🛠️ Directory traversal
Directory traversal (or path traversal) is a vulnerability that allows an attacker to read arbitrary files on a web server. Inputs that are not validated by the back-end server may be vulnerable to payloads such as "../../../". Using this method, an attacker can go beyond the root directory of the website and reach arbitrary files hosted on the web server.
Some details about the target operating system are important to know beforehand:
UNIX-like OS:
  root directory: "/"
  directory separator: "/"
Windows OS shell:
  root directory: "<drive letter>:\"
  directory separator: "\" or "/"
Classic Mac OS:
  root directory: "<drive letter>:"
  directory separator: ":"
On Windows, file and directory names are case-insensitive, so there is no need to try different payloads based on case. Also, one has to make sure that the payloads don't assume a fixed drive letter ("C:") but also cover others ("D:", "E:"...).
Directory traversal could lead to Remote Code Execution (RCE).
A fuzzer such as dotdotpwn can automate the search for traversal:
```bash
# With a request file where /?argument=TRAVERSAL (request file must be in /usr/share/dotdotpwn)
dotdotpwn.pl -m payload -h $RHOST -x $RPORT -p $REQUESTFILE -k "root:" -f /etc/passwd
# Generate a wordlist on STDOUT that can be used by other fuzzers (ffuf, gobuster...)
dotdotpwn -m stdout -d 5
```
Next, identifying the right parameter to inject is essential. Usually, a vulnerable parameter is one whose value names a file that the back-end server fetches by path (form parameters, cookies...).
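As an added defensive example (not part of the original page), here is the naive path join that such a parameter typically feeds, beside a hardened version that normalises the path and checks it stays inside the web root; it also treats "\" as a separator and rejects drive letters, as the Windows notes above suggest. WEB_ROOT, the function names and the sample payloads are assumptions constructed for the example.

```python
import posixpath
from pathlib import PureWindowsPath
from typing import Optional

WEB_ROOT = "/var/www/html"  # constructed example web root


def vulnerable_resolve(filename: str) -> str:
    """Naive join: '../' segments are honoured, so the result can leave WEB_ROOT."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, filename))


def hardened_resolve(filename: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the resolved path only if it stays inside root, otherwise None.

    Assumes the framework has already URL-decoded the parameter. The check is
    done on the normalised path, not by searching for the text '../', so
    variants like 'a/../../b' are handled the same way.
    """
    # Windows accepts '\' as well as '/', so fold both into one separator first.
    normalised = filename.replace("\\", "/")
    # Reject absolute paths and drive-letter prefixes outright ("/etc/passwd", "C:/...").
    if normalised.startswith("/") or PureWindowsPath(normalised).drive:
        return None
    candidate = posixpath.normpath(posixpath.join(root, normalised))
    # Containment check: candidate must be root itself or root + "/" + something.
    # The trailing "/" stops "/var/www/html2" from passing as inside "/var/www/html".
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed payloads in the style discussed on this page.
    for payload in ("index.html", "../../../etc/passwd", "..\\..\\..\\etc\\passwd",
                    "C:\\windows\\win.ini", "images/../index.html"):
        print(f"{payload!r:32} naive={vulnerable_resolve(payload)!r:24} "
              f"hardened={hardened_resolve(payload)!r}")
```

On a real filesystem, compare `os.path.realpath` of the candidate against the real root as well, since symlinks inside the web root can still point outside it after this lexical check passes.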
Then, to construct a payload, it helps to have a set of important files to look for:
If you can successfully retrieve one of the following files, you are at least a member of the Administrators group:
  c:/documents and settings/administrator/ntuser.ini
  c:/documents and settings/administrator/desktop/desktop.ini
If you can read either of these files, the file reading process has
  c:/system volume information/wpsettings.dat