File path traversal, simple case | Dec 12, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: File path traversal, simple case! Without further ado, let’s dive in.

• Overall difficulty for me (From 1-10 stars): ★☆☆☆☆☆☆☆☆☆

Background

This lab contains a file path traversal vulnerability in the display of product images.

To solve the lab, retrieve the contents of the /etc/passwd file.

Exploitation

Home page:

View-source:

<section class="ecoms-pageheader">
    <img src="/resources/images/shop.svg">
</section>
<section class="container-list-tiles">
    <div>
        <img src="/image?filename=25.jpg">
        <h3>The Lazy Dog</h3>
        <img src="/resources/images/rating2.png">
        $81.33
        <a class="button" href="/product?productId=1">View details</a>
    </div>
    <div>
        <img src="/image?filename=2.jpg">
        <h3>All-in-One Typewriter</h3>
        <img src="/resources/images/rating1.png">
        $50.04
        <a class="button" href="/product?productId=2">View details</a>
    </div>
    [...]

As you can see, the img tag’s attribute src is using a GET parameter called filename.

This might be vulnerable to path traversal!

Let’s open one of those product images:

Hmm… What if I can use the ../ to move up a directory level and try to retrieve /etc/passwd file?

To do so, I’ll intercept the request via Burp Suite:

When we move up 1 directory level, it outputs No such file. Let’s move up more directory levels until we retrieved the /etc/passwd file!

When we move up 3 directory levels, it sucessfully retrieved the /etc/passwd’s content!!

What we’ve learned:

1. File path traversal, simple case