File path traversal, traversal sequences stripped non-recursively
Let's access the image through the browser.
We can intercept this request in Burpsuite using the Proxy
.
Now, we can sent this intercepted request to the Repeater
to modify it.
Once in the Repeater
, we can set the filename
parameter to the following:
../../../etc/passwd
The server tells us that the file does not exist. This is because the ../
characters are being stripped from our parameter.
Original Parameter | Stripped parameter |
---|---|
../../../etc/passwd | etc/passwd |
The problem is, the server does not strip the parameters recursively
We can exploit it by setting the filename
parameter to the following:
....//....//....//etc/passwd
Now, when the ../
characters are stripped it still leaves a set of ../
characters.
Original parameter | Stripped parameter |
---|---|
....//....//....//etc/passwd | ../../../etc/passwd |
We have successfully solved the lab.