Lab Info

๐Ÿ” Vulnerability:

This lab contains a path traversal vulnerability in the display of product images.

โš ๏ธ The application blocks traversal sequences like ../

However, it treats the supplied filename as relative to a default working directory.

๐ŸŽฏ Goal

Retrieve the contents of the file:

/etc/passwd

๐Ÿชœ Steps to Solve

  1. ๐Ÿ” The lab contains a directory traversal vulnerability, butโ€ฆ
  2. ๐Ÿšซ It blocks the traditional traversal characters (../).
  3. ๐Ÿ’ก Instead, we provide the absolute path directly.

๐Ÿงช Final Payload

<https://0a0000dd04bcfab0830f0501000c0070.web-security-academy.net/image?filename=/etc/passwd>

๐Ÿ› ๏ธ Interception & Execution

๐Ÿ“ก Use Burp Suite to intercept the request.

โœ๏ธ Modify the filename parameter in the intercepted request and send it.

๐Ÿ“„ The contents of /etc/passwd will be displayed

image.png