Path Traversal
Solutions
- ../../../etc/passwd -> absolute path is blocked
- /etc/passwd -> the website blocks relative paths (../ sequences) but interestingly allows an absolute path
- ..././..././..././etc/passwd -> the string ../ is stripped, but not recursively
- ../../../etc/passwd, URL-encoded twice -> URL-decoding plain ASCII gives the same result (so encoding the /etc/passwd part is optional); the system does "strip pattern, then URL-decode" twice, so we encode the pattern twice
- /var/www/images/../../../etc/passwd -> the system checks that the path must begin with /var/www/images/
- ../../../etc/passwd%00.jpg -> the system checks that the path must end with .jpg. The null byte (%00) is treated like a space in the URL, so from the server side it is like reading two files: cat ../../../etc/passwd .jpg. There is a passwd file, but no .jpg file.
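Each bypass above works because the server filters the raw input string instead of checking the canonical path it ends up opening. The following is an added example (not from the labs or these notes) of the defender's side: a flawed single-pass filter modelled on the labs next to a hardened resolver that decodes fully, rejects null bytes and absolute paths, canonicalises, and only then checks containment under the image root and the file extension. The base directory /var/www/images and the allowed extensions are assumptions for the example; the payloads fed through it are the ones listed above.

```python
import posixpath
from urllib.parse import unquote

# Assumed image root for the example (the notes say the lab serves images from here).
BASE_DIR = "/var/www/images"
ALLOWED_EXTENSIONS = (".jpg", ".jpeg", ".png")


def naive_sanitize(filename: str) -> str:
    """Flawed filter modelled on the labs: strip '../' in one pass, then URL-decode once.
    Kept here only to show why the bypasses in the notes survive it."""
    return unquote(filename.replace("../", ""))


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the string stops changing, so a doubly encoded
    '../' (%252e%252e%252f) cannot slip past a single decode pass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_image_path(filename: str, base_dir: str = BASE_DIR):
    """Return the canonical path under base_dir, or None if the request must be rejected.
    Order matters: decode, reject null bytes and absolute paths, canonicalise, then check
    containment and extension on the final path rather than on the raw input."""
    base_dir = posixpath.normpath(base_dir)
    try:
        name = fully_decode(filename)
    except ValueError:
        return None
    if "\x00" in name:            # %00 would truncate the name in C-based file APIs
        return None
    if posixpath.isabs(name):     # an absolute path is never a legitimate image name here
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, name))
    # Containment on the canonical path defeats ../, ..././ and encoded variants alike;
    # nothing is stripped, so there is no pattern for an attacker to reconstruct.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    if not candidate.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    return candidate


# Constructed inputs: the payloads from the notes plus one legitimate filename.
PAYLOADS = [
    "../../../etc/passwd",
    "/etc/passwd",
    "..././..././..././etc/passwd",
    "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.jpg",
    "sub/cat.jpg",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:62} naive={naive_sanitize(p)!r:42} hardened={resolve_image_path(p)!r}")
```

Running it shows the single-pass filter turning ..././..././..././etc/passwd back into ../../../etc/passwd, while the hardened resolver returns None for every payload and a path inside the image root only for sub/cat.jpg. Note that the ..././ payload is not a traversal at all once the path is canonicalised: it names a directory literally called "...", which stays under /var/www/images.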
Notes
Use Burp Suite: check the HTTP history (the request for the .jpg), send it to Repeater, and inject the payload.
Why three ../ steps? Because website files are usually in /var/www/html, three directories below /.