Penetration Testing mailing list archives
info on dir traversal techniques, any?
From: Chan Fook Sheng <chanfooksheng () pacific net sg>
Date: Mon, 03 May 2004 19:16:32 +0800
Hiam doing some security audit for a customer, and i come across a web application that accept a GET request with a parameter that I believe is a filename on the filesystem of the web server.
I am trying to get the application to display any files on the filesystem. I have ried appending %00 etc.. but to no avail.
Anyone knows of more techniques to try?How can one determine whether a web application is opening files for read, hence making it possible for directory traversal attack?
fs ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- info on dir traversal techniques, any? Chan Fook Sheng (May 03)
- Re: info on dir traversal techniques, any? H D Moore (May 04)
- Re: info on dir traversal techniques, any? Chan Fook Sheng (May 06)
- Re: info on dir traversal techniques, any? H D Moore (May 04)