Directory traversal vulnerabilities are present when a user may gain unauthorized access to files, e.g. by using path traversal operators such as ../.
Discovery
To find directory traversal vulnerabilities on a webpage, try fuzzing query parameters, especially when the value looks like a filename. A common technique is to add ../ and ..\ to the path to traverse the server filesystem.
Also see the PHP wrapper trick (php://filter) when trying to read files that may contain special characters (which may be misinterpreted when include() is used).
Exploitation
To attack a directory traversal vulnerability, simply load the desired file such as /etc/passwd. RCE is achievable when include() is used in the source and a PHP wrapper (php://filter) can be used to load attacker-supplied plain text as a file.
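From the defender's side, the include() pattern described above next to a hardened loader, as an added example that is not from the original page or any project. The function names, the temporary directory and the sample inputs are constructed for illustration.

```php
<?php
// Added example; function names, directory layout and sample inputs are constructed.

// Vulnerable pattern: the parameter reaches include() unchanged, so ../ sequences
// and stream wrappers such as php://filter are both honoured.
function render_vulnerable(string $page): void
{
    include $page;
}

// Returns the canonical path of $page inside $baseDir, or null if it escapes.
function resolve_page(string $baseDir, string $page): ?string
{
    // Reject stream wrappers and NUL bytes before touching the filesystem.
    if (strpos($page, '://') !== false || strpos($page, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses .. segments and resolves symlinks; false if the path is missing.
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $full === false) {
        return null;
    }
    // Trailing separator so a sibling such as /pages-old does not match /pages.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

function render_hardened(string $baseDir, string $page): void
{
    $path = resolve_page($baseDir, $page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    // readfile() sends the bytes as data; unlike include() it never executes them as PHP.
    readfile($path);
}

// Constructed demo: a temporary content directory holding a single page.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'home.txt', "welcome\n");
foreach (['home.txt', '../../etc/passwd', '..\\..\\boot.ini', 'php://filter/resource=home.txt'] as $p) {
    printf("%-32s %s\n", $p, resolve_page($base, $p) === null ? 'rejected' : 'allowed');
}
```

The containment check runs on the canonical path, so encoded or nested traversal sequences that survive input filtering are still caught once the filesystem resolves them.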