## https://sploitus.com/exploit?id=4CAB4028-4A86-5089-BE93-2F228715665F
# PortSwigger Lab: File Path Traversal (Non-Recursive Strip Bypass)
This repository contains a Python script designed to solve the third PortSwigger Web Security Academy lab on Directory Traversal: **File path traversal, traversal sequences stripped non-recursively**.
## Understanding the Vulnerability
In an attempt to prevent directory traversal, developers will sometimes implement filters that search for and remove dangerous sequences like `../` from user input.
However, if this sanitization process is implemented **non-recursively** (meaning it only makes a single pass over the string to remove the characters), it can be easily bypassed using nested traversal sequences.
### How it Works
When a defense mechanism simply uses a basic replace function (e.g., `input.replace("../", "")`), an attacker can craft a payload where the removal of the filtered string actually *creates* the filtered string.
If the attacker sends `....//`:
1. The filter detects the inner `../` and strips it out.
2. The remaining characters (`..` and `/`) collapse together.
3. The resulting string evaluates to a fresh, valid `../`.
By requesting `/image?filename=....//....//....//etc/passwd`, the server strips out the nested sequences, inadvertently transforming the input into `../../../etc/passwd`, allowing the attacker to traverse the file system.
---
## How the Exploit Script Works
This script automates the nested sequence bypass. Here is a breakdown of its core components:
* **Proxy Configuration:** Traffic is routed through `http://127.0.0.1:8080`, allowing for easy request interception and debugging in Burp Suite.
* **SSL Warning Suppression:** `urllib3.disable_warnings()` keeps the terminal output clean by hiding insecure request warnings caused by the local proxy.
* **The Payload:** The `exploit(url)` function crafts the malicious URL by appending `/image?filename=....//....//....//etc/passwd`. The nested sequences `....//` successfully bypass the server's single-pass sanitization filter.
* **Verification:** The script sends a GET request and searches the response text for `root:x`. If this string is found, it confirms the `/etc/passwd` file was successfully retrieved.
---
## Usage
### Prerequisites
* Python 3.x
* `requests` library (`pip install requests`)
* An active PortSwigger Web Security Academy lab instance.
### Running the Script
Pass the base URL of your active PortSwigger lab as a command-line argument. Do not include a trailing slash.
**Syntax:**
```bash
python exploit.py