Given input:
-page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd
....// in many URL parsers or path normalization functions (especially on older or misconfigured systems) collapses to ../ because:
So the effective path becomes:
-page-../../../etc/passwd
If the web application does something like:
/var/www/html/page- + user input + .html
Then the attacker might inject ../../../etc/passwd to read system files.
The attacker used -2F instead of %2F (standard URL encoding) or / directly. This could be: -page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd
Similar bypasses include:
On Unix/Linux systems, /etc/passwd traditionally stored user account info (username, UID, GID, home dir, shell).
Modern systems store passwords in /etc/shadow, but /etc/passwd still reveals:
Even without passwords, it is a proof-of-concept file for path traversal vulnerabilities.
A vulnerable PHP endpoint might contain: Given input: -page-
$page = $_GET['page'];
include("/var/www/html/" . $page);
An attacker submits ?page=....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd. After URL decoding, the server builds:
/var/www/html/../../../../etc/passwd → normalized to /etc/passwd.
Successful exploitation exposes sensitive system files (e.g., /etc/passwd, /etc/shadow, application config files). Combined with other flaws, it can lead to remote code execution.
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Attackers use sequences like ../ to move up directories and access files outside the web root. So the effective path becomes:
-page-
Example vulnerable code (PHP):
$page = $_GET['page'];
include("/var/www/pages/" . $page . ".php");
If page=../../../etc/passwd%00 (null byte injection in older PHP), the server might read /etc/passwd.
The observed payload is:
-page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd
The -page- suggests a parameter name or delimiter, while each .. escapes one directory level. The final target is /etc/passwd (a Unix file listing user accounts).