Penetration Testing mailing list archives

Re: LFI with limitation


From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Sun, 23 May 2010 11:42:00 +0630

I've tried all. All such encoding attacks are blocked by mod_security
or some firewalls, issuing a Not Acceptable message.

On Sat, May 22, 2010 at 4:47 AM, Ulisses Castro <uss.thebug () gmail com> wrote:
%2500 ? %252500?

my two cents,

Ulisses Castro

On Fri, May 21, 2010 at 7:00 AM, Jacky Jack <jacksonsmth698 () gmail com>
wrote:

Hi

A URL is vulnerable to LFI but it's removing/stripping the null character.


So, are there any ways to bypass it?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



