Directory Traversal 03

This exercise is one of our challenges on Directory Traversal

< 1 Hr.


This example is based on a common problem when exploiting directory traversal: the server-side code adds its own suffix to your payload. This can be easily bypassed by using a NULL BYTE, which you need to URL-encode as `%00`. Using NULL BYTE to get rid of any suffix added by the server-side code is a common bypass and works very well in Perl and older versions of PHP.

In the provided code, the issue is simulated because PHP has had this type of bypass bug solved since version [5.3.4]( The video walkthrough covers a source code review of the exercise, showing how the server concatenates user input with a fixed value and a suffix. By injecting a NULL BYTE, attackers can bypass the suffix restriction and access arbitrary files.

Want to learn more? Get started with PentesterLab Pro! GO PRO