The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws



Chapter 10

Exploiting Path Traversal




The application returns the following error message:

passwd.log not found in /etc directory!

What input should you submit next to try to retrieve the passwd file?

2. You are probing for path traversal flaws in a file download function. The following URL returns the file called foo.txt:

https://wahh-app.com/showFile.php?f=foo.txt

After some experimentation, you discover that supplying the input ../foo.txt returns the original file, whereas supplying the input bar/../foo.txt returns an error. What might be the cause of this unusual behavior, and how can you attempt to refine your attack?

3. An application uses URLs like the following to view various configuration files:

https://wahh-app.com/manage/customize.asp?file=default.xml

You have determined that the file specified is normally retrieved from the /contrib directory within the web root. However, requesting the following URL:

https://wahh-app.com/manage/customize.asp?file=../../../../boot.ini

results in an HTTP 500 status code and the following error message:

Microsoft VBScript runtime (0x800A0046)
Permission denied

What is the likely cause of this message, and how can you proceed towards exploitation?

4. You have located a file handling function that appears to be vulnerable to path traversal attacks. However, you have no idea what the location of the starting directory is, or how many traversal sequences you need to insert to get to the file system root. How can you proceed without this information?

5. You have located a path traversal vulnerability. However, the starting directory is within a separate logical volume that is only used for hosted web content. Is it possible to exploit this vulnerability to any malicious effect?
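Question 4 turns on how traversal sequences resolve when the starting directory is unknown. The following Python model is an added example and is not part of the book's text or of any application it describes: it generates probe inputs of increasing depth, runs them through a deliberately unsafe file resolver to show why an attacker can simply over-supply ../ sequences (extra ones are absorbed at the filesystem root), and contrasts that with a hardened resolver that canonicalises the path and then checks containment. The base directory /var/www/app/files, the target /etc/passwd and every function name are assumptions chosen for illustration; both resolvers model normalisation with posixpath and never touch a real filesystem.

```python
import posixpath


def traversal_candidates(target, max_depth=8, sequence="../"):
    """Build probe inputs for an unknown starting-directory depth.

    One candidate per depth from 1 to max_depth. On most platforms a surplus
    of '..' components is harmless because '..' at the filesystem root
    resolves to the root itself, so probing upward in depth is cheap.
    """
    target = target.lstrip("/")
    return [sequence * depth + target for depth in range(1, max_depth + 1)]


def vulnerable_resolve(base_dir, user_path):
    """Model of an unsafe handler (assumed behaviour, not any real product):
    joins the user-supplied name onto the base directory and normalises it,
    with no check that the result still lies inside base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def safe_resolve(base_dir, user_path):
    """Hardened handler: canonicalise first, then require the result to be
    base_dir itself or a path strictly beneath it (the trailing '/' stops a
    sibling such as base_dir + '2' from passing the prefix check)."""
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, user_path))
    if full != base and not full.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return full


def find_minimum_depth(resolver, base_dir, target, max_depth=8):
    """Probe increasing depths against a resolver; return the smallest depth
    whose candidate reaches target, or None if none does (for example when
    the resolver rejects every traversal attempt)."""
    candidates = traversal_candidates(target, max_depth)
    for depth, candidate in enumerate(candidates, start=1):
        try:
            if resolver(base_dir, candidate) == target:
                return depth
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Assumed, illustrative starting directory; an attacker does not know it.
    BASE = "/var/www/app/files"
    TARGET = "/etc/passwd"
    for candidate in traversal_candidates(TARGET, max_depth=6):
        print(f"{candidate:35} -> {vulnerable_resolve(BASE, candidate)}")
    print("minimum depth (vulnerable):", find_minimum_depth(vulnerable_resolve, BASE, TARGET))
    print("minimum depth (hardened):  ", find_minimum_depth(safe_resolve, BASE, TARGET))
```

Against the unsafe resolver the probe succeeds from depth 4 upward and keeps succeeding at every larger depth, which is why an attacker who does not know the starting directory can send a long run of ../ sequences rather than guess the exact count. The hardened resolver rejects every candidate because it canonicalises before comparing. The model deliberately omits URL decoding, backslash separators, and null-byte truncation; a real handler has to normalise those before the containment check, or the check is applied to a different string than the one the filesystem eventually sees.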



