apsyleg
#portswigger #path-traversal #web-security
File Path Traversal: Bypassing Extension Validation with a Null Byte
Lab
File path traversal, validation of file extension with null byte bypass · Practitioner
Solution
Given
This lab contains a path traversal vulnerability in the display of product images.
The application validates that the supplied filename ends with the expected file extension.
To solve the lab, retrieve the contents of the /etc/passwd file.
Analysis and recon
Same setup as the previous lab, except that this one checks that the supplied filename ends with the expected image extension (.png here). Plain traversal is rejected because /etc/passwd does not end in .png, so we use the "null byte" technique: append a URL-encoded NUL (%00) followed by the expected extension. The validation runs on the full decoded string and sees .png at the end, but the lower-level file API treats the string as NUL-terminated and never sees anything after the null byte. Caveat: this only works where the runtime hands the decoded string down to a C-style API without rejecting embedded NULs; current versions of most languages and frameworks refuse such strings, so the bypass is far less common on modern stacks than it once was.
Final payload
GET /image?filename=/../../../etc/passwd%00.png
The leading / takes us straight to the filesystem root (the ../ sequences are harmless there), %00 is decoded to a raw null byte by the server, and the trailing .png satisfies the extension check. When the server passes the decoded string to the filesystem, the path is cut off at the null byte, so the read opens /etc/passwd and returns its contents: the filter is bypassed.
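As an added illustration (this is not the lab's code and not PortSwigger's), here is a small Python model of why the payload works and what a correct check looks like. BASE_DIR, the function names and the c_string helper are assumptions: the helper stands in for a NUL-terminated file API, which is what the vulnerable server's runtime is passing the decoded string to.

```python
from typing import Optional
from urllib.parse import unquote
import posixpath

# Constructed model of the lab's image endpoint (not the lab's real code).
BASE_DIR = "/var/www/images"   # hypothetical directory the images live in
EXPECTED_EXT = ".png"          # extension the validation insists on


def c_string(s: str) -> str:
    """What a C-style file API receives: the string ends at the first NUL."""
    nul = s.find("\x00")
    return s if nul == -1 else s[:nul]


def vulnerable_resolve(filename_param: str) -> Optional[str]:
    """Lab-style check: validate the extension on the full decoded string,
    then hand that string to a NUL-terminated file API."""
    filename = unquote(filename_param)          # %00 becomes a raw NUL here
    if not filename.endswith(EXPECTED_EXT):
        return None                             # rejected by the extension check
    # Like many path-join APIs, an absolute second component discards BASE_DIR.
    path = posixpath.join(BASE_DIR, filename)
    # The filesystem never sees ".png": the NUL terminates the path before it.
    return posixpath.normpath(c_string(path))


def hardened_resolve(filename_param: str) -> Optional[str]:
    """Reject embedded NULs, canonicalise, and confine the result to BASE_DIR
    before checking the extension on the path that will actually be opened."""
    filename = unquote(filename_param)
    if "\x00" in filename:
        return None                             # no NUL may reach the file API
    path = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    if not path.startswith(BASE_DIR + "/"):
        return None                             # escaped the image directory
    if not path.endswith(EXPECTED_EXT):
        return None                             # wrong extension on the real path
    return path


if __name__ == "__main__":
    payload = "/../../../etc/passwd%00.png"
    print("vulnerable:", vulnerable_resolve(payload))   # /etc/passwd
    print("hardened:  ", hardened_resolve(payload))     # None
    print("hardened:  ", hardened_resolve("cat.png"))   # /var/www/images/cat.png
```

The order in the hardened version is the point: decode, reject NULs outright, canonicalise, confine to the base directory, and only then check the extension on the canonical path that will be opened. Checked in that order, neither the null byte nor the traversal sequences have anything left to bypass, and no blocklist of ../ variants is needed.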
Lab solved!