File path traversal, traversal sequences stripped non-recursively

Let's access the image through the browser.

We can intercept this request in Burp Suite using the Proxy.

Now, we can sent this intercepted request to the Repeater to modify it.

Once in the Repeater, we can set the filename parameter to the following:

../../../etc/passwd

The server tells us that the file does not exist. This is because the ../ characters are being stripped from our parameter.

Original	Stripped
../../../etc/passwd	etc/passwd

The problem is, the server does not strip the parameters recursively,

We can exploit it by setting the filename parameter to the following:

....//....//....//etc/passwd

Now, when the ../ characters are stripped it still leaves a set of ../ characters.

Original	Stripped
....//....//....//etc/passwd	../../../etc/passwd

We have successfully solved the lab.