The path to the file can either be relative (../../../etc) or in some more rare cases absolute (c:/windows/boot.ini). Additionally, these requests might be base64 or ROT13 encoded or sometimes encrypted. Neither is a stop get.
You might think language parameters are an odd location for directory traversal, but after talking with my co-workers*, they reminded be about dynamic file modification. Some frameworks use parameters (such as language) to prefix a directory to the request or alter the file name for the appropriate language. Ergo:
could turn into:
File.Open('/' + language '/' + some-file);
File.Open('/' + language + '.' + some-file);
If that is true, you can alter the root of a request, then use terminators to kill off the rest of what gets appended (null chars ftw) such as:
Language, template/skin name, or occasionally environment type variables (such as location=PROD, DEBUG, etc...). Anything that might be prefixed to a file name or directory to search is fair-game for that.
If you are attempting to take over the server, you should be looking to steal resources which would help you with that (such as the passwd & sam files). If you are attempting to do an involuntary code review, you should steal the source code from the pages you are looking at. There are occasionally hard coded credentials source, but application configuration files are often gold for credentials. I've found database, admin users, SMTP credentials and FTP users this way.
- Most operating systems support the use of environment variables/shortcuts for locations such as %home% or ~. This is useful to remember if there are protections against using a period or two successive periods.
- When dynamic features serve files, they often violate other protections. In IIS for instance various extensions cannot be served by the server (.config files for instance). However in most directory traversals you can pull the web.config file out w/o many problems.
- User controlled uploads often get served dynamically because there isn't a way for the server to know before-hand what the files are. You can sometimes find directory traversal here by uploading files with weird path's in their names (or renaming them after upload).
- Developers sometimes leave clues to file's physical locations in comments. I once downloaded a source for an entire site because of this.
- Image / gallery plugins for CMS's are notorious for directory traversal.
- Error messages are your friend here. If you get a system/application error instead of a file not found type error, you can at least use the mechanism to check for existence of files.
* Thanks DC & AJ