File path traversal, traversal sequences stripped non-recursively
Last updated
Last updated
Let's access the image through the browser.
We can intercept this request in Burp Suite using the Proxy.
Now, we can sent this intercepted request to the Repeater to modify it.
Once in the Repeater, we can set the filename parameter to the following:
The server tells us that the file does not exist. This is because the ../ characters are being stripped from our parameter.
| Original | Stripped |
|---|---|
../../../etc/passwd | etc/passwd |
The problem is, the server does not strip the parameters recursively,
We can exploit it by setting the filename parameter to the following:
Now, when the ../ characters are stripped it still leaves a set of ../ characters.
| Original | Stripped |
|---|---|
....//....//....//etc/passwd | ../../../etc/passwd |
We have successfully solved the lab.
