Directory traversal
Directory traversal (or path traversal) is a vulnerability that allows an attacker to read arbitrary files on a web server. Inputs that are not validated by the back-end server may be vulnerable to payloads such as "../../../". Using this method, an attacker can go beyond the root directory of the website and reach arbitrary files hosted on the web server (/etc/passwd, /etc/hosts, c:/boot.ini, etc.).
Some details are important to know beforehand.
Each operating system uses different characters as a path separator:
Unix-like OS: /
Windows OS: \ (most Windows APIs also accept /)
Classic Mac OS: :
On Windows, file and directory names are case-insensitive, so there is no need to try payload variants that differ only in case. Also, make sure the payloads do not assume a fixed drive letter ("C:"); try other drive letters as well ("D:", "E:"...).
Directory traversal could lead to Remote Code Execution (RCE).
Next, finding the right parameter to inject is essential. Usually, a vulnerable parameter is one that requires a file that will be fetched by the back-end server using a path (form parameters, cookies...).
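The pattern described above, a request parameter naming a file that the back end fetches by path, is shown below in its vulnerable form next to a hardened resolver. This is an added example for illustration, not code from the original page; the document root "/srv/app/static" and the function names are assumptions. The hardened version decodes the parameter (twice, to catch double encoding), rejects null bytes, absolute paths and drive letters, normalises the result and then verifies it still lies under the document root.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root, constructed for this example.
WEB_ROOT = "/srv/app/static"


def vulnerable_join(web_root: str, user_path: str) -> str:
    """Flawed pattern: append the request parameter to the document root.

    os.path.normpath collapses '..' segments, so '../../../etc/passwd'
    walks out of web_root, and os.path.join discards web_root entirely
    when the parameter is an absolute path such as '/etc/hosts'.
    """
    return os.path.normpath(os.path.join(web_root, user_path))


def safe_join(web_root: str, user_path: str) -> Optional[str]:
    """Hardened resolver; returns None when the request must be refused."""
    decoded = user_path
    for _ in range(2):  # second pass catches double encoding (%252e%252e)
        decoded = unquote(decoded)
    if "\x00" in decoded:  # null byte truncation tricks
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None  # absolute path or Windows drive letter (C:, D:, ...)
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, decoded))
    # The decisive check: the normalised path must still be inside root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for param in ("img/logo.png", "../../../etc/passwd", "/etc/hosts",
                  "%2e%2e%2f%2e%2e%2fetc/passwd", "..\\..\\windows\\win.ini",
                  "c:/boot.ini"):
        print(f"{param!r:40} vulnerable -> {vulnerable_join(WEB_ROOT, param)}")
        print(f"{'':40} safe       -> {safe_join(WEB_ROOT, param)}")
```

The lexical check is deliberate: it does not touch the filesystem, so it behaves the same on a test box and in production. It does not, however, protect against symbolic links inside the document root that point outside it; if those are possible, resolve the candidate with os.path.realpath and repeat the commonpath check on the result.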
Then, to construct a payload, it's interesting to have a set of important files to search:
If you can successfully retrieve one of the following files, you are at least a member of the Administrators group:
There may be no "administrator" account; in that case you have to guess the right one.
If you can read either of these files, the file reading process has LocalSystem privileges.
The tool (Perl) can help in finding and exploiting directory traversal vulnerabilities by fuzzing the web app. However, manual testing is usually more efficient.
The first step is to find what kind of system is used (Linux, Windows...). One way to do that is to check which technology is used (some technologies run on Linux while others run on Windows).
Various filters could be set for a web application (using a Web Application Firewall for example). A set of bypass payloads can be found in .
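Because filter bypasses exist, a detection rule on the server side should not match the literal string "../" but should decode and normalise each request component first. The scanner below, an added example that is not part of the original page, walks constructed access-log lines (combined log format, fabricated IPs from documentation ranges) and flags a request when the path or any query value, after repeated percent-decoding and backslash normalisation, climbs above its starting directory or names one of the files listed on this page as typical targets. The log format, regex and sensitive-file set are assumptions for the example.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../../etc/passwd HTTP/1.1" 200 2314
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 220
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /download?file=..%255c..%255cboot.ini HTTP/1.1" 404 0
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /static/css/../main.css HTTP/1.1" 200 512
"""

# Combined log format: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Basenames of the files this page names as typical traversal targets.
SENSITIVE = {"passwd", "hosts", "boot.ini"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> Optional[str]:
    """Return a reason when a decoded path-like value looks like traversal."""
    value = fully_decode(value).replace("\\", "/")
    if "\x00" in value:
        return "null byte"
    absolute = value.startswith("/") or re.match(r"^[A-Za-z]:/", value) is not None
    # Strip a leading slash before normalising: posixpath.normpath silently
    # drops '..' segments that go above '/', which would hide '/../../etc'.
    norm = posixpath.normpath(value.lstrip("/") if value.startswith("/") else value)
    if norm == ".." or norm.startswith("../"):
        return "parent directory escape"
    if absolute and posixpath.basename(norm).lower() in SENSITIVE:
        return "absolute reference to sensitive file"
    return None


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Check the request path and every query value of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    checks = [("path", parts.path)]
    checks += [(f"query:{k}", v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    for where, value in checks:
        reason = classify_value(value)
        if reason:
            return {"ip": m.group("ip"), "where": where, "value": value,
                    "reason": reason, "status": m.group("status")}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Note that the legitimate request "/static/css/../main.css" is not flagged, because a single ".." that stays inside the tree normalises away; only values that end up above their starting directory count. A 200 status on a flagged line is the case worth paging on, since it suggests the file was actually served.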