Awsome yet unlucky path traversalWhere to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?
Are there other languages, besides English, where the indefinite (or definite) article varies based on sound?
Could the Saturn V actually have launched astronauts around Venus?
How to deal with a cynical class?
Awsome yet unlucky path traversal
Should we release the security issues we found in our product as CVE or we can just update those on weekly release notes?
What do Xenomorphs eat in the Alien series?
Identifying the interval from A♭ to D♯
What should tie a collection of short-stories together?
PTIJ: Who should I vote for? (21st Knesset Edition)
Welcoming 2019 Pi day: How to draw the letter π?
compactness of a set where am I going wrong
Does someone need to be connected to my network to sniff HTTP requests?
Python if-else code style for reduced code for rounding floats
How to terminate ping <dest> &
How could a scammer know the apps on my phone / iTunes account?
Who is flying the vertibirds?
What approach do we need to follow for projects without a test environment?
What did Alexander Pope mean by "Expletives their feeble Aid do join"?
It's a yearly task, alright
Why is the President allowed to veto a cancellation of emergency powers?
Did Ender ever learn that he killed Stilson and/or Bonzo?
Interplanetary conflict, some disease destroys the ability to understand or appreciate music
The difference between「N分で」and「後N分で」
Why did it take so long to abandon sail after steamships were demonstrated?
Awsome yet unlucky path traversal
Where to find a fake hierarchy for a honeypot for double-dot/path traversal attacks?Danger of Path Traversal AttacksFinding Directory traversal vulnerabilityAlternative ways to exploit this path traversalPath traversal exploitExecute cmd commands with http directory traversal attackWhat is the most valuable file you can get using a directory traversal holeIs jQuery 2.1.1 vulnerable to OS command injection?On company intranet yet web server picked up URL scanning-type requests?Preventing Path Traversal Best Practise?
I am performing a penetration testing on an application hosted on an Ubuntu environment.
So using a path traversal vulnerability, I can download any file.
The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.
What I have tried:
- Search for logs that can lead me to the path. nginx or apache2 is not there.
- Search for nginx, apache2 or other configuration files
- Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)
- Bash histories of all users
What else should I try?
web-application penetration-test webserver operating-systems web-service
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
add a comment |
I am performing a penetration testing on an application hosted on an Ubuntu environment.
So using a path traversal vulnerability, I can download any file.
The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.
What I have tried:
- Search for logs that can lead me to the path. nginx or apache2 is not there.
- Search for nginx, apache2 or other configuration files
- Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)
- Bash histories of all users
What else should I try?
web-application penetration-test webserver operating-systems web-service
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
What about the /opt location?
– Jeroen - IT Nerdbox
3 hours ago
@Jeroen-ITNerdbox no luck :)
– Lucian Nitescu
3 hours ago
@hiburn8 "Bash histories of all users"
– Lucian Nitescu
2 hours ago
add a comment |
I am performing a penetration testing on an application hosted on an Ubuntu environment.
So using a path traversal vulnerability, I can download any file.
The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.
What I have tried:
- Search for logs that can lead me to the path. nginx or apache2 is not there.
- Search for nginx, apache2 or other configuration files
- Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)
- Bash histories of all users
What else should I try?
web-application penetration-test webserver operating-systems web-service
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
I am performing a penetration testing on an application hosted on an Ubuntu environment.
So using a path traversal vulnerability, I can download any file.
The API web application runs as root (shadow and brute-force are already my friends). Funny situation: I can not find the web root folder.
What I have tried:
- Search for logs that can lead me to the path. nginx or apache2 is not there.
- Search for nginx, apache2 or other configuration files
- Search for common directories of web roots (https://serverfault.com/questions/144598/where-should-the-web-server-root-directory-go-in-linux)
- Bash histories of all users
What else should I try?
web-application penetration-test webserver operating-systems web-service
web-application penetration-test webserver operating-systems web-service
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
asked 3 hours ago
Lucian NitescuLucian Nitescu
1,287416
1,287416
What about the /opt location?
– Jeroen - IT Nerdbox
3 hours ago
@Jeroen-ITNerdbox no luck :)
– Lucian Nitescu
3 hours ago
@hiburn8 "Bash histories of all users"
– Lucian Nitescu
2 hours ago
add a comment |
What about the /opt location?
– Jeroen - IT Nerdbox
3 hours ago
@Jeroen-ITNerdbox no luck :)
– Lucian Nitescu
3 hours ago
@hiburn8 "Bash histories of all users"
– Lucian Nitescu
2 hours ago
What about the /opt location?
– Jeroen - IT Nerdbox
3 hours ago
What about the /opt location?
– Jeroen - IT Nerdbox
3 hours ago
@Jeroen-ITNerdbox no luck :)
– Lucian Nitescu
3 hours ago
@Jeroen-ITNerdbox no luck :)
– Lucian Nitescu
3 hours ago
@hiburn8 "Bash histories of all users"
– Lucian Nitescu
2 hours ago
@hiburn8 "Bash histories of all users"
– Lucian Nitescu
2 hours ago
add a comment |
1 Answer
1
active
oldest
votes
Use the traversal vulnerability to read
/proc/self/environ
This prints out environment variables among other thread information.
Look for a environment variable called DOCUMENT_ROOT
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Use the traversal vulnerability to read
/proc/self/environ
This prints out environment variables among other thread information.
Look for a environment variable called DOCUMENT_ROOT
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
add a comment |
Use the traversal vulnerability to read
/proc/self/environ
This prints out environment variables among other thread information.
Look for a environment variable called DOCUMENT_ROOT
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
add a comment |
Use the traversal vulnerability to read
/proc/self/environ
This prints out environment variables among other thread information.
Look for a environment variable called DOCUMENT_ROOT
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
Use the traversal vulnerability to read
/proc/self/environ
This prints out environment variables among other thread information.
Look for a environment variable called DOCUMENT_ROOT
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
answered 2 hours ago
DaisetsuDaisetsu
4,21811021
4,21811021
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205470%2fawsome-yet-unlucky-path-traversal%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
What about the /opt location?
– Jeroen - IT Nerdbox
3 hours ago
@Jeroen-ITNerdbox no luck :)
– Lucian Nitescu
3 hours ago
@hiburn8 "Bash histories of all users"
– Lucian Nitescu
2 hours ago