Directory Traversal/Command Injection

Directory Traversal and Command Injection: If an attacker is able to gain access to restricted directories (such as the root directory) through HTTP, it is known as a directory traversal attack.

If the attackers can gain access to the root directory of a system (which is limited from all but administrative users), they can essentially gain access to everything on the system.

Bear in mind that the root directory of a website is far from the true root directory of the server; an absolute path to the site’s root directory is likely to be something in IIS (Internet Information Server), such as C:\inetpub\wwwroot.

If an attacker can get out of this directory and get to C:\windows, the possibility for inflicting harm is increased exponentially.

One of the simplest ways to perform directory traversal is by using a command Injection attack that carries out the action.

For example, exploiting a weak IIS implementation by calling up a web page along with the parameter cmd.exe?/c+dir+c:\ would call the command shell and execute a directory listing of the root drive (C:\).

With Unicode support, entries such as %C%1C and %C%af can be translated into / and \ respectively.

The ability to perform command injection is rare these days. Most vulnerability scanners will check for weaknesses with directory traversal/command injection and inform you of their presence.

To secure your system, you should run such a scanner and keep the web server software patched.

Related Articles

Leave a Reply

Back to top button