Waraxe IT Security Portal

d3vilbox · Beginner

sup guyz ?

There is so many dynamic pages for managing and implementing file-download (ex:download.php).

if there is no local file permission set and name of file which should be pased by dynamic page to user is passed to dynamic page by user`s request ,It`s possible to inject ../ and ... at the beggining of file name and change file name to download server side codes of dynamic pages ( ASPX,ASP,PHP etc)

Web developers filter user`s requested file-name and check if it has malicious characters ( .. or %2e%2e , etc ) or not.

there is many ways to bypass such chr-filtering :
1) ..
2) %2e%2e ( hex encoded )
3) %2e.
4) .%2e
5) / ( and hex endcoded)
6) \ ( and hex endcoded)

there is some methods at ASP.NET and ASP to bypass such filtering :

1)using %00 (null) to change signiture of threat (injected file-name)
2)encoding characters by their Unicode format ( \u## \u####,\u######)

Q : is it possible to bypass download.php?filename=[Directory traversal]
which uses # 1,2,3,4 ( but not 5,6) filtering ?

Q : why download.php?filename=[Directory traversal] changes %00 (null) to \ when using injected-path ?

Q : is Unicode encoding (\u#### etc) possible at PHP or not ?

Q: any other idea ?

Sorry 4 my bad english

PS: oh I forgot , I`m working on new method of Security-analyzing at web applications to find security-vulnerablities and i could test it on some popular PHP web portals and got some SQL-Injection and ... bugs , i need parthner to help me, there are some SQl statements which i cannot write exploit for them ( d3vilbox [a .. t] yahoo d0t com )

tnx