WebApp Sec mailing list archives
php script, traversal directory problem for file disclosure
From: "bermejator.com Messenger" <msn () bermejator com>
Date: Sat, 1 May 2010 20:25:08 +0200
Hi all,

I have been working for some days on this script, which is vulnerable to file disclosure, with an obfuscation technique in PHP.

http://www.clearskies.net/documents/css-advisory-css09001-sspdirector.pdf

Vulnerable script sample: http://pastebin.com/wWTc7ap7

The script takes a GET parameter "a" which is vulnerable to full disclosure, but it has an obfuscation issue.

The post data I introduce is like this:

    ../test,avatar-7,1440,866,2,100,5,50,50

So, after obfuscation I get my post data like:

    http://localhost/p.php?a=º\Ozw9dXZ5fz9lfGp2cnYsPC47IjM5JzI0MSo7LTMiNzknPjQjJj4j

If I execute debug I get:

    VAL: º\Ozw9dXZ5fz9lfGp2cnYsPC47IjM5JzI0MSo7LTMiNzknPjQjJj4j
    CRYPT: ../test,avatar-7,1440,866,2,100,5,50,50
    A0: ../test
    FILE: test
    ORIGINAL:/var/www/script/albums/avatars/7/test
    PATH:/var/www/script/albums/avatars/7/test

It's not possible for me to do a correct path traversal....

I tried other encodings, but with no success:

    $valor = convert("..%2Ftest,avatar-7,1440,866,2,100,5,50,50");
    $valor = convert("%25%25%2Ftest,avatar-7,1440,866,2,100,5,50,50");
    $valor = convert(".\"./\"test,avatar-7,1440,866,2,100,5,50,50");
    ...

I think I can't break:

    $file = $fn = basename($a[0]);

Can anybody help me?

Thank you
Rubén
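
Added example, not part of the original post or of the script it discusses: a PHP sketch of the A0 -> FILE -> PATH steps seen in the debug output above, showing why basename() reduces ../test to test, with a realpath() containment check added as hardening. The function name resolve_in_base, the temporary directory layout and the sample files are assumptions constructed for the demo.

```php
<?php
// Added example: mirrors the A0 -> FILE -> PATH steps from the debug output.
// resolve_in_base() and the directory layout are hypothetical, built for this demo.

function resolve_in_base(string $decoded, string $baseDir): ?string
{
    $a = explode(',', $decoded);       // A0 is the first comma-separated field
    $file = basename($a[0]);           // keeps only the last path component
    if ($file === '' || $file === '.' || $file === '..') {
        return null;                   // names basename() returns unchanged
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed layout: <tmp>/.../albums/avatars/7/test plus a file one level up.
$root = sys_get_temp_dir() . '/bn_demo_' . getmypid();
$base = $root . '/albums/avatars/7';
mkdir($base, 0700, true);
file_put_contents($base . '/test', 'inside');
file_put_contents(dirname($base) . '/test', 'outside');

$inputs = [
    'test,avatar-7,1440,866,2,100,5,50,50',
    '../test,avatar-7,1440,866,2,100,5,50,50',    // input from the post
    '..%2Ftest,avatar-7,1440,866,2,100,5,50,50',  // input from the post
    '."./"test,avatar-7,1440,866,2,100,5,50,50',  // input from the post
];
foreach ($inputs as $in) {
    $a0 = explode(',', $in)[0];
    printf("A0: %-12s FILE: %-12s PATH: %s\n",
        $a0, basename($a0), resolve_in_base($in, $base) ?? '(rejected)');
}

// Remove the constructed files again.
unlink($base . '/test');
unlink(dirname($base) . '/test');
```

On a system where "/" is the only path separator, the first two inputs resolve to the same file inside the base directory and the last two are rejected because no file with that literal name exists there.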