This can be used to expose files on a server that should normally not be publicly accessible, such as configuration files. All it takes is setting up a malicious server and submitting a request to it via a web browser.

The following request would be redirected to /etc/passwd on the remote server:

The response of the server would then be:

Now, if an end user were to follow the link and access /etc/passwd on the remote server, they would receive the password for the root account.

Directory traversal can be used in two different ways:

To simply list the contents of a directory on a remote server.

To create a symbolic link from the root directory of your local system to a remote system.
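
One way a server can refuse the kinds of request described above, as an added example rather than code from the original page: the requested path is canonicalised, so that ".." segments and symbolic links are both resolved, before it is compared with the served root. The function names, the temporary web root and the file app.conf are constructed for illustration.

```python
import os
import tempfile

TRAVERSAL = "/" + "../" * 16 + "etc/passwd"  # climbs out of the root to the file named above


class PathEscape(Exception):
    """Raised when a requested path resolves outside the served root."""


def resolve_under_root(root: str, requested: str) -> str:
    """Map a URL path to a file path, refusing anything outside root."""
    root_real = os.path.realpath(root)
    # Join first, then canonicalise: realpath collapses ".." segments and
    # follows symbolic links, so both escape routes are resolved before the check.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathEscape(requested)
    return candidate


def demo() -> dict:
    """Build a constructed web root and classify a few request paths."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "webroot")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "index.html"), "w") as fh:
            fh.write("ok")
        # Constructed stand-in for a configuration file that must not be served.
        secret = os.path.join(base, "app.conf")
        with open(secret, "w") as fh:
            fh.write("db_password=placeholder")
        # A symbolic link inside the root that points outside it.
        os.symlink(secret, os.path.join(root, "docs", "link.conf"))
        for path in ("/docs/index.html", "/../app.conf",
                     "/docs/../../app.conf", "/docs/link.conf", TRAVERSAL):
            try:
                resolve_under_root(root, path)
                results[path] = "allowed"
            except PathEscape:
                results[path] = "blocked"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path}")
```

A string comparison on the raw request path would miss the symbolic-link case, because /docs/link.conf contains no ".." at all.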

Basic directory traversal

GET / HTTP/1.1
Host: www.someserver.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100122 Firefox/3.6 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Referer: http://www.doubleclickbybusymanycoboyzorobiesdotcom/?pagetype=web_page&id=399a4d7a8bbcb945bfbefb4f37b2cd89&destination=http%3A%2F%2Fwww%2Esomeserver%2Ecom &referrertosupport&mm&xid=236ca87fce79e7ec8da49de916bd7f21
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Listing the contents of a directory

If the directory traversal is performed using a URL with the hostname of the remote server, it will list files in a directory without prompting for authentication. For example, if you are browsing your local system’s home directory on your localhost and you want to browse another user’s home directory on the remote server, you would visit https://remote.example.com/~username and find all of the files in that user’s home directory.

List the contents of a directory on a remote system

To list the contents of a directory on a remote server, simply send the following HTTPS request to the remote server. The response will be a list of all files in the directory:

To create a symbolic link from the root directory of your local system to a remote system, simply send the following HTTPS request to the remote server. The response will be an empty file:

Timeline

Published on: 08/27/2022 21:15:00 UTC
Last modified on: 09/01/2022 19:37:00 UTC
