Fw: [WEB SECURITY] ../ filtered

gaz Heyes gazheyes at gmail.com
Tue Feb 16 13:36:53 EST 2010


Try:-
.%E2%80%A9./
.%E2%80%A8./

Or maybe:-
*http://tinyurl.com/ycdkvqu*

On 16 February 2010 14:26, Beatriz Duran <beatrizdrn at yahoo.com> wrote:

>
>
> Sure I did, but the only presence of ".." is blocked;
>
>
>
>
>
> I Have Learned So much from God That I can no longer Call Myself A
> Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much
> of Itself With me That I can no longer call myself A man, a woman, and angel
> Or even pure Soul. Love has Befriended Hafiz so completely It has turned to
> ash And freed Me Of every concept and image My mind has ever known. –Hafiz,
> Persian poet (1315 – 1390)
>
>
> ------------------------------
> *From:* Marcin Wielgoszewski <marcinw86 at gmail.com>
>
> *To:* Beatriz Duran <beatrizdrn at yahoo.com>
> *Sent:* Tue, February 16, 2010 7:45:44 AM
> *Subject:* Re: [WEB SECURITY] ../ filtered
>
> Have you tried ....// ?  If it does a simple match and replace on ../, you
> may be able to smuggle it through that way.
>
> -Marcin
>
>
> On Mon, Feb 15, 2010 at 4:22 PM, Beatriz Duran <beatrizdrn at yahoo.com> wrote:
>
>>
>> Chris,
>>
>> Thanks, but the variable takes the data and transforms it in the
>> corresponding text by the 8859-1;
>>
>> ------------------------------
>> *From:* Chris Weber <chris at casabasec.com>
>> *To:* Beatriz Duran <beatrizdrn at yahoo.com>; websecurity at webappsec.org
>> *Sent:* Mon, February 15, 2010 2:07:38 PM
>> *Subject:* RE: [WEB SECURITY] ../ filtered
>>
>>  I know you say they’re using ISO (8859-1 presumably), but there still
>> may be Unicode support internally.  I’d try these variations.
>>
>>
>>
>> Normalization compatibility forms:
>>
>> U+2024 U+2024 U+FF0F
>>
>> %E2 %80 %A4 %E2 %80 %A4 %EF %83 %BF
>>
>> ․․/
>>
>>
>>
>> Best-fit mapping Windows-1252 (similar for ISO-8859-1):
>>
>> U+FF0E U+FF0E U+2215
>>
>> %EF %BC %8E %EF %BC %8E %E2 %88 %95
>>
>> ..∕
>>
>>
>>
>> UTF-8 overlong:
>>
>> U+002E U+002E U+002F
>>
>> %C0 %AE %C0 %AE %C0 %AF
>>
>> ../
>>
>>
>>
>>
>>
>> -Chris Weber
>>
>>
>>
>> *From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
>> *Sent:* Sunday, February 14, 2010 11:43 PM
>> *To:* websecurity at webappsec.org
>> *Subject:* [WEB SECURITY] ../ filtered
>>
>>
>>
>> Hi, I need to find a vulnerability in a URL that could be exploited for
>> directory traversal and LFI; the page is working with PHP but it is
>> filtering /../ and also /%2e%2e/, because the page is using ISO for Latin
>> characters I can't use Unicode extended because it reinterprets with other
>> values; is there another way to work around the filter?
>>
>>
>>
>>
>
>
>
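A defender's view of the variants listed in this thread, as an added example that is not part of the original messages: a strip-once blacklist for `../` can be turned into a traversal by its own rewriting, while decoding once, allowlisting characters and checking the canonical path rejects every form mentioned above. The sketch is in Python for illustration (the application in the thread is PHP); `BASE_DIR`, `naive_filter` and `resolve_safely` are hypothetical names.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

BASE_DIR = "/var/www/app/pages"            # hypothetical include directory
ALLOWED = re.compile(r"[A-Za-z0-9._/-]+")  # ASCII allowlist for path parameters


def naive_filter(value: str) -> str:
    """Blacklist style discussed in the thread: delete '../' in one pass."""
    return value.replace("../", "")


def resolve_safely(raw_param: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path inside base_dir, or None to reject the request."""
    raw = unquote_to_bytes(raw_param)      # percent-decode exactly once
    try:
        # Strict UTF-8 refuses overlong encodings such as C0 AE / C0 AF.
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    # Reject instead of rewriting: look-alike dots and slashes (U+2024, U+FF0E,
    # U+FF0F, U+2215), separators U+2028/U+2029, NUL, backslashes and a leftover
    # '%' from double encoding are all outside the allowlist.
    if not ALLOWED.fullmatch(text):
        return None
    base = os.path.realpath(base_dir)
    # Canonicalise first, then test containment on the resolved path.
    candidate = os.path.realpath(os.path.join(base, text.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs taken from the forms quoted in the thread.
    samples = [
        "help/index.php",
        "%2e%2e/%2e%2e/etc/passwd",
        "%C0%AE%C0%AE%C0%AFetc/passwd",
        "%E2%80%A4%E2%80%A4%EF%BC%8Fetc/passwd",
        ".%E2%80%A9./",
        naive_filter("....//....//etc/passwd"),
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_safely(s)}")
```

The check only holds if the file API is given the returned canonical path rather than the original parameter.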