Re: info on dir traversal techniques, any?

From: H D Moore (sflist_at_digitaloffense.net)
Date: 05/04/04

  • Next message: Teicher, Mark (Mark): "RE: Kernel sec. systems WAS: Why eEye Retina (was MBSA scanner)"
    To: pen-test@securityfocus.com
    Date: Tue, 4 May 2004 04:19:24 -0500
    
    

    On Monday 03 May 2004 06:16, Chan Fook Sheng wrote:
    > I am trying to get the application to display any files on the
    > filesystem. I have ried appending %00 etc.. but to no avail.
    > Anyone knows of more techniques to try?

    For ASP scripts that pass user input directly into the FileSystemObject,
    you can use unicode tricks to perform a directory traversal. This nice
    thing about this attack is that there is no easy defense in the ASP
    language; Microsoft's own "secure" ShowCode.asp was vulnerable to this
    type of flaw. A sample traversal would look like:

    somebustedcode.asp?mahfile=%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afboot.ini

    > How can one determine whether a web application is opening files for
    > read, hence making it possible for directory traversal attack?

    Try passing a variety of invalid names and look for a difference in the
    returned error message. Using file names with reserved device names may
    return a non-standard response, same goes for files which contain bytes
    that are illegal in a file name...

    -HD

    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------


  • Next message: Teicher, Mark (Mark): "RE: Kernel sec. systems WAS: Why eEye Retina (was MBSA scanner)"

    Relevant Pages

    • RE: Cisco CSA
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: Any reason not to use strcpy, strcat or scanf?
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)
    • RE: New Trojan?
      ... > Ethical Hacking at the InfoSec Institute. ... Attend a course taught by an expert instructor with years of ... pen testing experience in our state of the art hacking lab. ... to facilitate one-on-one interaction with one of our expert instructors. ...
      (Security-Basics)
    • RE: Wireless access
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... pen testing experience in our state of the art hacking lab. ... Attend a course taught by an expert instructor with years of in-the-field ...
      (Security-Basics)
    • Re: antivirus for linux
      ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ...
      (Security-Basics)