June 22, 2022

Perform Directory Traversal by Bypassing Filters

In this tutorial, we will see how to bypass a web application filter and perform directory traversal. We will be using the unicode character "%ef%bc%8f" which translates to "/" in ASCII. The target performs normalization after the payload bypasses the WAF, therefore, allowing us to bypass the filter and perform directory traversal attack.

This and this page contains more information about this attack.

This is the main page of the web application. It has links to a monthly and a quarterly report.

Trying to download the monthly report returns this page.

The same page is returned when trying to access the quarterly report.

Trying to download the quarterly report.

Let's try to see if we can read the "/etc/passwd" file.

Trying to read the contents of the /etc/passwd file.

It redirects us to the "/filenotfound" page. The text says that a lot of input filtering is performed on the website.

Trying to access /etc/passwd results in redirection to '/filenotfound' page.

Let's try to access some page that we are sure doesn't exist.

Trying to access some page that doesn't exist.

If a page doesn't exist, the text on the page says "Not Found".

Website response to trying to accesss a page that doesn't exist.

Trying to access the '/etc/passwd' file preceded by a bunch of '../' results in the same output that says a lot of input filtering is performed.

Trying to access /etc/passwd results in a redirection to '/filenotfound' page.

This page contains some interesting unicode characters that we can use to bypass web application filters.

Web page that contains some unicode characters that allows us to bypass web filters.

Let's try to perform the directory traversal attack once more and catch the request in Burp Intercept.

Catching the directory traversal attack in Burp Intercept.

Now change the "/" characters with their equivalent unicode ones "%ef%bc%8f".

Replacing ASCII characters with their equivalent unicode ones.

The response shows the contents of the /etc/passwd file.

Response returns the contents of the /etc/passwd file.

We can also use curl to read local files on the target.

Using curl to read local files on the target.

It shows a simple Python script that can be used to read the contents of the /etc/passwd file.

Simple Python script to read the contents of the /etc/passwd file.

The script is modified to take the filename from the user.

Modifying the Python script to take the filename from the user.

I have modified the script even further to print out the filename if the file exists and copy the contents of the file into a directory called "files".

Modifying the Python script to copy the contents of the file to a local directory.

Trying to read the /etc/passwd file works.

Retrieving the /etc/passwd file using the Python script.

Let's change into the "files" directory. We can see that the /etc/passwd file has been copied into this directory.

Verifying that the /etc/passwd file has been successfully copied.

Trying to access a file that doesn't exist won't save anything to disk.

This page contains a bunch of common linux filenames to perform LFI/RFI attacks.

GitHub page that contains common filenames for LFI/RFI attacks.

Running the Python script with the payloads file in a Bash script returns the files that are present on the target.

Running the Python script with the filename payloads.

We can see that the files that were found have been copied to the "files" directory.

Found files are copied to the 'files' directory.

This is another script in Python that allows us to retrieve the contents of the remote file by prompting us for the filename. This script uses the "cmd" Python module.

Simple Python script to perform LFI/RFI attack.

We can see that it was able to read the contents of /etc/lsb-release.

Accessing the contents of the /etc/lsb-release file.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.