Hint for Waldo

@Laur said:
I can’t get over the initial step. So I am using ZAP proxy to meddle with the POST requests but all I can get is a list of files in the html/ directory and there are no user.txt files there that everybody is talking about. So how am I supposed to use the fileRead.php and to read what? Also I can’t traverse beyond the parent directory. I appreciate any tips on how to get past this.

Yes you can. What helped me is writing down what the script is looking for and removing. Remember, it only removes certain parts.
How to Bypassing Filter to Traversal Attacks ? | Hacking & Tricks has some good tips for this part.

Also, Burp Suite is very useful for this over ZAP.
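
From the defender's side of the filter discussed in this thread, an added example (not part of the posts above and not the challenge's fileRead.php): a file-read helper that resolves the requested path first and then checks that it stays inside the base directory, rather than deleting substrings from the input. The name safe_read(), the directory layout and the sample requests are constructed for illustration.

```php
<?php
// Hypothetical hardened file-read helper: canonicalize, then check containment.
function safe_read(string $requested, string $baseDir): string
{
    // A NUL byte is never part of a legitimate file name.
    if (strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('invalid path');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // realpath() collapses ".", "..", repeated slashes and symlinks,
    // and returns false when the target does not exist.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($resolved === false || !is_file($resolved)) {
        throw new RuntimeException('not found');
    }
    // Compare against "$base/" so a sibling such as "files-old" cannot match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('outside base directory');
    }
    $data = file_get_contents($resolved);
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}

// Constructed demo tree: one file inside the base directory, one outside it.
$root = sys_get_temp_dir() . '/fr_demo_' . bin2hex(random_bytes(4));
mkdir("$root/files", 0700, true);
file_put_contents("$root/files/notes.txt", "inside\n");
file_put_contents("$root/secret.txt", "outside\n");

foreach (['notes.txt', './notes.txt', '../secret.txt', 'missing.txt'] as $req) {
    try {
        echo str_pad($req, 16), ' => ', trim(safe_read($req, "$root/files")), "\n";
    } catch (Exception $e) {
        echo str_pad($req, 16), ' => rejected: ', $e->getMessage(), "\n";
    }
}

// Remove the demo tree.
unlink("$root/files/notes.txt");
unlink("$root/secret.txt");
rmdir("$root/files");
rmdir($root);
```

Because the decision is made on the resolved path, it does not depend on which substrings a filter remembers to remove.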