File path traversal, traversal sequences stripped non-recursively

Let's access the image through the browser.

We can intercept this request in Burp Suite using the Proxy.

Now, we can send this intercepted request to the Repeater to modify it.

Once in the Repeater, we can set the filename parameter to the following:

../../../etc/passwd

The server tells us that the file does not exist. This is because the ../ sequences are being stripped from our parameter.

Original               Stripped
../../../etc/passwd    etc/passwd

The problem is that the server does not strip the traversal sequences recursively; it removes them in a single pass.

We can exploit it by setting the filename parameter to the following:

....//....//....//etc/passwd

Now, when the ../ sequences are stripped, the remaining string still contains a full set of ../ sequences.

Original                        Stripped
....//....//....//etc/passwd    ../../../etc/passwd

We have successfully solved the lab.
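To show why the single-pass filter fails and what a sound check looks like, here is an added Python example (not part of the lab or PortSwigger's code); the image directory path is an assumption, and the payloads are the ones used above.

```python
import os
from typing import Optional

# Assumed image directory under the lab's web root (constructed for this example).
BASE_DIR = "/var/www/images"


def strip_once(filename: str) -> str:
    """Mimics the lab's flawed filter: '../' is removed in a single pass,
    so the nested sequence '....//' collapses back into '../'."""
    return filename.replace("../", "")


def strip_recursively(filename: str) -> str:
    """Repeats the strip until the string stops changing. This closes the
    '....//' bypass but still trusts string matching rather than the path."""
    previous = None
    while previous != filename:
        previous, filename = filename, filename.replace("../", "")
    return filename


def vulnerable_path(filename: str) -> str:
    """Strip-then-join, as the lab server does; normpath shows the path the
    OS would actually open, because the result is never checked."""
    return os.path.normpath(os.path.join(BASE_DIR, strip_once(filename)))


def safe_path(filename: str) -> Optional[str]:
    """Canonicalise the joined path (realpath also resolves symlinks) and
    require it to stay under BASE_DIR; None means the request is rejected."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for payload in ("cat.jpg", "../../../etc/passwd", "....//....//....//etc/passwd"):
        print(repr(payload))
        print("  single-pass strip ->", strip_once(payload))
        print("  recursive strip   ->", strip_recursively(payload))
        print("  vulnerable path   ->", vulnerable_path(payload))
        print("  safe path         ->", safe_path(payload))
```

The canonicalise-then-check approach never tries to clean the input; it rejects anything whose resolved path leaves the image directory, so the nested payload is harmless even without any stripping.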
