
File path traversal, traversal sequences stripped with superfluous URL-decode


Let's access the image through the browser.


We can now intercept this request in Burp Suite using the Proxy.


Now we can send the request to the Repeater to make changes to it.

Let's change the filename parameter to the following and forward the request:

../../../etc/passwd


The server tells us that the file does not exist. This is because the ../ characters are being stripped from our parameter.

Original parameter: ../../../etc/passwd
Stripped parameter: etc/passwd

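We can bypass this by double URL-encoding the ../../../ character sequence. After the first decode the value still reads %2e%2e%2f, so when the server tries to match the ../ pattern, it won't find it. The superfluous second URL-decode then turns the sequence back into ../ after the filter has already run.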


Now we can set the filename parameter to the following:

%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66etc/passwd


We have successfully solved the lab.
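
The following is an added example, not code from the lab or from the original walkthrough. It is a simplified model of the flaw (strip first, decode second) next to a handler that canonicalises the path and checks containment instead. BASE_DIR and the function names are assumptions made for illustration, and POSIX paths are assumed.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # assumed image directory, not taken from the lab

# The filename value from the walkthrough, as sent on the wire.
WIRE_VALUE = "%25%32%65%25%32%65%25%32%66" * 3 + "etc/passwd"


def server_decode(wire: str) -> str:
    """The single URL-decode a web server applies to every query parameter."""
    return unquote(wire)


def vulnerable_resolve(param: str) -> str:
    """Flawed order: strip '../' first, then URL-decode a second time."""
    stripped = param.replace("../", "")  # sees only '%2e%2e%2f', removes nothing
    decoded = unquote(stripped)          # superfluous decode recreates '../'
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def hardened_resolve(param: str) -> str:
    """No second decode, no stripping: canonicalise, then require containment."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, param))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    param = server_decode(WIRE_VALUE)
    print("after server decode:", param)
    print("vulnerable handler :", vulnerable_resolve(param))
    print("hardened handler   :", hardened_resolve(param))
    try:
        hardened_resolve("../../../etc/passwd")
    except ValueError as exc:
        print("hardened handler   : rejected,", exc)
```

In the hardened handler the still-encoded value is treated as a literal file name under the base directory, so the request fails with a missing file rather than reaching /etc/passwd.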
