Understanding the QwikiWiki Directory Traversal Exploit (2005)

What this paper is
This paper describes a directory traversal vulnerability in a web application called QwikiWiki. The vulnerability allows an attacker to read arbitrary files on the web server by manipulating the page parameter in the URL. The exploit provided demonstrates how to trigger this vulnerability.
Simple technical breakdown
Web applications often use parameters in URLs to tell them which files to display. QwikiWiki, in this case, uses the page parameter to specify a PHP file to include. If the application doesn't properly sanitize the input for this parameter, an attacker can use special characters like ../ (which means "go up one directory") to navigate outside the intended web root directory and access sensitive files. The %00 (null byte) is used to terminate the string, effectively tricking the application into ignoring the rest of the intended filename.
Complete code and payload walkthrough
The provided "code" is actually a single HTTP request demonstrating the exploit.
http://[SERVER]/qwiki/index.php?page=../_config.php%00

Let's break this down:
- http://[SERVER]/qwiki/index.php: This is the base URL of the vulnerable QwikiWiki application. index.php is likely the main script handling requests.
- ?page=: This indicates the start of query parameters, and page is the specific parameter being manipulated.
- ../: This is the core of the directory traversal. It tells the server to move up one directory level from its current location.
- _config.php: This is the target file an attacker wants to read. It's a common name for configuration files in PHP applications, which might contain sensitive information like database credentials.
- %00: This is the URL-encoded representation of a null byte. In many programming languages, a null byte signifies the end of a string. The application builds a filename around the page value; because the string handling underneath stops at the null byte, whatever the application appends after the value is dropped, the path is processed as just ../_config.php, and the traversal succeeds.
Mapping:
- http://[SERVER]/qwiki/index.php: Target web application entry point.
- ?page=: Parameter used for file inclusion.
- ../: Directory traversal sequence.
- _config.php: Target sensitive file.
- %00: Null byte for string termination.
Payload Explanation:
The "payload" here is the crafted URL itself. It's not executable code in the traditional sense but rather a specially formed HTTP request designed to exploit a flaw in how the web application processes the page parameter. The intended effect is for the server to read and return the content of ../_config.php to the attacker's browser.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No prior authentication is typically required for this type of vulnerability if it's exposed publicly.
- Lab Preconditions:
  - A vulnerable QwikiWiki installation running on a web server.
  - Knowledge of the web server's directory structure to predict the location of sensitive files like configuration files.
  - A way to intercept and analyze HTTP responses (e.g., Burp Suite, OWASP ZAP, curl).
- Tooling Assumptions: Standard web browsers, HTTP proxy tools, or command-line tools like curl.
- Execution Pitfalls:
  - URL Encoding: Different servers or web application firewalls might handle URL encoding differently. The %00 might need to be encoded in other ways (e.g., %2500 if double-encoded) or might not be necessary if the application is extremely lax.
  - Path Variations: The number of ../ might need adjustment depending on the depth of the qwiki directory within the web root. For example, if qwiki is in /var/www/html/qwiki/ and _config.php is in /var/www/html/, then ../ is correct. If _config.php were in /var/www/, then ../../ would be needed.
  - File Permissions: The web server process must have read permissions for the target file (_config.php).
  - Application Logic: The application might have specific checks or sanitization that prevent this exact traversal.
  - Null Byte Filtering: Modern web applications and WAFs often filter out null bytes.
- Expected Telemetry:
  - Web Server Logs: An HTTP GET request to index.php with the crafted page parameter. Look for unusual path traversals.
  - Application Logs: If the application logs file inclusions or errors, there might be entries related to the attempted file read.
  - Network Traffic: The attacker's machine will receive the content of the _config.php file.
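The web server log telemetry above is the easiest place to catch this request after the fact. The following scanner is an added example (not part of the Exploit-DB paper) that runs over a few constructed Apache-style access log lines, percent-decodes the page value repeatedly so the %2500 double-encoding variant collapses to a null byte, and flags dot-dot segments and null bytes. The log lines, IP addresses and function names are all made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access log lines (Apache-style), not real telemetry; the 10.0.0.9 entries mirror the paper's request, plain and double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2005:10:00:01 +0000] "GET /qwiki/index.php?page=HomePage HTTP/1.1" 200 2310
10.0.0.9 - - [04/Jan/2005:10:00:07 +0000] "GET /qwiki/index.php?page=../_config.php%00 HTTP/1.1" 200 812
10.0.0.9 - - [04/Jan/2005:10:00:09 +0000] "GET /qwiki/index.php?page=..%2F..%2F_config.php%2500 HTTP/1.1" 200 812
10.0.0.7 - - [04/Jan/2005:10:00:15 +0000] "GET /qwiki/index.php?page=Sandbox HTTP/1.1" 404 310
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
DOTDOT_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a '..' path segment, with either slash style

def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %2500 -> %00 -> NUL is seen as a null byte."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_reasons(raw_page):
    """Why a raw page= value looks like a traversal probe; an empty list means it looks benign."""
    page = decode_fully(raw_page)
    reasons = []
    if "\x00" in page:
        reasons.append("null byte")
    if DOTDOT_RE.search(page):
        reasons.append("dot-dot segment")
    return reasons

def scan_log(text):
    """One finding per suspicious request: (ip, timestamp, status, raw page value, reasons)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for pair in urlsplit(m.group("target")).query.split("&"):
            key, _, value = pair.partition("=")
            if key == "page":
                if reasons := traversal_reasons(value):
                    findings.append((m.group("ip"), m.group("ts"), m.group("status"), value, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request (as in the sample) is the signal that the read may have succeeded; a 404 or 500 still records the attempt.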
Where this was used and when
This exploit targets QwikiWiki, a web application that was likely in use around 2005, the publication date of the paper. Directory traversal vulnerabilities were common in web applications of that era due to less mature input sanitization practices. Specific instances of this exact exploit being used in the wild are not detailed in the paper, but the technique was prevalent for accessing configuration files, source code, or other sensitive documents on web servers.
Defensive lessons for modern teams
- Input Validation and Sanitization: Always validate and sanitize all user-supplied input, especially parameters used for file operations. Remove or reject potentially dangerous characters like ../, null bytes (%00), and other path traversal sequences.
- Principle of Least Privilege: Ensure the web server process runs with the minimum necessary permissions. It should not have read access to sensitive configuration files or system files outside its designated web root.
- Secure File Inclusion Practices: If file inclusion is necessary, use whitelisting of allowed files rather than blacklisting dangerous patterns. Use absolute paths or paths relative to a known secure directory.
- Web Application Firewalls (WAFs): Implement and configure WAFs to detect and block common attack patterns, including directory traversal attempts and null byte injections.
- Regular Patching and Updates: Keep web applications and their underlying frameworks updated to patch known vulnerabilities.
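The allow-list and "known secure directory" advice above, shown as an added example that is not QwikiWiki's own code, written in Python rather than the application's PHP so it can be run directly. It assumes a page name maps to <name>.php inside one pages directory; the identifier pattern and the function names are assumptions for the example. vulnerable_page_path shows the old splice-the-input-into-the-path pattern for contrast.

```python
import os
import re

# Assumption for the example: wiki page names are plain identifiers stored as <name>.php in one directory.
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

def vulnerable_page_path(pages_dir, page):
    """The 2005-style pattern: the untrusted value is spliced straight into the path.
    A traversal value walks out of pages_dir; in old PHP a trailing NUL would also cut off the
    appended suffix, which is what the paper's request relies on. Shown only for contrast."""
    return os.path.normpath(os.path.join(pages_dir, page + ".php"))

def safe_page_path(pages_dir, page):
    """Resolve page to a file inside pages_dir, or raise ValueError with the reason."""
    if "\x00" in page:
        raise ValueError("null byte in page name")
    if not PAGE_NAME_RE.fullmatch(page):  # allow-list the whole name instead of blacklisting '../'
        raise ValueError("page name is not a plain identifier")
    root = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, candidate]) != root:  # defence in depth: resolved path must stay under root
        raise ValueError("resolved path escapes the pages directory")
    return candidate

def resolve_or_reason(pages_dir, page):
    """(path, None) when accepted, (None, reason) when rejected; convenient for logging and tests."""
    try:
        return safe_page_path(pages_dir, page), None
    except ValueError as exc:
        return None, str(exc)

if __name__ == "__main__":
    base = "/var/www/html/qwiki"  # constructed layout matching the paper's example path
    print(vulnerable_page_path(base, "../_config"))  # leaves the wiki directory
    for name in ("HomePage", "../_config", "../_config.php\x00"):
        print(repr(name), resolve_or_reason(base, name))
```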
ASCII visual (if applicable)
+-----------------+ +-----------------+ +-----------------+
| Attacker's |----->| Web Server |----->| QwikiWiki |
| Browser/Client | | (HTTP Request) | | Application |
+-----------------+ +-----------------+ +-----------------+
|
| (Vulnerable
| index.php)
v
+-----------------+
| Reads |
| ../_config.php |
+-----------------+
|
| (Returns content)
v
+-----------------+
| Web Server |
| (HTTP Response) |
+-----------------+
|
|
v
+-----------------+
| Attacker's |
| Browser/Client |
| (Receives data) |
+-----------------+

This diagram illustrates the flow: the attacker sends a crafted request, the web application attempts to read a file outside its intended directory, and if successful, the content is returned to the attacker.
Source references
- Paper ID: 737
- Paper Title: QwikiWiki - Directory Traversal
- Author: Madelman
- Published: 2005-01-04
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/737
- Raw URL: https://www.exploit-db.com/raw/737
Original Exploit-DB Content (Verbatim)
REQUEST:
http://[SERVER]/qwiki/index.php?page=../_config.php%00
# milw0rm.com [2005-01-04]