Portswigger: Path Traversal > File path traversal, traversal sequences stripped non-recursively Writeups By Md Mirajul Haque Miraj || Security Path

Note: The write-ups written only for Educational Purposes. All the credits go to Portswigger for providing the lab. Please try and try yourself before reading this write-up. Thanks. Let’s get STARTED…

Reference: https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively

? Now press on the orange rounded “ ACCESS THE LAB ” Button

? Now we need to find a query parameter that retrieves data like static text, images, etc…? ? Let’s try and check…↓↓

? Right-click on any image and open it to a new tab

? Replace ‘43.jpg’ with ‘/etc/passwd’ and hit enter

? Failed! Now and?../ and try again and repeat…

? All Failed, Look at the description carefully, they said ↓↓

? Let’s use sequence two times at the same position, like?….// instead of?../ to bypass this issue ? After the Trial-Error test we got something different for the? Payload=?….//….//….//etc/passwd

? Result

? Solved

? Lab is solved, it’s like a blind way, but we need to read the data so we may use NULL BYTE after the payload, but note that it is fixed from PHP 5.3.4 to above, so it will not work, so we have an option that is using Burp Suite, let’s intercept this exact request (with filename parameter)…

? Send it to the repeater and replace the filename value with our worked payload and send the request…

? We can see the data successfully…

Congratulation My Friend.

~Thanks For Reading~

~Have a GooD?DaY~