On this page
apsyleg1 min read
#portswigger #path-traversal #web-security
File Path Traversal: Non-Recursive Stripping of Traversal Sequences
Lab
File path traversal, traversal sequences stripped non-recursively · Apprentice
Solution
Given
This lab contains a path traversal vulnerability in the display of product images.
The application strips path traversal sequences from the user-supplied filename before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
Analysis and recon
Same as the previous lab, except this time the app removes ../ but not recursively.
Final payload
GET /image?filename=....//....//....//etc/passwd
More in this category
Web Shell Upload via Extension Blacklist Bypass (PortSwigger Lab)
.php is blacklisted, but .htaccess uploads without complaint — we slip our own Apache config in and make the server execute shell.bug as PHP.
Web Shell Upload via Obfuscated File Extension (PortSwigger Lab)
Extension blacklist rejects .php and a double-extension shell.php.jpg is served as an image — a null byte in shell.php%00.jpg bypasses both checks.
Remote Code Execution via Web Shell Upload (PortSwigger Lab)
Avatar upload has no validation — drop a PHP web shell and read /home/carlos/secret.