File inclusion & Path traversal

Vulnerabilities include: path/directory traversal (dot-dot-slash) and local/remote file inclusion. Related techniques will be discussed.


Last updated 23 days ago

The most common default base directory for web content is /var/www, for example /var/www/html.

List of common files to read

The following list includes some of the common files to read when a file inclusion vulnerability is discovered:

Linux

  • /proc/version: Version of the Linux kernel

  • /etc/shadow: contains the hashed passwords of the system's users

  • /etc/passwd: contains information about all registered users that have access to the system

  • /root/.bash_history: contains the command history of the root user

  • /root/.ssh/id_rsa: contains the private SSH key of root (the same path under another user's home directory holds that user's key)

Windows

  • C:\boot.ini: contains the boot options for computers with BIOS firmware

Path traversal attack with wfuzz

E.g. suppose we have found a PHP file on the server named file.php that accepts a query parameter named input and returns the contents of the specified file. A fuzzing tool can be used to test which paths are vulnerable to a traversal attack.

Basic command with wfuzz:

$ wfuzz -w <path_to_wordlist> "<url>/file.php?input=FUZZ"

Sometimes many uninteresting results are returned. Filter flags such as --hc (hide responses with the given status code) and --hl (hide responses with the given number of lines) can be used to drop unwanted results.

The following wordlist can be used: /usr/share/wfuzz/wordlist/Injections/traversal.txt
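The fuzzing run described above leaves a characteristic trail in the web server's access log. The following detection script is an added example (not from the original page): it parses constructed Apache-style log lines, repeatedly URL-decodes each request target to catch single and double encoding, and flags dot-dot-slash sequences whatever the response status, since blocked attempts (403/404) are as interesting to a defender as successful ones.

```python
import re
import urllib.parse

# Constructed sample access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /file.php?input=about.txt HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /file.php?input=../../../../etc/passwd HTTP/1.1" 200 1834
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /file.php?input=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 199
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /file.php?input=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 211
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /file.php?input=....//....//etc/passwd HTTP/1.1" 200 1834
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /static/css/main.css HTTP/1.1" 200 3021
"""

# Client IP, request target (path plus query string) and status code of one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any "../" (or "..\") after decoding; this also catches the "....//" filter-evasion
# form, because stripping one "../" from it still leaves "../".
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded input is seen as the
    server would eventually see it, and unify path separators."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def traversal_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (ip, status, normalized_target) for every request that contains
    a traversal sequence or an embedded null byte, regardless of status code."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        norm = normalize(match["target"])
        if TRAVERSAL_RE.search(norm) or "\x00" in norm:
            hits.append((match["ip"], match["status"], norm))
    return hits


if __name__ == "__main__":
    for ip, status, target in traversal_hits(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run against a real log, the per-IP count of hits is the useful signal: a fuzzer produces hundreds of such lines from one address in seconds.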

Null-byte injection

A null byte is a control character with a value of zero. It can be represented as 0x00 in hex, %00 in URL encoding, or simply \0 in the C programming language, where it marks the end of a string (also known as a null terminator or null character).

In a null-byte injection attack, the null byte is used to bypass input validation. Languages used on the web such as PHP use string-handling functions similar to those of C, so they can be vulnerable to this attack: the null byte is interpreted as the string terminator, and whatever follows it (for example a file extension appended by the application) is silently dropped.
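The following added example (not code from the original page) models both behaviours side by side in Python. legacy_include_path emulates the C-style truncation the text describes, where an application appends a fixed suffix but the file API stops at the first null byte; safe_include_path is the hardened version, which rejects null bytes, canonicalises the path and requires the result to stay under the page's /var/www/html web root. The function names, the ".php" suffix and the check helpers are assumptions for illustration.

```python
import os
import urllib.parse

BASE_DIR = "/var/www/html"  # default web root named on the page


def legacy_include_path(user_input: str, suffix: str = ".php") -> str:
    """Emulates the vulnerable pre-fix behaviour: the application appends a fixed
    suffix, but a C string stops at the first null byte, so the suffix (and the
    intended restriction) is silently lost. Illustration only, never use."""
    raw = urllib.parse.unquote(user_input)        # "%00" becomes "\x00"
    full = f"{BASE_DIR}/{raw}{suffix}"
    return full.split("\x00", 1)[0]               # what a C-level API would see


class UnsafePath(ValueError):
    """Raised when user input would resolve outside the web root."""


def safe_include_path(user_input: str, suffix: str = ".php", base: str = BASE_DIR) -> str:
    """Hardened resolver: reject null bytes outright, canonicalise the joined
    path (resolving "../"), then require it to remain inside the web root.
    In production use os.path.realpath so symlinks are resolved too."""
    raw = urllib.parse.unquote(user_input)
    if "\x00" in raw:
        raise UnsafePath("null byte in filename")
    # os.path.join discards base if raw is absolute; the containment test below
    # catches that case as well as any "../" escape.
    candidate = os.path.normpath(os.path.join(base, raw + suffix))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"path escapes web root: {candidate}")
    return candidate


def is_allowed(user_input: str) -> bool:
    """Convenience wrapper: True if the input resolves to a permitted path."""
    try:
        safe_include_path(user_input)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    for probe in ("about", "../../../etc/passwd%00", "/etc/passwd"):
        print(f"{probe!r}: legacy={legacy_include_path(probe)!r} allowed={is_allowed(probe)}")
```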

This issue is fixed in PHP 5.3.4.

https://bugs.php.net/bug.php?id=39863

Automated file inclusion tool (test pending)

GitHub - kurobeats/fimap: fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.

References: Basic Usage — Wfuzz 2.1.4 documentation (Fuzzing examples); TryHackMe | Cyber Security Training