
File path traversal, traversal sequences stripped non-recursively


Let's access the image through the browser.


We can intercept this request in Burp Suite using the Proxy.

Now, we can send this intercepted request to the Repeater to modify it.

Once in the Repeater, we can set the filename parameter to the following:

../../../etc/passwd


The server tells us that the file does not exist. This is because the ../ characters are being stripped from our parameter.

Original parameter | Stripped parameter
../../../etc/passwd | etc/passwd

The problem is that the server does not strip the ../ sequences recursively: it removes them once and does not check the result again.

We can exploit it by setting the filename parameter to the following:

....//....//....//etc/passwd

Now, when the ../ characters are stripped, the characters left behind still form a set of ../ sequences.

Original parameter | Stripped parameter
....//....//....//etc/passwd | ../../../etc/passwd


We have successfully solved the lab.
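
As an added example (not part of the original write-up and not the lab's own code), the Python sketch below reproduces the single-pass stripping shown in the two tables above, next to a containment check that rejects the same input. `BASE_DIR`, `photo.jpg` and the function names are assumptions made for illustration.

```python
import os

BASE_DIR = "/var/www/images"  # assumed image directory, not taken from the page


def strip_once(filename: str) -> str:
    """Flawed filter: remove '../' in a single pass and never re-check."""
    return filename.replace("../", "")


def strip_until_stable(filename: str) -> str:
    """Repeat the removal until the value stops changing."""
    previous = None
    while previous != filename:
        previous, filename = filename, filename.replace("../", "")
    return filename


def resolve_safely(filename: str, base_dir: str = BASE_DIR) -> str:
    """Canonicalise the requested path and require it to stay under base_dir.

    The check runs on the resolved result, so it does not depend on which
    sequences an earlier filter did or did not remove.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected: {filename!r} resolves outside {base}")
    return candidate


if __name__ == "__main__":
    # The two values from the tables above.
    for value in ("../../../etc/passwd", "....//....//....//etc/passwd"):
        once = strip_once(value)
        print(f"{value!r:34} single pass -> {once!r}")
        print(f"{'':34} repeated    -> {strip_until_stable(value)!r}")
        try:
            print(f"{'':34} resolved    -> {resolve_safely(once)}")
        except ValueError as err:
            print(f"{'':34} {err}")
    # A constructed, ordinary file name is still served.
    print(resolve_safely("photo.jpg"))
```

Repeating the strip closes this particular gap, but the containment check in `resolve_safely` is the stronger control because it validates where the path ends up rather than what the input looked like.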
