File path traversal, validation of file extension with null byte bypass

Let's access the image through the browser.

We can now intercept this request in Burp Suite using the Proxy
.

Now, we can forward the request to the Repeater
to makes changes in it.
Let's change the filename
parameter to the following and forward the request:
../../../etc/passwd

The server expects a .png
file extension. We can use %00
characters before the extension so that our string gets terminated before the extension
../../../etc/passwd%00.png

We have successfully solved the lab.

Last updated
Was this helpful?