Hacking Websites by Uploading files (With symlinks)

In this video, I show you how symlinks can be used to read arbitrary files on a web server.
DISCLAIMER: This video is intended only for educational purposes. The experiments in this video are performed in a controlled lab setup and not on a live target. The content is purely from a penetration testing perspective. I do not condone or encourage any illegal activities.
The web application in the video supports file uploads, and users can upload zip files. When we create a zip file containing a symlink that points to an arbitrary file on the server, we are able to read the file the symlink points to. In this way we can read any file on the server that is readable by the web server user account (www-data). This can be used to read sensitive files such as private keys, bash history, and even Apache configuration files. We can leverage this vulnerability to read the environment variables the website is using and find interesting information such as database credentials, tokens, and secret strings, which we can further use to gain access to various services like FTP, SSH, the database, etc.
These kinds of vulnerabilities with symlinks have been exploited many times in the wild. One of the finest examples is this GitLab vulnerability where the researcher received a $29,000 bug bounty: hackerone.com/reports/1439593
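On the defensive side, an upload handler can refuse such archives before anything is extracted. The following is an added example, not code from the video or the application shown in it: it assumes the handler has the uploaded zip as bytes, and the function names, file names and sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

def unsafe_entries(zip_bytes: bytes) -> list:
    """Return (entry name, reason) for every entry that must not be extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix-created archives keep st_mode in the high 16 bits of external_attr.
            kind = stat.S_IFMT(info.external_attr >> 16)
            if kind == stat.S_IFLNK:
                findings.append((info.filename, "symlink"))
            elif kind not in (0, stat.S_IFREG, stat.S_IFDIR):
                findings.append((info.filename, "special file"))
            # Absolute names or '..' components would land outside the upload dir.
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                findings.append((info.filename, "path escapes upload dir"))
    return findings

def constructed_sample() -> bytes:
    """Constructed test archive: one regular file and one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        link = zipfile.ZipInfo("link.txt")
        link.create_system = 3  # mark the entry as Unix-created
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        # A zip stores the link target as the entry's data (placeholder target).
        zf.writestr(link, "/tmp/placeholder-target")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in unsafe_entries(constructed_sample()):
        print(f"reject {name}: {reason}")
```

Reject the whole upload if the list is non-empty. As a second layer, serve extracted files without following symlinks and check that each resolved path stays inside the upload directory.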
Thanks for watching!
Website: techraj156.com
Blog: blog.techraj156.com

Comments: 60

  • @SteveBClark

    The GOAT is back....❤

  • @divyam847

    glad that you're back :)

  • @anudeepkalyadapu1657

    What a video! Looking forward to such videos, man! Keep it up

  • @TejaRavipudi

    big fan. happy that you are back.

  • @mindlesstelevision3213

    Good to see you Back ❤️♥️

  • @HackingBinaries-dt2fh

    Love you man, just subscribed

  • @raoulduke8064

    yeees new video! GOAT is back

  • @TechnicalHeavenSM

    😍😍😍.. You are back❤❤

  • @manishneupane6070

    Wow, great video.

  • @user-eh5zv6xl1t

    Good content Man.

  • @st.john_one

    pretty informative and cool, thanks

  • @sagarhp2350

    He's back.. 🤩

  • @ankur_x4

    THAT WAS CRAZYYYYYY BRUHHHHH 🔥🔥🔥🔥🔥❤❤❤❤

  • @scorpionisready

    Informative ❤️

  • @_SebJ1000

    It's interesting to learn that they place the password in an environment variable, wonder if most devs encrypt it as well. As that might be the slightest bit more secure.

  • @rishi8413

    love the explanation

  • @TheAKAnonymous

    a suggestion,

  • @rajeevpuri8319

    Thank you, Sir, for this easy-to-understand video for a noob like me. 🙏🙏

  • @emirate1772

    Love you bro 💪💪

  • @dishusharma7881

    Where did you learn to pronounce environment as enveeronment? I am curious.