Simple PathTraversal bypass

fr0stNuLL
Jun 3, 2019 · 3 min read


Hi guys, here again bringing an experience to share with you. As usual I will redact some information. Let's go..

While going through the application, I came across a feature that allowed downloading a document; the functionality triggered the following request:


As you can see, the body of the request, specifically the info parameter, contained a long string of digits. I tried some SQLi and XSS payloads without success. Then I tried the payload foo/../304368[rest of numbers], and the application still returned the file, which I found interesting. So I tried to reach /etc/passwd using path traversal techniques. After a bit of trying, reading this article, and fuzzing a few payloads, I finally got one that worked: ../../../etc/passwd%00. The %00 (a URL-encoded null byte) is a known bypass for several scenarios, not only path traversal; more info here. The following images illustrate the payload and response:
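As an added illustration (not code from the post; the document-store path, the appended ".pdf" extension and the function names are assumptions), this shows why a null byte defeats a handler that appends its own extension before opening the file, and how a hardened resolver rejects both the null byte and the traversal:

```python
import os
from urllib.parse import unquote

# Constructed layout of a hypothetical document store (assumption, not from the post).
DOC_ROOT = "/srv/app/docs"


def legacy_open_path(path: str) -> str:
    """Simulate a runtime whose native file API stops at the first NUL byte
    (plain C string APIs and older JVMs behaved this way)."""
    return path.split("\x00", 1)[0]


def vulnerable_resolve(info: str) -> str:
    """Pattern the post describes: the app trusts 'info', appends its own
    extension, then hands the result to the filesystem layer. With a NUL in
    the input, everything after it (including the '.pdf') is silently dropped."""
    decoded = unquote(info)
    candidate = os.path.normpath(os.path.join(DOC_ROOT, decoded + ".pdf"))
    return legacy_open_path(candidate)


def hardened_resolve(info: str) -> str:
    """Reject NUL bytes outright, canonicalise the path, and require the
    result to stay under DOC_ROOT. Raises ValueError on any escape attempt."""
    decoded = unquote(info)
    if "\x00" in decoded:
        raise ValueError("NUL byte in requested file name")
    root = os.path.realpath(DOC_ROOT)
    candidate = os.path.realpath(os.path.join(root, decoded + ".pdf"))
    # commonpath is a containment check that is not fooled by prefixes such as
    # "/srv/app/docs-old"; a plain startswith() on the string would be.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("requested path escapes the document root")
    return candidate


def is_rejected(info: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        hardened_resolve(info)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in ("304368", "foo/../304368", "../../../etc/passwd%00"):
        print(payload, "->", vulnerable_resolve(payload), "| rejected:", is_rejected(payload))
```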


After getting all the users with the payload quoted above, I made a list with the absolute home path of each user retrieved, and another wordlist containing common Linux dotfiles such as .bashrc and .vimrc. By doing this it was possible to recover one user's .bash_history file, as demonstrated below:


After reading the contents of that user's .bash_history file (if you don't know what .bash_history is, see here), I could see a reference to a file with a .zip extension, so I went to recover this file using the same %00 payload technique, as shown next:


After getting this file, I unzipped it and got a lot of Java files, as below:


Finally, I used JD-GUI to decompile the .jar files, retrieved them, and got some information, as shown below:


So that's it folks. This one was simple; I hope to have contributed a bit. xD

Sharing is Caring

best regards, fr0stNuLL
