In the design of web functions, we often define the files that need to be accessed as variables, so that the front-end functions can be more flexible.
When the user initiates a front-end request, the value of the requested file (such as the file name) will be passed to the background, and the corresponding file will be executed in the background.
During this process, if the background does not have strict security considerations for the values passed in from the front end, the attacker may use ".../" to make the background open or execute some other files.
As a result, the file results of other directories on the background server are traversed, forming a directory traversal vulnerability.
Seeing this, you may think that directory traversal vulnerabilities and unsafe file downloads, or even file inclusion vulnerabilities have similar meanings. Yes, the main reason for the formation of directory traversal vulnerabilities is the same as the two, both in functional design It is caused by passing the file to be operated to the background by using variables without strict security considerations, but the phenomenon displayed in the position where it appears is different. Therefore, it is still defined here separately.
What needs to be distinguished is that if you list all the files in the doc folder through a url without parameters (for example: http://xxxx/doc), in this case, we become a leak of sensitive information. It is not classified as a directory traversal vulnerability. (You can learn more about sensitive information leakage in "i can see you ABC")
You can learn more about the vulnerability through the test column corresponding to "…/…/".
directory traversal
http://192.168.80.139/pikachu/vul/dir/dir_list.php?title=../../../../1.php
