pikachu vulnerability lab - ../../ (directory traversal)

Directory traversal, also called path traversal, is a security vulnerability caused by insufficient validation of user-supplied file names by the web server or web application. By using certain special characters, an attacker can bypass the server's security restrictions, access arbitrary files (including files outside the web root directory), and even execute system commands.

Principle: The program does not fully filter directory jump characters such as ../ entered by users, so a malicious user can traverse arbitrary files on the server by submitting directory jump sequences.

For example: http://www.***.com/index.php?file=image.jpg

When the server processes the submitted file name image.jpg, the web application automatically prepends the full path, such as "d://site/images/image.jpg", and returns the content it reads to the visitor.

If the program's validation of the file name is insufficient, an attacker can supply a file name such as ../../../etc/passwd and gain access to files that should not be readable.

Environment (cause) in which the vulnerability occurs: the web application provides file downloads, and the files are stored on the server. The site's script uses code to obtain files from the site's directories and display them in the web interface. If that code performs no relevant security validation, the result is a file and directory disclosure vulnerability.


../../ (directory traversal)

Clicking either of the two blue links displays different content.

The corresponding URL also changes.

According to the principle of directory traversal, an attacker mainly uses ../ to move up to the parent directory, which can expose every directory on the server.

Let's first try adding the parent-directory sequence ../ to the title variable (similar to a file inclusion vulnerability).

Construct the URL as follows:

http://2xxx6/vul/dir/dir_list.php?title=../../../../../../../../../etc/passwd

 

You can see that the file content is read. The ../ sequences take us up to the root directory, from which the contents of /etc/passwd are read. The vulnerability is exploited successfully.
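An added example, not part of the original post or the pikachu lab's code: a Python sketch of the missing file name check, which canonicalizes the requested name and rejects anything that resolves outside the base directory. The directory layout, file names and function names are constructed for the demonstration.

```python
import os
import tempfile

def naive_path(base_dir, name):
    # Pattern described in the text: the name is appended to the base
    # directory with no check, so "../" climbs out of it.
    return os.path.normpath(os.path.join(base_dir, name))

def safe_path(base_dir, name):
    """Return the canonical path of `name` under `base_dir` or raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath() collapses "../" and resolves symlinks first, so the check
    # is made on the path the OS would actually open.
    target = os.path.realpath(os.path.join(base, name))
    # commonpath() compares whole components; a startswith() test would
    # wrongly accept a sibling directory such as "<base>_private".
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory: %r" % (name,))
    return target

def read_page(base_dir, name):
    with open(safe_path(base_dir, name), encoding="utf-8") as fh:
        return fh.read()

def demo():
    """Serve constructed requests from a throwaway tree; return the outcomes."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        base = os.path.join(root, "site", "pages")   # hypothetical web directory
        private = base + "_private"                  # sibling sharing the prefix
        os.makedirs(base)
        os.makedirs(private)
        files = {os.path.join(base, "a.txt"): "public page",
                 os.path.join(root, "secret.txt"): "outside the web directory",
                 os.path.join(private, "k.txt"): "sibling directory"}
        for path, text in files.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        # Where the unchecked join lands, relative to the temp root.
        outcome["naive"] = os.path.relpath(naive_path(base, "../../secret.txt"), root)
        for name in ("a.txt", "../../secret.txt", "../pages_private/k.txt", "/etc/passwd"):
            try:
                outcome[name] = read_page(base, name)
            except ValueError:
                outcome[name] = "rejected"
    return outcome

if __name__ == "__main__":
    print(demo())
```

The sibling-directory and absolute-path requests are included because a simple string-prefix check or a filter that only strips ../ would let them through.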

 


Origin blog.csdn.net/qq_29977871/article/details/131187782