Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)
You can donate via Bitcoin or Patreon!

Introduction to Directory Traversal

Directory Traversal, or path traversal, is a vulnerability in web applications that can allow an attacker to access files which they should not be able to, such as files outside of the application web root.

The vulnerability would generally be exposed through an application parameter like this:

https://seattlesounds.net/file.php?name=Brochure.pdf

Here the parameter is specifying a file within a specific subdirectory of the application, such as:

/var/www/html/Downloads

An attacker can potentially abuse this function by using relative directory moves with character sequences like “../”. The following path:

/var/www/html/Downloads/../

Is the equivalent of:

/var/www/html/

Each “../” effectively moves the attacker up one directory. If more of those sequences are supplied than there are directories to move up through, the additional ones are generally simply ignored, so:

/var/www/html/Downloads/../../../../../../../

Is the equivalent of:

/

One way to test for this issue is to supply a number of relative moves for files that are known to exist, for example:

index.php
../index.php
../../index.php
../../../index.php
and so on...

Alternatively you could try something like:

../../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../windows/win.ini

To exploit the issue we simply place one of the payloads in the target URL:

https://seattlesounds.net/file.php?name=../../../../../../../../../../../etc/passwd


The sequence “../” may be blocked by the application, for example through a filter implemented by the developer, but it may still be possible to bypass such a filter through encoding. Some possible examples for filter evasion include:

%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
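The testing payloads and the filter-evasion list above both come down to the same defensive point: a check on the raw parameter can be fooled by encoding, while a check on the resolved path cannot. The following is an added example, not code from the original post; it assumes a placeholder web root of /var/www/html with a Downloads subdirectory, as in the post, and puts a naive blocklist, a strip-once filter and a canonical-path check side by side.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"                    # placeholder web root, as in the post
DOWNLOADS = posixpath.join(WEB_ROOT, "Downloads")


def blocklist_allows(name: str) -> bool:
    """A naive filter: reject the literal sequence '../' (or '..\\') in the raw
    parameter. Encoded variants such as %2e%2e%2f never contain that literal."""
    return "../" not in name and "..\\" not in name


def strip_filter(name: str) -> str:
    """Another common mistake: delete '../' once and trust what is left.
    '..././' loses its inner '../' and what remains reads as a fresh '../'."""
    return name.replace("../", "")


def canonical_allows(name: str, base: str = DOWNLOADS) -> bool:
    """Decode the way the server stack would, resolve the result against the
    base directory, and allow it only if it still lies inside that directory.
    Checking the resolved path (not the raw input) is what defeats encoding."""
    decoded = unquote(unquote(name))          # second pass catches double encoding (%252e)
    decoded = decoded.replace("\\", "/")      # treat backslash as a separator, as Windows does
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    # normpath folds every '..'; extra ones above '/' are dropped, as the post describes
    return resolved == base or resolved.startswith(base + "/")


# Constructed sample inputs (the traversal ones are taken from the post's lists)
SAMPLES = [
    "Brochure.pdf",
    "sub/../Brochure.pdf",
    "../../../../../../../../../../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2fetc/passwd",
    "%252e%252e%252fetc/passwd",
]


def compare(samples=SAMPLES):
    """Return {input: (blocklist_allows, canonical_allows)} for each sample."""
    return {s: (blocklist_allows(s), canonical_allows(s)) for s in samples}


if __name__ == "__main__":
    for s, (naive, canon) in compare().items():
        print(f"{s:50} blocklist={naive!s:5} canonical={canon}")
    print("strip_filter('..././..././etc/passwd') ->", strip_filter("..././..././etc/passwd"))
```

A production check should additionally resolve symlinks (for example with os.path.realpath) before the comparison, since the whole point is to decide on the final path the file system will open.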

For a list of possible files to try, there’s a cheatsheet for Windows and Linux!