Penetration Testing mailing list archives
Re: info on dir traversal techniques, any?
From: Chan Fook Sheng <chanfooksheng () pacific net sg>
Date: Thu, 06 May 2004 15:44:56 +0800
I assume you are using Unicode UTF-8, right? I tried http://client/file.asp?File=../../../../../../../../../winnt/system32/vga.drv system.drv
but I still got a normal page, but no content in the main frame. I use Paros proxy, and I can't see any error pages in the HTTP response at all; all requests are responded to by HTTP 200 OK.
It seems to me there is no sure way to know if they are using FileSystemObject or not, am I right? What I can do is to try all possible techniques, and if there are no positive results, I should look for something more interesting, am I right to say that?
"files which contain bytes that are illegal in a file name" care to quote some examples?

H D Moore wrote:
> On Monday 03 May 2004 06:16, Chan Fook Sheng wrote:
> > I am trying to get the application to display any files on the filesystem. I have tried appending %00 etc.. but to no avail. Anyone knows of more techniques to try?
>
> For ASP scripts that pass user input directly into the FileSystemObject, you can use unicode tricks to perform a directory traversal. The nice thing about this attack is that there is no easy defense in the ASP language; Microsoft's own "secure" ShowCode.asp was vulnerable to this type of flaw. A sample traversal would look like:
>
> somebustedcode.asp?mahfile=%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afboot.ini
>
> > How can one determine whether a web application is opening files for read, hence making it possible for directory traversal attack?
>
> Try passing a variety of invalid names and look for a difference in the returned error message. Using file names with reserved device names may return a non-standard response, same goes for files which contain bytes that are illegal in a file name...
>
> -HD

------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
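The thread shows the overlong-UTF-8 form of `../` but not why it works or how to defend against it. The Python below is an added example, not code from either poster: a permissive decoder turns HD Moore's sample into `../`, while strict UTF-8 decoding plus a canonical-path check keeps a `File=` parameter under an assumed web root. `WEBROOT` and all file names are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed: the only directory the page-serving script may read from.
WEBROOT = "/var/www/docs"

def lenient_decode(raw: bytes) -> str:
    """Decode like a permissive UTF-8 decoder that accepts overlong 2-byte
    forms, so C0 AE becomes '.' and C0 AF becomes '/'. This models the
    behaviour that makes the traversal in the thread work; it is NOT safe."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b & 0xE0 == 0xC0 and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))          # ASCII, or Latin-1 fallback for stray bytes
            i += 1
    return "".join(out)

def check_file_param(param: str) -> tuple:
    """Validate a File= parameter: strict UTF-8, no NUL, path stays under WEBROOT.
    Returns (ok, resolved_path) or (False, reason)."""
    raw = unquote_to_bytes(param)
    try:
        name = raw.decode("utf-8")      # strict: overlong forms like C0 AE are rejected
    except UnicodeDecodeError:
        return (False, "invalid or overlong UTF-8 in file name")
    if "\x00" in name:                  # the %00 truncation trick mentioned in the thread
        return (False, "NUL byte in file name")
    full = posixpath.normpath(posixpath.join(WEBROOT, name))
    if posixpath.commonpath([WEBROOT, full]) != WEBROOT:
        return (False, "path escapes web root: " + full)
    return (True, full)

if __name__ == "__main__":
    payload = "%c0%ae%c0%ae%c0%af" * 5 + "boot.ini"   # encoding from HD Moore's sample
    print(lenient_decode(unquote_to_bytes(payload)))   # permissive decoder yields ../ segments
    for p in (payload, "../../boot.ini", "readme.txt%00.asp", "sub/readme.txt"):
        print(p, "->", check_file_param(p))
```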
Current thread:
- info on dir traversal techniques, any? Chan Fook Sheng (May 03)
- Re: info on dir traversal techniques, any? H D Moore (May 04)
- Re: info on dir traversal techniques, any? Chan Fook Sheng (May 06)
- Re: info on dir traversal techniques, any? H D Moore (May 04)