Re: Directory Traversal on File Upload




In regards to the .htaccess suggestion, I tried uploading my own one with the
following:

AllowOverride All
AddType application/x-httpd-php5 .htm .html .php .blog .comment .inc
DirectoryIndex try.php
Options +Indexes +MultiViews +FollowSymlinks
allow from all

but still no luck. I'm now questioning whether or not my file is actually
being uploaded too (it might just be a bug in the code that always says the
file has been uploaded). Even if i try to access a file that doesn't exist
such as "/thisfiledoesntexist.php" i still get the 502 error message which
is what is making me question whether the upload worked.

Could you elaborate more on how you would do your first suggestion. Because
this has crossed my mind I struggled to make it work. My javascript
injections didn't seem to work and i think this was because the form field
type is "file". And also, the file is local on my machine so is it meant to
look like "../C:/blah/blah/blah.php"?


Adam Mooz wrote:

Out of curiosity, have you tried setting the upload path to
"./../hostile.script", or "../hostile.script"? Or uploading your own
.htaccess file to override the noexec directive?


--
View this message in context: http://old.nabble.com/Directory-Traversal-on-File-Upload-tp32171687p32177175.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: WebExplorer as Perl-CGI
    ... >> DirectoryIndex in that directory, then the server will ... > But I also want users to be able to upload files and I assume that ...
    (comp.lang.perl.misc)
  • Re: Web App Script Capture
    ... In fact, with this particular app, I am able to upload arbitrary files ... However, since it is an open source app, I took a "short cut" by looking at the ... work-around for that problem (stealing source code). ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • Re: Directory Traversal on File Upload
    ... have access to a file upload facility which allows me to upload a php file ... as there are no checks on the file type but the php file goes into an image ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ...
    (Pen-Test)
  • Re: ColdFusion 8 w/ FCKEditor
    ... Is there something that could be done in case of the upload folder is ... I got this response from server: ... I could access /userfiles/file/teste.asp and got the asp script executed. ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • RE: Directory Traversal on File Upload
    ... Directory Traversal on File Upload ... have access to a file upload facility which allows me to upload a php file ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ...
    (Pen-Test)