execute a command outside the web server’s root directory.

Weekends, No work, Chill Time. So, I decided to test the security of a website. I started it by using a Google Dork (Advanced Search Technique on Google)

site:.ph inurl:”Upload/download.php”

Executing the dork above on Google gives me these results:

So, I got 4 results with same URL Scheme

site.ph/Upload/download.php?b=something&d=something&t=something

I figured out that the “b” parameter is the File Name, “d” parameter is directory of the file, and “t” parameter is the MIME type of the file.

So, It quickly reminds me that this kind of URL Scheme is possibly vulnerable to Directory Traversal.

Here’s the URL I browsed to test if the site is vulnerable to Directory Traversal:

site.ph/Upload/download.php?b=Test.txt&d=../../../../../../../../../../etc/passwd&t=text/html

After browsing the URL above, something popped out and asked me to download a file and here’s the content of the file I have downloaded.

Yes, they’re vulnerable! Now, it’s time to use a tool to enumerate their directory and find some interesting files.

While the tool is enumerating directories and files, I noticed a file called connectDB.php and I know I can do directory traversal to download the file. So, here’s the payload I used:

site.ph/Upload/download.php?b=Test.txt&d=../something/something/connectDB.php&t=text/html

Yes, I have successfully download the connectDB.php file and here’s the content of the file:

<?php
//$cnx_id = @mysql_pconnect(‘localhost’,’root’,’’);
$cnx_id = @mysql_pconnect(‘localhost’,’admin’,’admin@abcdef');
@mysql_select_db(‘redactedDB’);
?>

Alright! I got their Database Details but what if there’s something more? So, I ran the tool again to enumerate more directory and files.

What? A DB(Database) Directory? Is it a login page to database or a collection of backed up databases? Let’s find out:

So, I browsed the site.ph/db/ and found theses .sql files:

Okay, I’m done.

I hope you learned something with this blog. :)

Allan Jay Dumanhug is the Founder and CEO of Secuna, a security program management service. Prior to Secuna, Allan worked as an IT Security Analyst at University of the Philippines Diliman eUP Project and former top hacker on Facebook(Q1 of 2016) and HackerOne.

Please visit https://secuna.ph/ for more info.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMI family. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!

More by Allan Jay Dumanhug

Topics of interest

More Related Stories