Portswigger: Path Traversal > File path traversal, validation of start of path Writeups By Md Mirajul Haque Miraj || MirajulHaque || Security?Path

Note: The write-ups written only for Educational Purposes. All the credits go to Portswigger for providing the lab. Please try and try yourself before reading this write-up. Thanks. Let’s get STARTED…

Reference: https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path

? Now press on the orange rounded “ ACCESS THE LAB ” Button

? Now we need to find a query parameter that retrieves data like static text, images, etc…?

? Let’s try and check…↓↓

? Right-click on any image and open it to a new tab

? Look carefully, the developer added a specific image location, so we will need to follow this role too. So we will also keep /var/www/images and then use the payload like the one below

? Replace ‘11.jpg’ with ‘/etc/passwd’ and hit enter

? Failed! Now add?../ before /etc/passwd and try again and repeat, After adding 3 times we got something different… ↓↓

== Payload: /var/www/images/../../../etc/passwd

? Result

? Solved

? Lab is solved, it’s like a blind way, but we need to read the data so we may use NULL BYTE after the payload, but note that it is fixed from PHP 5.3.4 to above, so it will not work, so we have an option that is using Burp Suite, let’s intercept this exact request (with filename parameter)…

? Send it to the repeater and replace the filename value with our worked payload and send the request…

? We can see the data successfully…

Congratulation My Friend.

~Thanks For?Reading~

~Have a GooD?DaY~