Path traversal
Lab: File path traversal, simple case
This lab contains a path traversal vulnerability in the display of product images.
To solve the lab, retrieve the contents of the /etc/passwd file.
Open Burp, intercept the traffic, and find the request that returns a product image. There is no filtering at all, so a plain traversal sequence works: change `filename=1.jpg` to `filename=../../../etc/passwd`.
Lab: File path traversal, traversal sequences blocked with absolute path bypass
This lab contains a path traversal vulnerability in the display of product images.
The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.
To solve the lab, retrieve the contents of the /etc/passwd file.
This time `../` sequences are blocked, and whatever survives is treated as a path relative to the default working directory, so no matter how many levels you try to traverse the server keeps returning 404.
The bypass is to skip traversal entirely and supply an absolute path, which the server joins onto the base directory and which therefore replaces it: `filename=/etc/passwd`.
Lab: File path traversal, traversal sequences stripped non-recursively
This lab contains a path traversal vulnerability in the display of product images.
The application strips path traversal sequences from the user-supplied filename before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
`../` is filtered, but only by a single, non-recursive replacement with the empty string, so doubling the sequence bypasses it: after one pass, each `....//` collapses to `../`.
`filename=....//....//....//....//etc/passwd`
Lab: File path traversal, traversal sequences stripped with superfluous URL-decode
This lab contains a path traversal vulnerability in the display of product images.
The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
`../` is filtered more strictly here, but the lab tells us the parameter value is URL-decoded once more after the filter runs. The web server already decoded the parameter once, so double-URL-encoding `/` as `%252f` means the filter sees `..%2f` (no traversal sequence) while the second decode turns it back into `../` before the path is used.
`filename=..%252f..%252f..%252fetc/passwd`
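To see why each of the four payloads above ends up at /etc/passwd, here is an added Python model of the four server-side filters as the lab descriptions state them. This is illustrative code written for these notes, not the labs' real source: the base directory /var/www/images is taken from the start-of-path lab further down, the exact filter logic is assumed from the descriptions, and for the URL-decode lab the first decode (done by the web server) and the superfluous second decode (done by the application) are modelled as two separate steps.

```python
import posixpath
from urllib.parse import unquote

# Assumed image directory (the later "validation of start of path" lab reveals it).
BASE = "/var/www/images"


def resolve(base: str, filename: str) -> str:
    """Path the OS would actually open: a relative name is joined onto the base,
    an absolute name replaces it entirely (posixpath.join semantics)."""
    return posixpath.normpath(posixpath.join(base, filename))


def has_traversal(s: str) -> bool:
    """Naive traversal check, as the filtered labs appear to implement it."""
    return "../" in s or "..\\" in s


def lab1_serve(filename: str):
    """Simple case: no filtering at all."""
    return resolve(BASE, filename)


def lab2_serve(filename: str):
    """Traversal sequences blocked, but an absolute path is accepted as-is."""
    if has_traversal(filename):
        return None  # the lab answers 404
    return resolve(BASE, filename)


def lab3_serve(filename: str):
    """'../' stripped once, non-recursively: '....//' survives as '../'."""
    cleaned = filename.replace("../", "")
    return resolve(BASE, cleaned)


def lab4_serve(raw_param: str):
    """Filter runs on the once-decoded value, then the app decodes again."""
    once = unquote(raw_param)      # the web server's normal URL-decode
    if has_traversal(once):
        return None
    twice = unquote(once)          # the application's superfluous second decode
    return resolve(BASE, twice)


if __name__ == "__main__":
    cases = [
        ("lab1", lab1_serve, "../../../etc/passwd"),
        ("lab2", lab2_serve, "../../../etc/passwd"),
        ("lab2", lab2_serve, "/etc/passwd"),
        ("lab3", lab3_serve, "../../../etc/passwd"),
        ("lab3", lab3_serve, "....//....//....//....//etc/passwd"),
        ("lab4", lab4_serve, "..%2f..%2f..%2fetc/passwd"),
        ("lab4", lab4_serve, "..%252f..%252f..%252fetc/passwd"),
    ]
    for name, fn, payload in cases:
        print(f"{name}: {payload!r} -> {fn(payload)!r}")
```

Running it shows the blocked payload returning `None` (the lab's 404) and the bypass payload resolving to `/etc/passwd` for every filter; note in particular that lab 3's stripped input `../../../etc/passwd` becomes `/var/www/images/etc/passwd`, which is why the plain payload fails there.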
Lab: File path traversal, validation of start of path
This lab contains a path traversal vulnerability in the display of product images.
The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.
To solve the lab, retrieve the contents of the /etc/passwd file.
The initial request carries the full path:
`filename=/var/www/images/1.jpg`
The application only checks that the user-supplied filename starts with the expected base folder, /var/www/images, and never canonicalises it, so keep that prefix and traverse out of it afterwards:
`filename=/var/www/images/../../../etc/passwd`
Lab: File path traversal, validation of file extension with null byte bypass
This lab contains a path traversal vulnerability in the display of product images.
The application validates that the supplied filename ends with the expected file extension.
To solve the lab, retrieve the contents of the /etc/passwd file.
Null-byte truncation bypasses the extension check: the string comparison sees `.jpg` at the end of the value, but the underlying file-system call stops reading the name at the `%00`, so the file actually opened is `../../../etc/passwd`.
`filename=../../../etc/passwd%00.jpg`
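The last two labs share a pattern: the check runs on the string while the file system sees something else. Below is an added Python model (again written for these notes, not the labs' code) of the start-of-path check and the extension check, with the C-level NUL truncation modelled by cutting the name at the first `\x00`, followed by a hardened `safe_serve` that rejects NUL bytes, canonicalises the path first and only then checks that the result is still under the base directory. The base directory /var/www/images is taken from the lab; `posixpath` is used so the behaviour is the same on any host.

```python
import posixpath

# Image directory from the "validation of start of path" lab.
BASE = "/var/www/images"


def lab5_serve(filename: str):
    """Client sends the full path; only the prefix is validated, never the
    canonical form, so '/var/www/images/../../../etc/passwd' passes."""
    if not filename.startswith(BASE + "/"):
        return None  # 400/404 in the lab
    return posixpath.normpath(filename)


def lab6_serve(filename: str):
    """Extension check on the whole string, but the file is opened through a
    C string API that stops at the first NUL byte (modelled with split)."""
    if not filename.endswith(".jpg"):
        return None
    opened = filename.split("\x00", 1)[0]   # what open(2) actually receives
    return posixpath.normpath(posixpath.join(BASE, opened))


def safe_serve(filename: str):
    """Hardened version: reject NUL, canonicalise, then enforce containment.
    On a real server use os.path.realpath as well, so symlinks under BASE
    cannot point outside it."""
    if "\x00" in filename:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, filename))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for name, fn, payload in [
        ("lab5", lab5_serve, "/var/www/images/../../../etc/passwd"),
        ("lab6", lab6_serve, "../../../etc/passwd\x00.jpg"),
        ("safe", safe_serve, "/var/www/images/../../../etc/passwd"),
        ("safe", safe_serve, "../../../etc/passwd\x00.jpg"),
        ("safe", safe_serve, "..%2f..%2f..%2fetc/passwd"),
        ("safe", safe_serve, "1.jpg"),
    ]:
        print(f"{name}: {payload!r} -> {fn(payload)!r}")
```

The ordering in `safe_serve` is the whole point: `lab5_serve` compares the prefix before normalising and is bypassed, `safe_serve` normalises before comparing and is not. The `candidate != BASE` clause avoids a prefix match against a sibling directory such as /var/www/images2 while still allowing the base itself.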