File path traversal, traversal sequences stripped non-recursively
Last updated
Last updated
Let's access the image through the browser.
We can intercept this request in Burp Suite using the Proxy
.
Now, we can sent this intercepted request to the Repeater
to modify it.
Once in the Repeater
, we can set the filename
parameter to the following:
The server tells us that the file does not exist. This is because the ../
characters are being stripped from our parameter.
Original | Stripped |
---|---|
../../../etc/passwd | etc/passwd |
The problem is, the server does not strip the parameters recursively,
We can exploit it by setting the filename
parameter to the following:
Now, when the ../
characters are stripped it still leaves a set of ../
characters.
Original | Stripped |
---|---|
....//....//....//etc/passwd | ../../../etc/passwd |
We have successfully solved the lab.