-page-....-2f-2f....-2f-2f....-2f-2fetc-2fpasswd Jun 2026
An attacker submits ?page=....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd. After URL decoding, the server builds: /var/www/html/../../../../etc/passwd → normalized to /etc/passwd.
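The resolution described above, next to a containment check that stops it, as an added example that is not code from the original page. It assumes "-2F" on this page stands for the URL-encoded slash "%2F" and that the server's filter removes "../" in a single pass; the function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

BASE = "/var/www/html"  # web root from the page's example
# The page's payload, written with %2F (assumption: "-2F" is a slugified "%2F").
PAYLOAD = "....%2F%2F....%2F%2F....%2F%2Fetc%2Fpasswd"


def naive_resolve(page_param: str) -> str:
    """Assumed weak handler: strip '../' once, then join to the web root."""
    decoded = unquote(page_param)
    # Single, non-recursive pass: each '....//' collapses to '../'.
    filtered = decoded.replace("../", "")
    return posixpath.normpath(posixpath.join(BASE, filtered))


def safe_resolve(page_param: str) -> str:
    """Canonicalize first, then require the result to stay under BASE."""
    decoded = unquote(page_param)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # normpath is purely lexical, which keeps this example offline; on a real
    # filesystem use os.path.realpath so symlinks are resolved as well.
    candidate = posixpath.normpath(posixpath.join(BASE, decoded))
    if candidate != BASE and not candidate.startswith(BASE + "/"):
        raise ValueError("path escapes web root: " + candidate)
    return candidate


def is_rejected(page_param: str) -> bool:
    """True when safe_resolve refuses the parameter."""
    try:
        safe_resolve(page_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive:", naive_resolve(PAYLOAD))
    print("safe :", safe_resolve(PAYLOAD))
    print("plain traversal rejected:", is_rejected("..%2F..%2F..%2Fetc%2Fpasswd"))
```

With no filter rewriting the input, "...." is only an unusual directory name, so the same payload stays inside the web root; the check is made on the final canonical path rather than on the raw string.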
Running a web application in a chroot jail can significantly limit the damage by restricting file system access to a specific directory.
The string provided, ....-2F-2Fetc-2Fpasswd, is a masked version of a file path.
This is a standard Linux system file that contains user account information (usernames, IDs, home directories). It is a classic target used to prove a server is vulnerable. (PortSwigger)
How the Attack Works
Successful exploitation exposes sensitive system files (e.g., /etc/passwd, /etc/shadow, application config files). Combined with other flaws, it can lead to remote code execution.
The general format is:
