Info:
This lab contains a path traversal vulnerability in the display of product images.
The application transmits the full file path via a request parameter, and validates that the supplied path starts with the expected folder.
Goal:
To solve the lab, retrieve the contents of the /etc/passwd file.
This lab contains a file path traversal vulnerability in how the application handles image filenames. The application expects the user-supplied file path to start with a specific directory:
/var/www/images
The goal is to read the contents of the /etc/passwd file.
The application checks that the value of the filename parameter starts with /var/www/images. However, it applies that check to the raw string and does not properly sanitize the rest of the path, so an attacker can add traversal sequences after the expected base path and they are still resolved when the file is opened.
To bypass the check, we include the required base directory in the input, followed by ../ sequences that move us up the directory tree.
/var/www/images/../../../etc/passwd
Explanation:
/var/www/images/ satisfies the prefix check.
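The flawed prefix check described above, next to a hardened version that canonicalizes the path before testing containment. This is an added example, not code from the lab or its application; the function names and sample inputs are assumptions made for illustration, and it goes slightly beyond the lab by also covering a sibling directory that shares the same string prefix.

```python
import os

BASE_DIR = "/var/www/images"  # base directory named in the lab description


def naive_check(filename: str) -> bool:
    """The flawed validation: a string prefix test on the unnormalized input."""
    return filename.startswith(BASE_DIR)


def safe_resolve(filename: str, base: str = BASE_DIR) -> str:
    """Canonicalize first, then verify the result is still inside base.

    realpath() collapses ../ sequences and follows symlinks, so the
    containment test runs on the path that would actually be opened.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(filename)
    # commonpath compares whole path components, so a sibling such as
    # /var/www/images_backup is rejected as well.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes {base}: {target}")
    return target


def compare(filename: str) -> tuple:
    """Return (naive check passes, hardened check passes) for one input."""
    try:
        safe_resolve(filename)
        hardened_ok = True
    except ValueError:
        hardened_ok = False
    return naive_check(filename), hardened_ok


if __name__ == "__main__":
    # Constructed sample inputs; the second is the path shown in the write-up.
    samples = [
        "/var/www/images/21.jpg",
        "/var/www/images/../../../etc/passwd",
        "/var/www/images_backup/x.jpg",
        "/etc/passwd",
    ]
    for sample in samples:
        print(f"{sample!r:45} naive={compare(sample)[0]} hardened={compare(sample)[1]}")
```

Any input where the two results differ is a request the prefix check accepts but that resolves outside the image directory.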