apsyleg · 1 min read
#portswigger #path-traversal #web-security

File Path Traversal: Bypassing Blocked Traversal Sequences with an Absolute Path

Lab

File path traversal, traversal sequences blocked with absolute path bypass · Apprentice

Solution

Given

This lab contains a path traversal vulnerability in the display of product images.

The application blocks traversal sequences but treats the supplied filename as being relative to a default working directory.

To solve the lab, retrieve the contents of the /etc/passwd file.

Analysis

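Everything is the same as in the previous lab, except that this time the bypass is an absolute path. The filter blocks traversal sequences, but the filename is only treated as relative to a default working directory, so an absolute path needs no traversal sequence at all.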

Recon. Final payload

GET /image?filename=/etc/passwd
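
Why the request above gets through the filter, and the containment check that stops it, shown as an added example (not code from the lab or from PortSwigger). It assumes a Python backend, which the lab does not state; `BASE_DIR`, `resolve_naive`, `resolve_contained` and `outcome` are hypothetical names.

```python
import os

BASE_DIR = "/var/www/images"  # assumed image directory (hypothetical)


def resolve_naive(filename):
    """Filter as the lab describes it: block traversal sequences, then join."""
    if ".." in filename:
        raise ValueError("traversal sequence blocked")
    # os.path.join() drops BASE_DIR entirely when filename is absolute.
    return os.path.join(BASE_DIR, filename)


def resolve_contained(filename):
    """Resolve the final path first, then require it to stay under BASE_DIR."""
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes image directory")
    return candidate


def outcome(resolver, filename):
    """Return (allowed, detail) so both resolvers can be compared side by side."""
    try:
        return True, resolver(filename)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs; /etc/passwd is the value from the lab payload.
    for name in ("42.jpg", "../../../etc/passwd", "/etc/passwd"):
        print(name, outcome(resolve_naive, name), outcome(resolve_contained, name))
```

The naive resolver rejects the `../` form but returns `/etc/passwd` unchanged for the absolute path, while the contained resolver rejects both because it validates the resolved path instead of the input string.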