File path traversal, traversal sequences stripped non-recursively
Let's access the image through the browser.
We can intercept this request in Burp Suite using the Proxy.
Now, we can send this intercepted request to the Repeater to modify it.
Once in the Repeater, we can set the filename parameter to the following:
../../../etc/passwd
The server tells us that the file does not exist. This is because the ../ characters are being stripped from our parameter.
| Original parameter | Stripped parameter |
|---|---|
| ../../../etc/passwd | etc/passwd |
The problem is that the server does not strip the traversal sequences from the parameter recursively.
We can exploit it by setting the filename parameter to the following:
....//....//....//etc/passwd
Now, when the ../ characters are stripped in a single pass, the characters left behind join up into a new set of ../ characters.
| Original parameter | Stripped parameter |
|---|---|
| ....//....//....//etc/passwd | ../../../etc/passwd |
We have successfully solved the lab.
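
The filter behaviour in the two tables above, next to a fix that does not depend on stripping at all. This is an added example, not code from the lab or its server: the function names and the `/var/www/images` base directory are assumptions, and the single `replace` pass is a model of the filter inferred from the observed results.

```python
import os

def strip_once(filename: str) -> str:
    """Model of the filter described above: one non-recursive pass."""
    return filename.replace("../", "")

def strip_until_stable(filename: str) -> str:
    """Repeat the strip until the value stops changing."""
    while True:
        stripped = filename.replace("../", "")
        if stripped == filename:
            return stripped
        filename = stripped

def resolve_safely(base_dir: str, filename: str) -> str:
    """Canonicalise the final path and require it to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{filename!r} resolves outside {base}")
    return target

if __name__ == "__main__":
    BASE = "/var/www/images"  # assumed image directory, not from the page
    for value in ("../../../etc/passwd", "....//....//....//etc/passwd"):
        once = strip_once(value)
        print(f"{value!r}: once={once!r} stable={strip_until_stable(value)!r}")
        try:
            print("  served:", resolve_safely(BASE, once))
        except ValueError as exc:
            print("  rejected:", exc)
```

Stripping until the value is stable closes this particular gap, but the containment check on the canonical path is the control to rely on, since it holds whatever the filter lets through.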