Path Traversal

../../../etc/passwd -> absolute path is blocked
/etc/passwd -> the website blocks relative path (../ sequences) but interestingly allows absolute path
..././..././..././etc/passwd -> the string ../ is stripped, but not recursively
../../../etc/passwd encoded to url twice -> url decode on ascii would give the same result (so encoding the /etc/passwd part is optional); the system does "strip pattern, then decode url" twice, so we encode the pattern twice
/var/www/images/../../../etc/passwd -> system make sure that the beginning must be /var/www/images/
../../../etc/passwd%00.jpg -> system make sure that the ending must be .jpg. Null byte (%00) is treated like space in url. So from server side it's like reading 2 files: cat ../../../etc/passwd .jpg. There's a passwd, but no .jpg file.

use burpsuite, check hhtp histories (request header on the jpg), repeater, inject payload
why 3 backtrack on directories? because usually website files are in /var/www/html

Last updated 1 year ago

../../../etc/passwd -> absolute path is blocked
/etc/passwd -> the website blocks relative path (../ sequences) but interestingly allows absolute path
..././..././..././etc/passwd -> the string ../ is stripped, but not recursively
../../../etc/passwd encoded to url twice -> url decode on ascii would give the same result (so encoding the /etc/passwd part is optional); the system does "strip pattern, then decode url" twice, so we encode the pattern twice
/var/www/images/../../../etc/passwd -> system make sure that the beginning must be /var/www/images/
../../../etc/passwd%00.jpg -> system make sure that the ending must be .jpg. Null byte (%00) is treated like space in url. So from server side it's like reading 2 files: cat ../../../etc/passwd .jpg. There's a passwd, but no .jpg file.

use burpsuite, check hhtp histories (request header on the jpg), repeater, inject payload
why 3 backtrack on directories? because usually website files are in /var/www/html

Last updated 1 year ago