A3:2021 | Path Transversal (5) | Cycubix Docs
Retrieving other files with a path traversal
Path traversals are not limited to file uploads; when retrieving files, it can be the case that a path traversal is possible to retrieve other files from the system. In this assignment, try to find a file called path-traversal-secret.jpg

Solution
- Hint: Can you specify the image to be fetched? Look at the Location header. Use /random?id=1, for example, to fetch a specific image. Use /random/?id=../../1.jpg to navigate to a different directory. ‘..’ and ‘/’ are no longer allowed; can you bypass this restriction? Use URL encoding for ../ to bypass the restriction.
- Open ZAP or Burp Interceptor. Then in WebGoat click “Show Random cat picture”.
- The request and response look like this:
With ZAP

- It could happen that you see the request with the following path:
GET http://localhost:8080/WebGoat/images/cats HTTP/1.1
In that case, go into the developer tools and check the path.

- In that case, find the correct request.
- Edit the request to use the following path and see whether the request can be manipulated:
/PathTraversal/random-picture?id=../../


- Since ../ is rejected, we can try to URL-encode it with the ZAP encoder. In ZAP, go to Tools/Encode-Decode-Hash.
Example in Zap Decoder

- We then replace the value with its URL-encoded equivalent: id=%2e%2e%2f%2e%2e%2fpath-traversal-secret
- The system now processes the request.


- We have now found the path to the files. Let’s go ahead and find the file provided in the exercise, “path-traversal-secret.jpg”. Change the request.

- See the answer. Make sure you selected “text” for the response body; otherwise you will not see the reply.
- Getting your SHA-512
Go to https://sha512.online/ and input a string with your WebGoat username.
It will generate a hash. Submit it as the secret answer.
