Hide and seek: How to attack using open access files and directories

Open access files and directories stored on an application server are considered one of the most widespread security issues. This is obvious given that an attacker can gain access to confidential data. The consequences of attacks are specific and depend on how contents can be used for malicious purposes. Path names can be predictable if they reflect the purpose of files and directories:

  • admin panel files (/admin.php);
  • backups and logs (/log.txt; /back.sql; /backup.tar.gz), which help an adversary reconstruct the web project structure;
  • version control system files (/.git);
  • debug files (/test.php);
  • hidden copies of editable files (/admin.php~).

Searching for directories like admin consoles is a straightforward task. You can do it by typing different supposed paths in the browser’s address bar or navigating between directories with a sequence of characters ../. Since manual brute forcing is a laborious and time-consuming task, attackers use automated tools like dirb and dirsearch to facilitate the process.

Just a sample

Suppose, we have a web application with the following structure:

Let’s search for hidden resources on its server. Run dirsearch in the console using the command:

To run DIRB, use this command:

In these commands, we’ve specified the file extensions we are looking for. Here they are:

  • txt,log — log files with text
  • html,php — hidden pages (e.g., test.php, admin.html)
  • zip,gz,tar.gz — archives that may contain backup files (e.g., backup.zip, backup.tar.gz)
  • conf,cnf — config files (e.g., admin.conf)
  • sql,bak — sql database backups

So, we’ve found new files and directories:

Let’s take a closer look at them:

access.log — a log file that may contain any debugging information, like user visits, personal account access, user ID, etc. For example, the author of the report got access to user data like:

  • User Device Information
  • Redacted Token
  • Client IP Address
  • Description
  • Session ID
  • User ID
  • Team ID

This information could be used to access personal accounts or services that require authentication.

backup — a directory that may contain archives with web application backups. Backups may store lots of critical data, like source codes, passwords, personal data of users, etc. To analyze this directory, we have to specify its path in dirsearch:

In this directory, we found the following file:

test.php — debugging scripts may enable functionality that will allow us to compromise the server. If exposed, these files are usually bad news. For example, the author of the report found check.php, which disclosed information about the server, environment variables, etc. All that can be used to compromise a server.

So, we’ve already found several dangerous files — access.log, backup.sql, and test.php. We have to download them from the remote server and analyze them. Enter http://10.0.2.10/access.log in the browser's address bar. Now, do the same thing for all other files. We can use the results of the analysis to get access to the web application.

.git — a directory that usually stores changes and artifacts of the git version control system. Let’s take a closer look at it. Thus, we will be able to access the source code of the application! Take, for example, the report whose author found this directory and got access to files including config files and keys to access the server:

  • ansible/provision.yml
  • ansible/roles/common/files/id_rsa
  • ansible/roles/common/tasks/main.yml

Let’s try to fetch the application files from .git. We can do this using DVCS-Ripper. Run dvcs-ripper with the command:

As a result, we see the following message:

The files have been successfully fetched from the remote server directory, and you will find them in /home/admin on your local virtual machine. Now, we can analyze these files.

Sometimes, DIRB and Dirsearch built-in dictionaries aren’t enough to find hidden files and directories. In such case, you can create your own dictionary. First, let’s make a dictionary for dates from 2010 to 2012. Enter the following command:

To create a custom dictionary with unique words, you have to use CeWL, which analyses resources and automatically compiles keywords in a text file. Enter the following command to run it:

The dictionary will appear on the desktop. Now, we can use it:

or

A video, which is below, shows how it can be done in real cases.

Useful links

Hacktory are professional AppSec, Red and Blue Teams developing their game-based cybersecurity educational platform https://hacktory.ai/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store