Vulnerability Development mailing list archives
iis 5 %00 null weirdness
From: "wirepair" <wirepair () roguemail net>
Date: Thu, 11 Dec 2003 11:15:38 -0800
lo all,

While playing with IIS I was messing around with the old school webhits vuln; I tried injecting some null characters to see how it would respond. To my surprise I all of a sudden got the web page I requested (not the source, just the page). But the images were all broken. This obviously piqued my interest, so I viewed the info of the page. When requesting an asp page (or aspx), such as

http://iisserver/iisstart.asp%00/%00/%00/

you'll notice the image file now contains the path:

http://iisserver/iisstart.asp%00/%00/%00/pagerror.gif

Any link from the asp page requested will have the null bytes injected into its path. It isn't just nulls either; you can basically (after the first one) inject any string:

http://iisserver/iisstart.asp%00/%2e%2e/

Shows the broken image as having the path:

http://iisserver/iisstart.asp%00/%2e%2e/pagerror.gif

Now I assume this isn't normal behaviour, but my questions are:
A. Why is this happening? and
B. Is there any way we can take advantage of this?

I tried the obvious stuff like moving the pagerror.gif outside the webroot, and it still showed up as a broken image, so I assume the %00 is causing the %2e%2e to not *actually* break the web root.

Any thoughts folks?

-wire

Everyone has a plan until they get hit.
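Added example, not part of wirepair's message: a small Python check that flags request URLs of the shape quoted above (an .asp/.aspx resource followed by an encoded NUL and extra path text) and shows what a relative reference resolves to against them under RFC 3986 rules as implemented by Python's urljoin. It assumes the page references the image with the relative URL pagerror.gif; the function names and the plain control URL are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# An .asp/.aspx resource, then an encoded NUL, then whatever was appended.
NUL_AFTER_SCRIPT = re.compile(
    r"^(?P<script>/.*?\.aspx?)(?P<tail>%00.*)$", re.IGNORECASE
)

def inspect(url, relative_ref="pagerror.gif"):
    """Describe one request URL; relative_ref is an assumed page link."""
    path = urlsplit(url).path  # percent-escapes are left undecoded
    m = NUL_AFTER_SCRIPT.match(path)
    return {
        "flagged": m is not None,
        "script": m.group("script") if m else path,
        "tail": m.group("tail") if m else "",
        # Reference resolution: everything after the last "/" of the
        # request URL is dropped and the relative reference is appended.
        # "%2e%2e" is not a literal ".." here, so it is not collapsed.
        "resolved": urljoin(url, relative_ref),
    }

def flagged_urls(urls):
    """Return the URLs worth a closer look in a request log."""
    return [u for u in urls if inspect(u)["flagged"]]

# Constructed sample: the two URLs quoted in the post plus a plain request.
SAMPLE_URLS = [
    "http://iisserver/iisstart.asp%00/%00/%00/",
    "http://iisserver/iisstart.asp%00/%2e%2e/",
    "http://iisserver/iisstart.asp",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        info = inspect(url)
        print(url)
        print("  flagged :", info["flagged"])
        print("  script  :", info["script"])
        print("  tail    :", info["tail"])
        print("  resolved:", info["resolved"])
```

The resolved values for the first two URLs match the broken image paths reported in the message, while the plain request resolves to the image in the web root.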