
Directory Traversal Bypass: Folder/File Input

TL;DR

This guide shows how to bypass directory traversal filters when an application takes folder and file names as separate inputs. Standard filters often check for ‘..’ but fail when these are split across the two input fields.

Solution Guide

  1. Understand the Problem: Many web applications allow users to upload or access files within a specific directory structure. To prevent malicious access, they implement directory traversal filters. These filters typically look for sequences like ‘../’ (dot dot slash), which navigate up one level in the file system. However, if the application accepts the folder and the filename as separate inputs, these checks can be bypassed.

  2. Identify Separate Inputs: Look for forms or API endpoints where you provide both a directory path and a filename separately. For example:
    • Folder Path:
    • Filename:
  3. Craft the Payload: The key is to split the ‘..’ sequence across the folder and file inputs. Here are some common examples:
    • Folder Input: ../../
    • Filename Input: file.txt

    This results in a combined path of ../../file.txt, which traverses up two directories.

  4. Test with Different Combinations: Filters can vary. Try these variations:
    • Folder Input: ..%2f (‘../’ with the slash URL-encoded)
    • Filename Input: file.txt
    • Folder Input: ../
    • Filename Input: file.txt
    • Folder Input: ../../etc/passwd
    • Filename Input:

    The last example attempts to directly access a sensitive file if the filter only checks the filename.

  5. URL Encoding: Sometimes, filters decode URL-encoded characters before checking. Try encoding parts of your payload:
    • Folder Input: %2e%2e/
    • Filename Input: file.txt

    This is the URL encoded version of ‘..’.

  6. Case Sensitivity: Some systems are case-sensitive. Test with variations like:
    • Folder Input: ../
    • Filename Input: file.txt
    • Folder Input: ..%2f
    • Filename Input: File.txt
  7. Double Encoding: In rare cases, double encoding might bypass filters:
    • Folder Input: %252e%252e/ (double URL encoded ‘..’)
    • Filename Input: file.txt
  8. Null Byte Injection (%00): If the application uses older technologies, a null byte might terminate the string prematurely:
    • Folder Input: ../../%00
    • Filename Input: file.txt

    This could truncate the folder path after ‘..’, potentially bypassing checks.

  9. Path Normalization Issues: Some applications might not properly normalize paths before accessing files. Try using absolute paths:
    • Folder Input: /var/www/html/../../
    • Filename Input: file.txt

    This attempts to force the application to resolve the path from the root directory.

  10. Check for Filter Logic Errors: Sometimes, filters are poorly implemented and allow unexpected characters or combinations. Experiment with different payloads to identify weaknesses.
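The following Python is an added example, not code from the original guide: it puts the filter pattern the steps above exploit (a ‘..’ check applied only to the raw filename, before URL decoding) next to a hardened resolver that decodes once, rejects NUL bytes, normalizes the joined path and confirms it is still under an assumed upload root `/srv/app/uploads`. The inputs fed to it are the folder/filename pairs from the steps above.

```python
import posixpath
from urllib.parse import unquote

# Assumed upload root for this example (constructed, not from the guide).
BASE_DIR = "/srv/app/uploads"


def vulnerable_resolve(folder, filename):
    """Filter pattern the guide targets: only the filename is screened for
    '..', and it is screened before URL decoding. The folder input is never
    checked, so traversal placed there (or encoded as %2e%2e) goes through."""
    if ".." in filename:
        return None
    # The application later decodes both inputs and joins them.
    return posixpath.normpath(
        posixpath.join(BASE_DIR, unquote(folder), unquote(filename)))


def safe_resolve(folder, filename):
    """Hardened resolver: decode exactly once, reject NUL bytes, normalize the
    joined path, then confirm the result is still inside BASE_DIR."""
    folder, filename = unquote(folder), unquote(filename)
    if "\x00" in folder or "\x00" in filename:
        return None
    # posixpath.join drops BASE_DIR if a later part is absolute, and normpath
    # collapses any '..'; the containment check below catches both cases.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, folder, filename))
    # commonpath compares whole components, so '/srv/app/uploads-old/x' is not
    # accepted as a prefix the way a plain startswith() check would accept it.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Folder/filename pairs from the guide, plus an encoded filename.
    for folder, name in [("../../", "file.txt"), ("..%2f", "file.txt"),
                         ("%2e%2e/", "file.txt"), ("../../%00", "file.txt"),
                         ("/var/www/html/../../", "file.txt"),
                         ("docs", "%2e%2e%2f%2e%2e%2fsecret"),
                         ("docs", "report.pdf")]:
        print(f"{folder!r:24} {name!r:28} "
              f"vulnerable={vulnerable_resolve(folder, name)!r:28} "
              f"safe={safe_resolve(folder, name)!r}")
```

Only the last pair resolves under both functions; every traversal variant is either accepted by the vulnerable check or rejected by the hardened one.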