Directory Traversal and Command Injection – CompTIA Security+ SY0-401: 3.5

The bad guys can take a poorly configured web server and get access to the server’s entire file system. In this video, you’ll learn about directory traversal and how to protect your web server against command injections.



A web server is a relatively closed environment. We get on to the server, we have access to certain pages and certain applications, and usually that’s it. You don’t have any more access than that. Of course, behind the scenes there’s a full-blown computer. It’s running an operating system, there are many files and many directories, and that machine probably has access to other machines in your environment. But you’re not supposed to have access to that. You’re only supposed to have access to just the web server piece.

Of course, there are times when that is not the case and you do have access to other parts of the computer that you normally should not. It’s probably because there’s a misconfigured web server, or the web server itself has some vulnerable code, or maybe the applications you’re using on that web server are giving you access to the web server computer that normally you shouldn’t have. This is generally a bad thing, because if the bad guys get a hold of that, they can run their own programs right there in the web server if they want to. And if they’re using directory traversal to get around what normally would be your website, they can run the programs that are on your computer that normally they should not have access to.

When we’re looking at the directories of a web server, it looks something like this. This is one that I’m running right now, where right off the root I have a lot of different folders. My web server folder is actually under the lampp/htdocs directory, and inside of that is the web server. This part, in green, is really the only part you would see if you went to the web server. You’re not supposed to be able to go to any of these other directories back here. You’re only supposed to see this little world.

So what happens if you get access to some of these folders and you can run applications there through command injection? Let’s try doing some of that ourselves and see what we can do. Let’s see what happens when we use a misconfigured web server and some vulnerable applications to get around some of the directories, to traverse them and to inject our own commands into these applications.

I’m using an application called DVWA. You can go to Google and search for DVWA. It’s a vulnerable web application with a set of tests that you can do, so you could run this on your own servers and do the same thing that I’m doing here. There’s a set of file inclusions here that I can run, where it gives me information on the screen; it just outputs what’s in a file. Well, I’m going to use this very poorly written script to output a file that’s located elsewhere on the server. So what I’m going to do is get rid of the include.php that’s being included. Instead, I’m going to go to the /etc directory and simply write out the password file and hit enter. And you can see, if you’re familiar with the Linux/Unix password file, this is the file. So I’ve been able to take this bad app or this bad script that runs on this web server, go into a section of the web server I should not have access to, and output a file that has sensitive information about what’s on this server.

That’s just one way of traversing those directories to be able to see that information. Now let’s inject our own commands into this. There’s another one of these that is a command execution, where normally you’d be able to ping from here. So I can put in an IP address and hit submit, and it will ping out there and give you the results of that ping command. And there it is on my server. There are the results. But it’s a poorly written application, and I can escape around some of these things and put my own commands in there, like the ifconfig command to see what the configuration of this server is. So anything the web server can run, any applications that can be run by that web server, I’m able to run right here in the web browser. Obviously, having that directory traversal and being able to inject my own commands puts this particular server at risk. And those are the things that we’d like to try to avoid when we’re configuring our web servers and our applications.
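To make the protection side concrete, here is an added example (not code from the video or from DVWA) of the two server-side checks that stop both demonstrations: resolving the requested page and confirming it stays inside the document root, and validating the ping target as an IP address before building an argument list that never passes through a shell. The function names, the `Rejected` exception, the temporary document root and the Linux-style `ping -c 4` arguments are assumptions made for the example.

```python
import ipaddress
import os
import tempfile

class Rejected(ValueError):
    """Raised when a request parameter fails validation (hypothetical name)."""

def resolve_page(doc_root: str, page: str) -> str:
    """Map a 'page' parameter to a file path, refusing anything outside doc_root."""
    root = os.path.realpath(doc_root)
    # realpath collapses ../ sequences and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        raise Rejected(f"outside document root: {page!r}")
    if not os.path.isfile(candidate):
        raise Rejected(f"no such page: {page!r}")
    return candidate

def ping_argv(target: str) -> list[str]:
    """Build an argument vector for ping; the target must parse as an IP address."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise Rejected(f"not an IP address: {target!r}") from None
    # A list handed to subprocess.run(..., shell=False) is never parsed by a
    # shell, so shell metacharacters in the input carry no special meaning.
    return ["ping", "-c", "4", str(addr)]

def demo() -> dict:
    """Run constructed inputs through both checks and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:  # constructed document root
        with open(os.path.join(root, "include.php"), "w") as fh:
            fh.write("<?php ?>")
        for page in ("include.php", "../../../../etc/passwd", "/etc/passwd"):
            try:
                resolve_page(root, page)
                results[page] = "served"
            except Rejected:
                results[page] = "rejected"
    for target in ("192.0.2.10", "192.0.2.10; ifconfig", "not-an-ip"):
        try:
            results[target] = ping_argv(target)
        except Rejected:
            results[target] = "rejected"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The path check compares the resolved path, not the raw string, so encoded or nested `../` variants that resolve outside the root are refused the same way.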