Sup everyone, currently doing all of PortSwigger's labs to prepare for a certification. I'm doing all the labs, so there will be plenty of repetition like this; anyways, hope you enjoy it and that I help someone out.
So consider a web app that shows some images; the HTML would look something like this: <img src="/loadimage?filename=image.png">. The loadimage endpoint takes a filename and returns the image using a filesystem API.
The default image location is /var/www/images/, so if there is no filter or firewall rule stopping us from changing directories we could read arbitrary files. ../ means go up one directory to the parent (a bit like breaking parser logic), so if we input ../../../ we end up in the root directory, basically skipping /var/www/images/.
So purely as a PoC we could put https://vuln.com/loadimage?filename=../../../etc/passwd in the URI and we would be able to read /etc/passwd. For a Windows server the equivalent would be https://vuln.com/loadimage?filename=..\..\..\windows\win.ini.
Some ways of circumventing poorly written firewall rules: we could for example try the absolute path, which would be filename=/etc/passwd, or a nested traversal sequence like ....// or ....\/, where a filter that strips the inner ../ only once leaves ../ behind.
In some contexts, such as a URL path or the filename parameter of a multipart/form-data request (where no characters get encoded), web servers may strip any directory traversal sequences before passing your input to the application. You can try URL encoding or double URL encoding, which would be %2e%2e%2f or %252e%252e%252f. Some non-standard encodings like ..%c0%af or ..%ef%bc%8f may also work.
Some web apps require that the filename starts with /var/www/images, so for example filename=/var/www/images/../../../etc/passwd could also get you past the check.
If the web app requires that the user input ends with an expected file extension, for example .png, you might be able to bypass this with a null byte, which would be https://vuln.com/loadimage?filename=../../../etc/passwd%00.png
(The posting keeps fucking some code up, so here is the full correct code: https://pastebin.com/gFuU4Xrv)
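Here is an added example (my own code, not the author's and not from the PortSwigger labs) that puts the bypasses above side by side with a check that survives them: a strip-once filter of the kind ....//, %252e and %00.png defeat, next to a canonicalising check that fully decodes the value, rejects null bytes, resolves the path and confirms it is still under /var/www/images (the base directory from the post). The function names are mine.

```python
import os
import urllib.parse

# Base image directory named in the post; resolved once so a symlink cannot
# shift the boundary later.
BASE_DIR = "/var/www/images"
BASE_REAL = os.path.realpath(BASE_DIR)


def naive_resolve(filename):
    """Deliberately weak filter of the kind the post's bypasses target:
    decode once, strip '../' once, then require a .png suffix."""
    decoded = urllib.parse.unquote(filename)
    cleaned = decoded.replace("../", "")      # '....//' collapses to '../'
    if not cleaned.endswith(".png"):          # '%00.png' still ends in .png
        return None
    return os.path.join(BASE_DIR, cleaned)    # never canonicalised


def safe_resolve(filename):
    """Hardened check: fully decode, reject NUL, canonicalise against the
    base directory and only accept paths that stay inside it."""
    decoded = filename
    for _ in range(3):                        # %252e%252e%252f needs two passes
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "\x00" in decoded:                     # C file APIs truncate at NUL
        return None
    decoded = decoded.replace("\\", "/")      # treat '..\' like '../'
    # os.path.join drops BASE_DIR when 'decoded' is absolute, so
    # filename=/etc/passwd lands outside the base and fails the prefix check.
    full = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if full != BASE_REAL and not full.startswith(BASE_REAL + os.sep):
        return None
    return full
```

Repeated decoding is a design choice for the demo: a legitimate name containing a literal % would be altered, so a real service would decode exactly once and reject anything that still contains %.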
EDIT: Found a neat way of bypassing this today. In Burp Repeater the GET parameter should be: image.php?=php://filter/convert.base64-encode/resource=/etc=passwd and then you go to your terminal and echo -n (retrieved base64 code) | base64 -d to decrypt the file.
For the exact code: https://pastebin.com/d57U5knZ
-Admin/0xgh64