Path traversal
Path traversal is a vulnerability that allows an attacker to access files or folders that were not supposed to be available to users, by exploiting the application.
⚠️ You should use an HTTP client to perform path traversal tests, as browsers may send something different from what you typed.
For instance, http://example.com/image-preview.php?url=... is supposed to display an image given a URL. You can use the dot-dot-slash attack and give a URL such as ../../../../../etc/passwd. You can add more ../ than needed, but try to find the least number required.
It is used as a building block by other attacks such as file inclusion or SSRF.
Path traversal: bypassing filters
- If there is a function removing ../, you can craft a payload that only becomes a traversal once the input has been filtered:
    Input: ....//
    Input: ..././
    Apply filter: remove ../
    Output: ../
- If the target application decodes URLs more than once (which is not the default in PHP), we may be able to bypass a WAF or similar solutions using double URL encoding.
- The path may have to start with a specific folder, in which case you can simply use folder/../<payload>.
- Some systems accept /./ or // in paths, which may be handy to bypass naive filters, as in /etc/./passwd.
- The null byte %00 could be used in PHP < 5.3.4 to ignore a trailing extension such as .png, as below:
    include "xxx.png%00.php" // includes xxx.png
- We can exploit PHP string truncation in PHP < 5.3.0 to craft a payload. From my experience, it only works when the string has a certain size, which is often strictly equal to 4095.
    # the path must have an odd number of characters
    payload = 'a/../admin.html' + '/.' * 2026
    payload = 'abc/../admin.html' + '/.' * 2025
    payload = 'admin.html/' + '/.' * 2028
- If they are using assert() to filter characters such as .., we may be able to exploit it. Refer to the HackTricks notes.
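As an added, defender-side illustration of the first and fourth bullets above (this is example code, not part of the original notes): a one-pass filter that deletes ../ is compared with lexical canonicalisation of the resolved path followed by a containment check. The filter naive_strip_dotdot, the base directory /srv/app/images and the sample inputs are all constructed for the example.

```python
import posixpath

# Constructed sample inputs modelled on the bypass tricks listed above.
SAMPLES = [
    "../../../../etc/passwd",               # plain dot-dot-slash, more ../ than needed
    "....//....//....//....//etc/passwd",   # each ....// becomes ../ after one stripping pass
    "..././..././..././..././etc/passwd",   # same trick, different interleaving
    "cats//./tabby.png",                    # // and /./ inside an otherwise valid path
    "uploads/cat.png",                      # legitimate request
]

def naive_strip_dotdot(user_path: str) -> str:
    """The kind of filter the notes warn about: a single pass deleting '../'.
    Assumed for illustration; it is not taken from any real application."""
    return user_path.replace("../", "")

def naive_open_target(base_dir: str, user_path: str) -> str:
    """What an application would open if it trusted the stripped string and
    joined it to its base directory (lexical normalisation only)."""
    return posixpath.normpath(posixpath.join(base_dir, naive_strip_dotdot(user_path)))

def safe_resolve(base_dir: str, user_path: str):
    """Canonicalise the requested path under base_dir without stripping anything,
    then require the result to stay inside base_dir. Returns the resolved path,
    or None when it escapes. This is lexical (posixpath.normpath); on a real
    filesystem also apply os.path.realpath so symlinks cannot point outside."""
    base = posixpath.normpath(base_dir)
    # Treat the request as relative: a leading '/' must not discard base_dir.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate

def compare(base_dir: str = "/srv/app/images") -> dict:
    """Return, per sample, the naive filter's outcome beside the canonical check."""
    return {
        p: {"naive_opens": naive_open_target(base_dir, p),
            "canonical": safe_resolve(base_dir, p)}
        for p in SAMPLES
    }

if __name__ == "__main__":
    for path, outcome in compare().items():
        print(f"{path!r:40} naive -> {outcome['naive_opens']}  canonical -> {outcome['canonical']}")
```

Note that the ....// and ..././ inputs are harmless until the stripping pass turns them into ../ sequences, while canonicalisation rejects the plain ../ payload outright and leaves the nested-dots payloads inside the base directory.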