From: H D Moore (sflistdigitaloffense.net)
Date: Tue May 04 2004 - 04:19:24 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Monday 03 May 2004 06:16, Chan Fook Sheng wrote:
> I am trying to get the application to display any files on the
> filesystem. I have ried appending %00 etc.. but to no avail.
> Anyone knows of more techniques to try?

For ASP scripts that pass user input directly into the FileSystemObject,
you can use unicode tricks to perform a directory traversal. This nice
thing about this attack is that there is no easy defense in the ASP
language; Microsoft's own "secure" ShowCode.asp was vulnerable to this
type of flaw. A sample traversal would look like:

somebustedcode.asp?mahfile=%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afboot.ini

> How can one determine whether a web application is opening files for
> read, hence making it possible for directory traversal attack?

Try passing a variety of invalid names and look for a difference in the
returned error message. Using file names with reserved device names may
return a non-standard response, same goes for files which contain bytes
that are illegal in a file name...

-HD

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]