Directory Traversal in image gallery functionality
This lab demonstrates a directory traversal vulnerability in an image gallery system. The application constructs image paths by concatenating user input without proper validation, allowing access to files outside the intended directory.
Objective: Access files outside the images directory using directory traversal sequences to view system files or sensitive data.
<?php
// Handle image display request
if (isset($_GET['image'])) {
    $image = $_GET['image'];
    // Vulnerable: no validation of the image path; "../" and "..\" sequences pass straight through
    $image_path = 'images/' . $image;
    if (file_exists($image_path) && is_file($image_path)) {
        // Display image (the unvalidated path is also echoed into the HTML unescaped)
        echo '<img src="' . $image_path . '">';
    } else {
        // Error: Image not found
        echo 'Image not found';
    }
}
// Example vulnerable usage:
// ?image=photo1.jpg
// ?image=../../../etc/passwd
// ?image=..\..\..\windows\system32\drivers\etc\hosts
Try these payloads in the image parameter:
- ../../../etc/passwd - Linux system file
- ..\..\..\windows\system32\drivers\etc\hosts - Windows system file
- ../../../etc/hosts - Linux hosts file
- ../../../proc/version - Linux system info
- ../../../etc/shadow - Linux password file

Example URLs:
- 2.php?image=../../../etc/passwd
- 2.php?image=..\..\..\windows\system32\drivers\etc\hosts
Fix hint: use basename() to extract the filename only, so any directory components (including ../ and ..\ sequences) are discarded before the path is built.
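The following is an added example of a hardened version of the handler above; it is not the lab's own code. It applies the basename() hint, then adds an extension allow-list and a realpath() containment check so that a symlink inside images/ cannot point outside the directory either. It assumes the gallery lives in ./images next to the script; the function name resolve_image_path and the CLI self-check inputs are constructed for this example.

```php
<?php
// Added example (not the lab's own code): hardened image handler.
// Assumes the images live in ./images relative to this script.

/**
 * Resolve a user-supplied image name to an absolute path inside $baseDir.
 * Returns null if the request would escape the directory, the name does not
 * look like a gallery image, or the file does not exist.
 */
function resolve_image_path(string $baseDir, string $userInput): ?string
{
    // 1. Keep only the final path component: "../../../etc/passwd" -> "passwd".
    //    Normalise backslashes first so Windows-style traversal ("..\..\")
    //    is also reduced to a bare filename on Linux hosts.
    $name = basename(str_replace('\\', '/', $userInput));

    // 2. Allow-list the characters and extensions expected for gallery images.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$/i', $name)) {
        return null;
    }

    // 3. Canonicalise both sides and verify containment. realpath() returns
    //    false for non-existent files and resolves symlinks, so a symlink in
    //    images/ that points outside the directory is rejected as well.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Web entry point: same ?image= parameter as the vulnerable lab code.
if (PHP_SAPI !== 'cli' && isset($_GET['image'])) {
    $path = resolve_image_path(__DIR__ . '/images', $_GET['image']);
    if ($path === null) {
        http_response_code(404);
        echo 'Image not found';
    } else {
        // Build the src from the validated filename, HTML-escaped; never echo raw user input.
        echo '<img src="images/' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8') . '">';
    }
}

// CLI self-check with constructed inputs (needs an images/ directory containing photo1.jpg).
if (PHP_SAPI === 'cli') {
    $base = __DIR__ . '/images';
    $inputs = [
        'photo1.jpg',                                   // legitimate image
        '../../../etc/passwd',                          // Linux traversal from the lab
        '..\..\..\windows\system32\drivers\etc\hosts',  // Windows traversal from the lab
        'photo1.jpg%00',                                // stray encoded null byte, fails the allow-list
    ];
    foreach ($inputs as $in) {
        $out = resolve_image_path($base, $in);
        printf("%-48s -> %s\n", $in, $out ?? 'rejected');
    }
}
```

Run it from the command line (php hardened.php) to see each of the lab's payloads reduced to a bare filename and rejected, while photo1.jpg resolves to its canonical path. The three layers are deliberately redundant: basename() alone stops the traversal shown on this page, the allow-list rejects anything that is not an image name, and the realpath() prefix check is the defence that still holds if an attacker controls a file or symlink inside images/.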