File path traversal, traversal sequences stripped with superfluous URL-decode
Let's access the image through the browser.
We can now intercept this request in Burp Suite using the Proxy.
Now, we can forward the request to the Repeater to make changes to it.
Let's change the `filename` parameter to the following and forward the request:
../../../etc/passwd
The server tells us that the file does not exist. This is because the `../` characters are being stripped from our parameter.
Original parameter | Stripped parameter |
---|---|
../../../etc/passwd | etc/passwd |
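We can bypass this by URI encoding the `../../../` character sequence.
This way, when the server tries to match the pattern, it won't find it because it has been encoded. The value used below is encoded twice: each `%25%32%65` decodes first to `%2e` and then to `.`, so the sequence is still encoded when the filter runs and is only restored by the server's superfluous URL-decode afterwards.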
Now we can set the `filename` parameter to the following:
%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66etc/passwd
We have successfully solved the lab.
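Why the filter fails, and what a check that holds up looks like, as an added example that is not part of the original write-up or the lab's code. The base directory, the function names and the assumption that the framework decodes the parameter once before the application sees it are all hypothetical.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # assumed image directory (hypothetical)


def weak_resolve(raw_param: str) -> str:
    """Order of operations named in the lab title: strip, then decode again."""
    value = unquote(raw_param)        # decode done once by the web framework
    value = value.replace("../", "")  # filter runs while one layer is still encoded
    value = unquote(value)            # superfluous second decode restores "../"
    return posixpath.normpath(posixpath.join(BASE_DIR, value))


def safe_resolve(raw_param: str) -> str:
    """Decode once, never strip, and validate the final canonical path."""
    value = unquote(raw_param)        # the single framework decode, nothing after it
    if "\x00" in value:
        raise ValueError("NUL byte in filename")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, value))
    # Containment is checked on the canonical path that would actually be opened.
    # On a real filesystem use os.path.realpath so symlinks are resolved as well.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes base directory")
    return candidate


# The encoded value from the write-up above
PAYLOAD = "%25%32%65%25%32%65%25%32%66" * 3 + "etc/passwd"

if __name__ == "__main__":
    print("weak, plain  :", weak_resolve("../../../etc/passwd"))
    print("weak, encoded:", weak_resolve(PAYLOAD))
    print("safe, encoded:", safe_resolve(PAYLOAD))
    try:
        safe_resolve("../../../etc/passwd")
    except ValueError as exc:
        print("safe, plain  : rejected,", exc)
```

With `safe_resolve`, the encoded value is treated as a literal file name inside the image directory, which simply does not exist, and the plain `../` form is rejected because the canonical path leaves the base directory.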