WebGoat (A1) Injection Path traversal (directory traversal / path traversal)

Table of Contents

1. A joyous breakthrough

Page 2

Page 3

Page 4

Page 5

2. Simple mind map


1. A joyous breakthrough

Page 2

This level requires uploading a file into the directory C:\Users\Administrator\.webgoat-8.1.0\PathTraversal.

The upload point is the round avatar, which is meant for uploading the user's profile picture. I grabbed a handsome photo of Xiaobai from Baidu Images and uploaded it to see what would happen.

As the figure above shows, the uploaded file is named after the value of Full Name and is stored in the folder C:\Users\Administrator\.webgoat-8.1.0\PathTraversal\fancyele, which is one directory level (fancyele) deeper than our target path.

So try changing Full Name to ../xiaobai.jpeg and clicking Update; the picture is then written into the parent folder PathTraversal.

Page 3

The requirement for this level is the same as for the previous one: a file must be uploaded into the directory C:\Users\Administrator\.webgoat-8.1.0\PathTraversal.

But the hint says that ../ will be removed.

Seeing that it is removed, I immediately thought of a double-write bypass, and built a doubled ../ payload in Full Name: ..././baibai.jpeg

Cleared~

Page 4

Again a file must be uploaded into the directory C:\Users\Administrator\.webgoat-8.1.0\PathTraversal.

But after uploading a few handsome photos in vain at this level (with a different Full Name each time), I found that the file name stored on the server is fixed and has nothing to do with the value of Full Name.

So the vulnerable point in this level may not be Full Name. But after trying to modify Email and Password as well, the file name after upload still remains unchanged. I suspect the vulnerability is not in the visible part of the web page.

In the Burp Suite Proxy module, find the request that submitted this upload and send it to Repeater.

Adding haha in front of the filename value in the request puts haha in front of the file name in the response. So the likely vulnerable point in this level is filename.

Construct the payload: filename="../bjt.jpeg" (or simply prepend ../ to the previous Chinese file name).

Cleared~

Page 5

This level requires finding a file named path-traversal-secret.jpg.

First click the Show random cat picture button and capture the request with Burp Suite.

The captured request looks like the following: the MIME type is script and there are no parameters. Send the captured request to Repeater.

Resend it in Repeater and notice that the Location header in the response carries the parameter id=4.jpg.

As in the figure below, add ?id=1.jpg after random-picture. After sending the request, the server responds 404 Not Found, which shows that it appends .jpg to the id value when looking up the file. So to view the content of 1.jpg you should add ?id=1 after random-picture.

Next, try adding ?id=path-traversal-secret after random-picture.

The result is 400 Bad Request.

Try again with ?id=../path-traversal-secret after random-picture.

400 Bad Request is returned again, this time with a message that the request parameter contains illegal characters.

Change the ../ in the above payload to %2e%2e%2f (the URL encoding of ../).

It still returns 400 Bad Request, but without the illegal-characters message.

Then go up one more directory level: ?id=%2e%2e%2f%2e%2e%2fpath-traversal-secret

Judging from the response, the file we are looking for has been found.

The hint says that the SHA-512 hash of the username is the answer to this level.

Search the Internet for an online SHA-512 tool and hash the username with it.

Fill the result into the input box next to the little flag and submit the secret to pass this level.

2. Simple mind map


Source: blog.csdn.net/elephantxiang/article/details/114417537