https://blog.s4yhii.com/tags/lfi/ Recent content in Lfi on s4yhii's blog https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E https://blog.s4yhii.com/%3Clink%20or%20path%20of%20image%20for%20opengraph,%20twitter-cards%3E Hugo -- 0.155.3 en-us Tue, 10 May 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-05-10-directory-path-traversal/ Tue, 10 May 2022 12:00:00 -0400 https://blog.s4yhii.com/posts/2022-05-10-directory-path-traversal/ <p>Also known as file path traversal allows to read arbitrary files on the servers. in some cases an attacker might be able to write arbitrary files on the server, allowing them to modify application data or behavior.</p> <h1 id="reading-arbitrary-files-via-directory-traversal">Reading arbitrary files via directory traversal</h1> <p>We can use the <code>..</code> characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.</p> <p>For example the url takes a filename parameter and returns the content of the file, the aplicaciones appends the requested filename to this base directort and uses an API to read the contents, so the application implements no defenses against directory traversal attacks,so an attacker can request the following URL to retrieve an arbitrary file from the server&rsquo;s filesystem:</p>