ディレクトリトラバーサル チートシート

ディレクトリトラバーサル（パストラバーサル）の脆弱性があるウェブサイトでは、非公開のファイルが外部へ漏洩するおそれがあります。
ログイン後のページにこの脆弱性がある場合は、攻撃者がアカウントを取得する必要があるため、ツールなどによる無差別な攻撃で検出される危険性は低くなります。ただし検出されにくいだけで、脆弱性そのものの深刻度が下がるわけではありません。

ブラウザからファイル名をウェブサーバーが取得して、指定されたファイルをブラウザに返したり、情報を表示する機能があったとします。
この時、サーバーへ渡すファイル名を攻撃者が改ざんすることで、非公開のファイルへアクセスできてしまう場合があります。
アクセスできるファイルはウェブサーバープロセスの実行権限によって制限されますが、重要なファイルへアクセスされた場合は重大なインシデントになります。

下記は、この脆弱性によって取得される可能性がある一般的なファイル名の一覧です。

対策としては、ブラウザから受け取るファイル名の文字チェックをサーバー側で適切に行い、../ や ..\ を受け付けないなどのチェック処理を行います。ただし、これらの文字列を拒否するだけではURLエンコードなどで回避されるおそれがあるため、パスを正規化したうえで許可されたディレクトリ配下であることを検証する、あるいはファイル名を直接受け取らずIDから固定のファイルに対応付ける方法がより確実です。

Linux系のディレクトリトラバーサルで取得するファイル候補リストです。
/.atfp_history
/.bash_history
/.bash_logout
/.bash_profile
/.bashrc
/.gtkrc
/.login
/.logout
/.mysql_history
/.nano_history
/.php_history
/.profile
/.ssh/authorized_keys
/.ssh/id_dsa.pub
/.ssh/id_dsa
/.ssh/id_rsa.pub
/.ssh/id_rsa
/.ssh/identity.pub
/.ssh/identity
/.viminfo
/.wm_style
/.Xdefaults
/.xinitrc
/.Xresources
/.xsession
/etc/aliases
/etc/anacrontab
/etc/apache/apache.conf
/etc/apache/httpd.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-available/default
/etc/apache2/vhosts.d/default_vhost.include
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/group
/etc/groups
/etc/grub.conf
/etc/hosts.allow
/etc/hosts.deny
/etc/hosts
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/init.d/apache
/etc/init.d/apache2
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/modules.conf
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/passwd
/etc/php.ini
/etc/php/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/cgi/php.ini
/etc/php/php.ini
/etc/php/php4/php.ini
/etc/php4.4/fcgi/php.ini
/etc/php4/apache/php.ini
/etc/php4/apache2/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache/php.ini
/etc/php5/apache2/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/security/environ
/etc/security/group
/etc/security/limits
/etc/security/passwd
/etc/security/user
/etc/shadow
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/sshd_config
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/home/apache/conf/httpd.conf
/home/apache/httpd.conf
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/apache/conf/httpd.conf
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cmdline
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/sched_debug
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/proc/self/environ
/proc/self/net/arp
/proc/stat
/proc/swaps
/proc/version
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/lib/security/mkuser.default
/usr/local/apache/audit_log
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache2/conf/httpd.conf
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php/httpd.conf.ini
/usr/local/php/httpd.conf
/usr/local/php/lib/php.ini
/usr/local/php/lib/php.ini
/usr/local/php4/httpd.conf.php
/usr/local/php4/httpd.conf
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf.php
/usr/local/php5/httpd.conf
/usr/local/php5/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/apache2/config.inc
/var/cpanel/cpanel.config
/var/htmp
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/apache/access_log
/var/log/apache/error_log
/var/log/apache2/access_log
/var/log/apache2/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/auth.log
/var/log/boot
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog
/var/log/exim.paniclog
/var/log/exim/mainlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/ftplog
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl_log
/var/log/httpsd/ssl.access_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/mail.warn
/var/log/maillog
/var/log/message
/var/log/messages
/var/log/sshd.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql-slow.log
/var/log/mysql/mysql.log
/var/log/mysqlderror.log
/var/log/proftpd
/var/log/pure-ftpd/pure-ftpd.log
/var/log/pureftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/secrets/kubernetes.io/serviceaccount
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/var/www/logs/error_log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa.pub
~/.ssh/id_dsa
~/.ssh/id_rsa.pub
~/.ssh/id_rsa
~/.ssh/identity.pub
~/.ssh/identity
~/.ssh/known_hosts
~/.ssh/id_rsa.keystore
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
Windows系のディレクトリトラバーサルで取得するファイル候補リストです。
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/Documents and Settings/Administrator/NTUser.dat
c:/inetpub/logs/logfiles
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php/php.ini
C:/php4/php.ini
C:/php5/php.ini
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
C:/Users/Administrator/NTUser.dat
C:/Windows/debug/NetSetup.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/security
C:/Windows/repair/software
C:/Windows/repair/system
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/software
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log