Path Traversal vulnerability in Cab Booking Script (PHP-Script-Mall): [CVE-2019-9064]

Vulnerability Description: The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

How to Exploit:

1. Go to the site (
↓ ↓ ↓ ↓

2. Open Burp Suite, then intercept and spider the data.
↓ ↓ ↓ ↓

3. Now use the Burp search option and search for jpg or png.
↡ ↡ ↡ ↡

4. Now pick any link and select "Show response in browser".
↡ ↡ ↡ ↡

5. Then delete the last part of the URL [after the last forward slash] (
↡ ↡ ↡ ↡

6. You will get the full file list (directory listing).
↡ ↡ ↡ ↡
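
A defensive check for the exposure shown in steps 3 to 6, as an added example (not code from the original post or from the vendor): it walks a document root on disk and reports directories that hold images but no index file. The index file names, the sample tree and the function names are assumptions; whether a listing is actually served also depends on the web server's auto-index setting.

```python
import os
import tempfile

# Assumed index names; match these to the server's own index setting.
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png"}


def find_listable_dirs(web_root, index_names=INDEX_NAMES):
    """Return (relative_dir, image_count, other_count) for every directory
    under web_root that holds images but no index file, i.e. a directory
    whose URL would show a file listing if auto-indexing is enabled."""
    findings = []
    for current, dirs, files in os.walk(web_root):
        dirs.sort()  # deterministic traversal order
        lowered = {name.lower() for name in files}
        if lowered & set(index_names):
            continue  # an index file is served instead of a listing
        images = [f for f in files if os.path.splitext(f)[1].lower() in IMAGE_EXTS]
        if not images:
            continue  # no image URL points into this directory (steps 3 to 5)
        rel = os.path.relpath(current, web_root)
        findings.append((rel.replace(os.sep, "/"), len(images), len(files) - len(images)))
    return findings


def build_sample_root(base):
    """Constructed sample tree standing in for a real document root."""
    layout = {
        "index.php": "",
        "uploads/cars/cab1.jpg": "",
        "uploads/cars/cab2.png": "",
        "uploads/cars/db_backup.sql": "",   # non-image file a listing would reveal
        "assets/img/logo.png": "",
        "assets/img/index.html": "",        # blank index suppresses the listing
    }
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, n_img, n_other in find_listable_dirs(build_sample_root(tmp)):
            print(f"{rel}/: {n_img} image(s), {n_other} other file(s), no index file")
```

Directories it reports are candidates for disabling auto-indexing at the server or moving non-public files out of the web root.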

