Arna Banerjee
6 min read · Aug 16, 2023

Directory Traversal: Labs 2–6 (Practitioner)

Lab 2: File path traversal, traversal sequences blocked with absolute path bypass

Solution:

The lab states that it has a path traversal vulnerability in the display of product images, but that it blocks traversal sequences. We follow the same process as in the previous lab: view the page source and observe that the product images are referenced by file name.

Configure Burp Suite's proxy and the browser's proxy to match, and intercept the request for any product image. Forward requests until we reach the one where the product image is passed as a file name in the URL argument to /image:

Since the lab states that traversal sequences are blocked, instead of using ../ as the payload we supply the absolute path /etc/passwd directly as the filename parameter and check whether the file's contents are returned.

On sending the payload, observe that the contents of the file are returned and the lab is solved.

Happy Learning :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Lab 3: File path traversal, traversal sequences stripped non-recursively

Solution:

The lab contains a file path traversal vulnerability in the display of product images. However, the application strips path traversal sequences from the user-supplied filename. We need to retrieve the contents of the file /etc/passwd.

Configure Burp Suite's proxy and the browser's proxy to match, and intercept the request for any product image. Forward requests until we reach the one where the product image is passed as a file name in the URL argument to /image:

Because the application strips traversal sequences from the user-supplied file name, we use nested sequences such as ....// (which collapse to ../ after a single stripping pass) followed by the file name. We then add more levels and check whether the file's contents can be retrieved.

With ....//....//etc/passwd the response is an error saying no such file was found.

Going one level higher retrieves the contents of the file and solves the lab. The request that retrieves /etc/passwd is: GET /image?filename=....//....//....//etc/passwd HTTP/2

The lab is solved:

Happy Learning :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Lab 4: File path traversal, traversal sequences stripped with superfluous URL-decode

Solution:

The lab states that it has a directory traversal vulnerability in the display of product images. The application blocks traversal sequences, but it URL-decodes the input before using it.

Configure Burp Suite's proxy and the browser's proxy to match, and intercept the request for any product image. Forward requests until we reach the one where the product image is passed as a file name in the URL argument to /image:

Because the application blocks traversal sequences but URL-decodes the input afterwards, the check can be bypassed by URL-encoding or double URL-encoding the traversal sequences.

Encode the payload ../../../ with a URL encoder/decoder tool and append the name of the file whose contents we want to retrieve.

P.S. The double-URL-encoded form of ../../../ is ..%252F..%252F..%252F

We are able to retrieve the contents of the file, and our lab is solved.
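From the defender's side, the three request shapes seen so far (the absolute path of Lab 2, the nested ....// sequences of Lab 3, and the double-encoded ..%252F of Lab 4) are all visible in a web server's access log. The following is an added example, not code from the original post: it scans constructed access-log lines in an assumed combined-log style, URL-decodes each parameter until it stops changing, and reports why a request looks like traversal. All log lines and client addresses are constructed for the example.

```python
"""Detection of the traversal encodings from Labs 2 to 4 in access-log lines.

Added example, not from the original post.  The log format is an assumed
combined-log style (client - - [time] "METHOD target HTTP/x" status bytes),
and every line in SAMPLE_LOG is constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed log lines: one benign request, the three bypass shapes from
# Labs 2-4 (absolute path, nested ....// sequences, double URL-encoding),
# and a benign 404.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2023:10:00:01 +0000] "GET /image?filename=46.png HTTP/2" 200 5120
10.0.0.7 - - [16/Aug/2023:10:00:02 +0000] "GET /image?filename=/etc/passwd HTTP/2" 200 1814
10.0.0.7 - - [16/Aug/2023:10:00:03 +0000] "GET /image?filename=....//....//....//etc/passwd HTTP/2" 200 1814
10.0.0.7 - - [16/Aug/2023:10:00:04 +0000] "GET /image?filename=..%252f..%252f..%252fetc/passwd HTTP/2" 200 1814
10.0.0.9 - - [16/Aug/2023:10:00:05 +0000] "GET /image?filename=summer-sale.jpg HTTP/2" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_passes=3):
    """URL-decode `value` until it stops changing.

    Returns (decoded, passes).  A well-formed client value needs at most one
    pass; two or more means the value was double-encoded (the Lab 4 trick).
    """
    passes = 0
    while passes < max_passes:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        passes += 1
    return value, passes


def classify(target):
    """Return the reasons a request target looks like path traversal ([] if none)."""
    reasons = []
    _, _, query = target.partition("?")
    for pair in (query.split("&") if query else []):
        key, _, raw_value = pair.partition("=")
        value, passes = fully_decode(raw_value)
        if passes >= 2:
            reasons.append(f"{key}: double URL-encoded")
        if "\0" in value:
            reasons.append(f"{key}: NUL byte")
        if value.startswith("/"):
            reasons.append(f"{key}: absolute path")
        # "....//" already contains "../" as a substring, so the nested form
        # from Lab 3 is caught without any stripping logic of our own.
        hops = value.count("../") + value.count("..\\")
        if hops:
            reasons.append(f"{key}: {hops} traversal sequence(s)")
    return reasons


def scan_log(text):
    """Return (client, target, reasons) for each suspicious line in `text`."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = classify(match.group("target"))
        if reasons:
            hits.append((line.split()[0], match.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {target}\n    " + "; ".join(reasons))
```

Decoding until the value is stable is what makes the double-encoded form from Lab 4 stand out: a legitimate client value never needs a second decode pass, so two passes is itself a signal, independent of whether the decoded result contains ../.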

Happy Learning :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Lab 5: File path traversal, validation of start of path

Solution:

The lab states that it has a path traversal vulnerability in the display of product images. The application transmits the full file path via a request parameter and validates that the supplied path starts with the expected folder. We need to retrieve the contents of the /etc/passwd file.

Click on any product image and check the page source; notice that the product images are given as file names in the URL argument to /image.

Since the application only checks that the user-supplied filename starts with the expected base folder, such as /var/www/images, one can supply the base folder followed by suitable traversal sequences.

Intercept a request for any product image and send it to Repeater.

Append traversal sequences after the base folder; notice that the response is an error saying no such file exists. Add more traversal sequences and check whether the file's contents are retrieved.

After gradually increasing the number of traversal sequences, the contents of the file are retrieved and the lab is solved.

Happy Learning :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Lab 6: File path traversal, validation of file extension with null byte bypass

Solution:

The lab states that it contains a file traversal vulnerability in the display of product images. However, the application validates that the supplied filename ends with the expected file extension. We need to retrieve the contents of the file /etc/passwd.

Open the lab, click on any product image, view the page source, and observe that the filename ends with the expected file extension, as shown in the screenshot below.

Since the application requires the filename to end with .png, a null byte is used to terminate the file path before the expected extension: the check still sees .png at the end, while the underlying file access stops at the null byte.

Intercept the request using Burp Suite.

Construct the payload, then increase the traversal sequences and check whether the contents of the specified file can be retrieved.

The contents of the file are retrieved, and the lab is solved.
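Each of Labs 2 to 6 defeats a different partial defence: blocking ../ but not absolute paths, stripping ../ once, checking before a second URL decode, checking only the path prefix, and checking the extension on a string that still contains a null byte. The following is an added example, not code from the original post or from PortSwigger: since the labs' server-side code is not shown, each flawed_* function is a plausible model of the behaviour its lab describes, placed next to one canonicalising check that rejects all five bypasses. BASE_DIR is the base folder named in Lab 5; the payload strings are the page's own, written as the application sees them after the web framework's single URL decode; the legitimate file names are constructed.

```python
"""Models of the five flawed filename checks from Labs 2 to 6 next to a
canonicalising check that rejects all of the bypasses described on this page.

Added example, not code from the original post or from PortSwigger.  The
labs' server-side code is not shown, so each flawed_* function is a plausible
model of the behaviour its lab describes, and BASE_DIR is the base folder
named in Lab 5.  Paths are manipulated with posixpath so the example runs
offline without touching a real filesystem.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/images"


def _join(base, name):
    # posixpath.join discards `base` when `name` is absolute, which is the
    # behaviour the absolute-path bypass in Lab 2 relies on.
    return posixpath.normpath(posixpath.join(base, name))


def flawed_lab2(name):
    """Blocks traversal sequences but never rejects an absolute path."""
    if "../" in name:
        return None
    return _join(BASE_DIR, name)


def flawed_lab3(name):
    """Strips '../' in a single, non-recursive pass."""
    return _join(BASE_DIR, name.replace("../", ""))


def flawed_lab4(name):
    """Checks the once-decoded value, then URL-decodes it a second time."""
    if "../" in name:
        return None
    return _join(BASE_DIR, unquote(name))   # superfluous decode re-creates '../'


def flawed_lab5(path):
    """Accepts any full path that merely starts with the expected base folder."""
    if not path.startswith(BASE_DIR):
        return None
    return posixpath.normpath(path)


def flawed_lab6(name):
    """Checks the extension on the raw string; the filesystem stops at NUL."""
    if not name.endswith(".png"):
        return None
    return _join(BASE_DIR, name.split("\0", 1)[0])   # models C-string truncation


def safe_resolve(name, allowed_ext=(".png", ".jpg")):
    """Resolve `name` under BASE_DIR, returning None for anything outside it.

    `name` is the parameter value after the web framework's single URL decode;
    nothing is decoded again here, so '%2f' stays a literal part of the file
    name rather than becoming a path separator.
    """
    if "\0" in name:                      # never legitimate in a file name
        return None
    if not name.lower().endswith(allowed_ext):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, name))
    # Containment check on the canonical path: this rejects absolute paths,
    # every '../' form, and sibling directories such as /var/www/images2.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


# Constructed request values, one per lab, as the application sees them after
# the framework's single URL decode (Lab 4's is the once-decoded form of the
# ..%252F..%252F..%252F payload; Lab 6's "\0" is the decoded %00).
PAYLOADS = {
    "lab2": (flawed_lab2, "/etc/passwd"),
    "lab3": (flawed_lab3, "....//....//....//etc/passwd"),
    "lab4": (flawed_lab4, "..%2f..%2f..%2fetc/passwd"),
    "lab5": (flawed_lab5, "/var/www/images/../../../etc/passwd"),
    "lab6": (flawed_lab6, "../../../etc/passwd\0.png"),
}


def compare():
    """Return {lab: (path opened by the flawed check, path allowed by safe_resolve)}."""
    return {lab: (flawed(value), safe_resolve(value))
            for lab, (flawed, value) in PAYLOADS.items()}


if __name__ == "__main__":
    for lab, (opened, allowed) in compare().items():
        print(f"{lab}: flawed check opens {opened!r}, safe_resolve allows {allowed!r}")
    print("legitimate:", safe_resolve("46.png"))   # constructed product image name
```

The design point is that safe_resolve never tries to recognise bad input; it canonicalises the joined path and then asks whether the result is still inside BASE_DIR, which is why none of the five encodings matter to it. In production code the same check should be run on os.path.realpath of the candidate so that symbolic links inside the image directory cannot point outside it either; posixpath.normpath is used here only so the example runs without a real directory tree.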

Happy Learning :)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —