Re: info on dir traversal techniques, any?

[H D Moore <sflist () digitaloffense net>]

On Monday 03 May 2004 06:16, Chan Fook Sheng wrote:
> I am trying to get the application to display any files on the
> filesystem. I have ried appending %00 etc.. but to no avail.
> Anyone knows of more techniques to try?

For ASP scripts that pass user input directly into the FileSystemObject, 
you can use unicode tricks to perform a directory traversal. This nice 
thing about this attack is that there is no easy defense in the ASP 
language; Microsoft's own "secure" ShowCode.asp was vulnerable to this 
type of flaw. A sample traversal would look like:

somebustedcode.asp?mahfile=%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afboot.ini

> How can one  determine whether a web application is opening files for
> read, hence making it possible for directory traversal attack?

Try passing a variety of invalid names and look for a difference in the 
returned error message. Using file names with reserved device names may 
return a non-standard response, same goes for files which contain bytes 
that are illegal in a file name...

-HD


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------