PHP

Path Traversal with weak protection mechanism


Find a way to escape the /tmp/files/notes/ directory and access arbitrary files on the vulnerable application!

Goal

Capture the flag! The flag can be found in the file: /tmp/secret/flag.txt

Hints

Hint #1

How many times is the pattern actually replaced?

Solution


The application removes all dot-dot-slash patterns (../) from the user input to prevent path traversal. However, it does not check whether a dot-dot-slash pattern remains after the first replacement, which makes it vulnerable to path traversal. The attacker can use a nested dot-dot-slash pattern (..././): removing the inner ../ leaves a new ../ behind. This escapes the intended folder structure and gives access to the flag file stored in the secret folder.

Payload:

..././..././secret/flag.txt
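
The single-pass filter described in the solution, next to a check that resolves the path before validating it. This is an added example, not the challenge's own source: the use of str_replace() and the function names weak_filter, normalize and resolve_note are assumptions.

```php
<?php
// Added example. BASE_DIR comes from the page; the str_replace() filter and
// all function names are assumptions about how the application works.
const BASE_DIR = '/tmp/files/notes/';

// Weak: str_replace() makes one pass over the input. Removing "../" from
// "..././" joins the leftover "." and "./" into a fresh "../".
function weak_filter(string $input): string
{
    return str_replace('../', '', $input);
}

// Resolve "." and ".." segments lexically, without touching the filesystem.
function normalize(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Hardened: leave the input unmodified, resolve the full path, then require
// the result to sit below BASE_DIR. Returns null when the request is rejected.
function resolve_note(string $input): ?string
{
    if (strpos($input, "\0") !== false) {
        return null;
    }
    $resolved = normalize(BASE_DIR . $input);
    return strncmp($resolved, BASE_DIR, strlen(BASE_DIR)) === 0 ? $resolved : null;
}

// Constructed sample inputs; the last one is the payload from the page.
foreach (['todo.txt', '../../secret/flag.txt', '..././..././secret/flag.txt'] as $in) {
    $weak = normalize(BASE_DIR . weak_filter($in));
    $safe = resolve_note($in) ?? 'rejected';
    printf("%-28s weak=%-32s hardened=%s\n", $in, $weak, $safe);
}
```

The lexical check does not follow symlinks. On a real filesystem, calling realpath() on the joined path and applying the same prefix comparison covers that case; realpath() returns false when the file does not exist.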