Basic Bypass

Non-recursive path traversal filters

  • One of the most basic defences is a search-and-replace filter that simply deletes the substring ../ from the input to prevent path traversal:

  • $language = str_replace('../', '', $_GET['language']);

  • This filter is not recursive: it runs a single pass over the input string and never re-checks its own output, so a ../ that is only formed by the removal of another ../ survives

  • we can use ....// as our payload: the filter removes only the inner ../ and leaves ../ behind

  • we could also use

    • ..././

    • ....\/

    • ....////
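The single-pass behaviour above, modelled in Python as an added example (not code from the original page): `str.replace` is, like PHP's `str_replace`, one non-overlapping left-to-right pass, so the same payloads survive it. The backslash variant is left out of the constructed payload list because its effect depends on whether the target treats `\` as a path separator. The recursive filter and the `still_traverses` check are illustrative hardening, not anything the page prescribes.

```python
import posixpath

# Constructed payloads taken from the list above (minus the backslash variant)
PAYLOADS = ["../", "....//", "..././", "....////"]


def naive_filter(value: str) -> str:
    """Emulates str_replace('../', '', $_GET['language']): a single,
    non-overlapping, left-to-right pass whose output is never re-scanned,
    so a '../' formed by the removal itself is not caught."""
    return value.replace("../", "")


def recursive_filter(value: str) -> str:
    """Hardened variant: keep stripping until a pass changes nothing,
    so fragments that re-form '../' after a removal are caught too."""
    previous = None
    while previous != value:
        previous, value = value, value.replace("../", "")
    return value


def still_traverses(path: str) -> bool:
    """True if a '..' component remains after POSIX normalisation, i.e. the
    string would still climb out of its starting directory on a POSIX target."""
    return ".." in posixpath.normpath(path).split("/")


def evaluate(filter_fn) -> dict:
    """Run every payload through filter_fn; map payload -> (output, traverses?)."""
    return {p: (filter_fn(p), still_traverses(filter_fn(p))) for p in PAYLOADS}


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("recursive", recursive_filter)):
        print(f"--- {name} filter ---")
        for payload, (result, climbs) in evaluate(fn).items():
            print(f"{payload!r:14} -> {result!r:10} traverses={climbs}")
```

Running it shows every payload except the plain `../` reaching include() as a working traversal under the naive filter, and none under the recursive one. Recursive stripping alone is still not a complete fix (it does nothing about absolute paths or encoded input); resolving the final path and checking it stays inside the intended directory is the stronger control.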

Encoding

  • Some web filters may block input that contains certain LFI-related characters, such as a dot . or a slash / used for path traversal

  • These filters can sometimes be bypassed by URL-encoding our input: the filter inspects the encoded value, while the server or application decodes it before the path is used

  • PHP's core filters in version 5.3.4 and earlier were specifically vulnerable to this bypass; it can occasionally work on newer versions as well

  • we can URL-encode ../ into %2e%2e%2f (. is %2e and / is %2f)

  • URL encoding can be done with any online encoder or with Burp Decoder

  • Burp Decoder can also double-encode a string (encoding the % itself, so %2e becomes %252e) to bypass a filter that checks the input after one round of decoding; this only yields ../ if the application decodes the value a second time before using it
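Where the filter sits relative to URL decoding decides whether single or double encoding gets past it. The following is an added example, not code from the original page: it builds the encoded payloads and models a constructed filter that rejects any value containing `.` or `/`, with configurable rounds of decoding before and after the check (a WAF looking at the raw query string versus a PHP check on the already-decoded `$_GET`, plus an optional explicit `urldecode()` in the application).

```python
from urllib.parse import quote, unquote


def url_encode_all(value: str) -> str:
    """Percent-encode every character, so '../' becomes '%2e%2e%2f'.
    (urllib's quote() leaves '.' untouched, hence the hand-rolled loop.)"""
    return "".join(f"%{b:02x}" for b in value.encode())


def double_encode(value: str) -> str:
    """Encode the '%' signs of an already-encoded string: '%2e' -> '%252e'."""
    return quote(url_encode_all(value), safe="")


def filter_blocks(value: str) -> bool:
    """Constructed filter: rejects input that contains a dot or a slash."""
    return "." in value or "/" in value


def simulate(raw_value: str, decodes_before_filter: int, decodes_after_filter: int):
    """Model the filter's position relative to URL decoding.

    decodes_before_filter: rounds of URL decoding applied before the filter
      sees the value (0 = a WAF on the raw query string, 1 = a check on $_GET).
    decodes_after_filter: extra rounds the application applies before the
      path is used (e.g. an explicit urldecode() call).
    Returns (blocked, value_reaching_include).
    """
    value = raw_value
    for _ in range(decodes_before_filter):
        value = unquote(value)
    if filter_blocks(value):
        return True, None
    for _ in range(decodes_after_filter):
        value = unquote(value)
    return False, value


if __name__ == "__main__":
    single = url_encode_all("../")
    double = double_encode("../")
    print("single-encoded:", single, "double-encoded:", double)
    print("raw-string filter, server decodes once:", simulate(single, 0, 1))
    print("filter on decoded $_GET, no further decoding:", simulate(single, 1, 0))
    print("double encoding, app decodes again:", simulate(double, 1, 1))
    print("double encoding, app does not decode again:", simulate(double, 1, 0))
```

The last case is the caveat worth remembering: a double-encoded payload slips past a filter that decodes once, but if nothing decodes it a second time the literal string `%2e%2e%2f` reaches the include and no traversal happens.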

Approved Paths

  • Some applications use a regex to ensure that the file being included is under a specific path, for example by checking that the input starts with an approved directory

  • To find approved paths, examine the requests sent by the existing form or links and note which paths they use

  • we can also fuzz web directories under the same path, or try different ones, until we get a match

  • To bypass this, start the payload with the accepted directory so the regex is satisfied, then use ../ to traverse back to the root

Appended Extension

  • Some web apps append an extension to our input string before including it, so a traversal payload pointing at a file without that extension will not resolve as-is
