Path Traversal, also known as Directory Traversal, is a type of security vulnerability that occurs when an attacker manipulates variables that reference files with “dot-dot-slash (../)” sequences or similar constructs. This can allow the attacker to access arbitrary files and directories stored on the file system.
- Basic exploitation
- Path Traversal
We can use the ".." sequence to move to the parent directory. The following strings are several encodings that can help bypass a poorly implemented filter.
16-bit Unicode encoding
UTF-8 Unicode encoding
Bypass "../" replaced by ""
Sometimes you encounter a WAF which strips the "../" characters from the string in a single, non-recursive pass; just duplicate them, since once the inner "../" is removed the remaining characters collapse back into "../".
Bypass "../" with ";"
Double URL encoding
e.g.: Spring MVC Directory Traversal Vulnerability (CVE-2018-1271) with
An attacker can inject a Windows UNC share ('\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
NGINX in certain configurations and ALB can block traversal attacks in the route. For example, http://nginx-server/../../ will return a 400 Bad Request.
To bypass this behaviour, just add forward slashes in front of the URL:
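Seen from the defender's side, the bypasses above all target a filter that judges the raw request string instead of the path the file system will see. The following is an added example, not code from the original cheat sheet: a weak single-pass filter placed beside a resolver that decodes to a fixed point, strips servlet-style path parameters, normalizes, and checks containment against an assumed web root (/var/www/files is a constructed value).

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed web root for the example (constructed value, not from the page).
BASE_DIR = "/var/www/files"


def weak_filter(user_path: str) -> str:
    """Deny-list filter that strips '../' once; reproduces the flaw above."""
    return user_path.replace("../", "")


def safe_resolve(user_path: str, base_dir: str = BASE_DIR):
    """Resolve a user-supplied path under base_dir; return None if it escapes."""
    base = posixpath.normpath(base_dir)
    decoded = user_path
    # Decode until the string stops changing, so %252e%252e%252f (double
    # URL encoding) cannot survive a single pass. Strict UTF-8 rejects
    # overlong sequences such as %c0%ae instead of guessing a character.
    try:
        for _ in range(5):
            step = unquote(decoded, errors="strict")
            if step == decoded:
                break
            decoded = step
        else:
            return None  # still changing after five rounds: refuse it
    except UnicodeDecodeError:
        return None
    # A NUL truncates the path in many C-backed file APIs (null-byte bypass).
    if "\x00" in decoded:
        return None
    # Drop ';param' path parameters the way servlet containers do, so
    # '..;/' is judged as the '../' the backend will actually see.
    decoded = re.sub(r";[^/]*", "", decoded)
    # Windows accepts '\' as a separator; normalize so '..\..' is caught too.
    decoded = decoded.replace("\\", "/")
    # Treat the input as relative to base: leading slashes (the NGINX
    # '//../' variant and the absolute-path bypass) carry no authority.
    target = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    # Containment is decided on the normalized result, not on the raw text.
    if target != base and not target.startswith(base + "/"):
        return None
    return target
```

A benign "reports/../summary.pdf" still resolves, because the check is on where the normalized path lands, not on whether ".." appears.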
ASPNET Cookieless Bypass
When cookieless session state is enabled, ASP.NET does not rely on a cookie to identify the session; instead it modifies the URL by embedding the Session ID directly into it.
For example, a typical URL such as http://example.com/page.aspx is transformed into something like http://example.com/(S(lit3py55t21z5v55vlm25s55))/page.aspx. The value within (S(...)) is the Session ID.
We can use this behavior to bypass filtered URLs.
Bypass Java's URL protocol
Interesting Linux files
- /etc/issue
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/hosts
- /etc/motd
- /etc/mysql/my.cnf
- /proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the file descriptor)
- /proc/self/environ
- /proc/version
- /proc/cmdline
- /proc/sched_debug
- /proc/mounts
- /proc/net/arp
- /proc/net/route
- /proc/net/tcp
- /proc/net/udp
- /proc/self/cwd/index.php
- /proc/self/cwd/main.py
- /home/$USER/.bash_history
- /home/$USER/.ssh/id_rsa
- /run/secrets/kubernetes.io/serviceaccount/token
- /run/secrets/kubernetes.io/serviceaccount/namespace
- /run/secrets/kubernetes.io/serviceaccount/certificate
- /var/run/secrets/kubernetes.io/serviceaccount
- /var/lib/mlocate/mlocate.db
- /var/lib/mlocate.db
Interesting Windows files
A file that always exists on recent Windows machines. Ideal for testing path traversal, though there is nothing much of interest inside...
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
- c:/boot.ini
- c:/inetpub/logs/logfiles
- c:/inetpub/wwwroot/global.asa
- c:/inetpub/wwwroot/index.asp
- c:/inetpub/wwwroot/web.config
- c:/sysprep.inf
- c:/sysprep.xml
- c:/sysprep/sysprep.inf
- c:/sysprep/sysprep.xml
- c:/system32/inetsrv/metabase.xml
- c:/system volume information/wpsettings.dat
- c:/unattend.txt
- c:/unattend.xml
- c:/unattended.txt
- c:/unattended.xml
- c:/windows/repair/sam
- c:/windows/repair/system
The following log files are controllable and can be included with an evil payload to achieve command execution:
- File path traversal, simple case
- File path traversal, traversal sequences blocked with absolute path bypass
- File path traversal, traversal sequences stripped non-recursively
- File path traversal, traversal sequences stripped with superfluous URL-decode
- File path traversal, validation of start of path
- File path traversal, validation of file extension with null byte bypass
- Path Traversal Cheat Sheet: Windows
- Directory traversal attack - Wikipedia
- CWE-40: Path Traversal: '\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018
- NGINX may be protecting your applications from traversal attacks without you even knowing
- Directory traversal - PortSwigger
- Cookieless ASPNET - Soroush Dalili