Path Traversal
Welcome! Today we will be solving all the Path Traversal labs of PortSwigger, so I hope you are ready and let's get to it!
Let's access that image and intercept it with Burp Suite:
We are going to send it to the Repeater and, instead of making the parameter point to 1.jpg, we will point it to /etc/passwd:
You may encounter the case where the ../../../etc/passwd sequence is blocked, but it may still work if you point directly to the path you want to read:
If we intercept the same request as above and try the previous traversal paths, we will see that they do not work:
We will try a nested sequence, which leaves a valid ../ behind when the filter strips ../ only once:
Syntax: ....//....//....//
We will intercept the same request:
In this case a normal, nested or absolute traversal path will not work. If we URL-encode ../ we get %2e%2e%2f, and we will try that in the request:
But without success. We will URL-encode it a second time, so it becomes:
%2e%2e%2f -> %252e%252e%252f
We will try:
If we look at how the images are requested, we can see that the application uses the absolute path:
What we will try is to intercept the loading of that image and, instead of requesting the image 1.jpg, try to show /etc/passwd:
We will intercept the following request:
If we try a traversal path it will not work, because the application requires an accepted extension, in this case .png. If we try ../../../../etc/passwd.png it will obviously not work either, so we will add a null byte.
null byte: %00
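Seen from the defender's side, every bypass above works because the input is validated before it is fully canonicalised. The following is an added example, not code from the labs or from this write-up: it puts a single-pass ../ stripping filter beside a resolver that decodes, canonicalises and only then checks containment. The image root /var/www/images, the function names and the sample values are assumptions made for the example.

```python
import os
from urllib.parse import unquote

BASE_DIR = os.path.realpath("/var/www/images")  # assumed image root

def naive_strip(name: str) -> str:
    """Weak filter: removes '../' in one non-recursive pass, then joins."""
    return os.path.normpath(os.path.join(BASE_DIR, name.replace("../", "")))

def resolve_image(raw: str) -> str:
    """Canonicalise first, validate second. Raises ValueError on rejection."""
    name = raw
    for _ in range(4):  # peel nested URL-encoding layers until stable
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in name:
        raise ValueError("null byte in filename")
    # join() drops BASE_DIR for absolute input; realpath() collapses '..'
    candidate = os.path.realpath(os.path.join(BASE_DIR, name))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes image directory")
    return candidate

# Constructed sample values, one per case in the walkthrough
SAMPLES = [
    "1.jpg",
    "../../../etc/passwd",
    "/etc/passwd",
    "....//....//....//etc/passwd",
    "%252e%252e%252f" * 3 + "etc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../../etc/passwd%00.png",
]

def audit(samples=SAMPLES) -> dict:
    out = {}
    for raw in samples:
        try:
            out[raw] = resolve_image(raw)
        except ValueError as exc:
            out[raw] = f"REJECTED: {exc}"
    return out

if __name__ == "__main__":
    for raw, outcome in audit().items():
        print(f"{raw!r:48} -> {outcome}")
```

Because nothing is stripped, the nested ....// value is treated as a literal directory name under the image root and simply fails to open, while naive_strip turns the same value into a path outside it.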
We can see that it is a product store, and if we look at the source code we can see the following flaw: