Bytecod3r bytecod3r
bytecod3r
/ exploit_path_traversals_in_Java_webapps.txt
Created
July 9, 2022 16:21
— forked from harisec/exploit_path_traversals_in_Java_webapps.txt
quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| so, you can read WEB-INF/web.xml. how can you escalate this issue? | |
| [step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml. | |
| use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan): | |
| https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt | |
| with time you can build your own wordlist adding files you've discovered over time. | |
| use Burp Intruder for this, it's perfect for this job. | |
| sort Intruder results by status code so you can see instantly which files were found. |