Stupid question

Discuss the many weaknesses of browser security and ways to mitigate the threat

Stupid question

Post by singur on Wed Jun 24, 2009 5:13 pm
([msg=25890]see Stupid question[/msg])

Is it possible to inject a null-byte/encoded hex caracter into a request filename?
Based on my tests...it seems to be impossible...but i read in some places that this is possible.
Source used for tests:
Code: Select all
<form method="POST" enctype="multipart/form-data">
    <input type="file" name="f1" />
    <input type="submit" value="send" />
</form>
<?php
echo rawurlencode($_FILES['f1']['name']);
?>

Tried to do it in many different ways...
Thanks in advance...
And...could someone please get me a real bruteforce algorithm?

Ps: brazilian dude over here...sorry for my ridiculous english.
singur
New User
New User
 
Posts: 2
Joined: Wed Jun 24, 2009 5:02 pm
Blog: View Blog (0)


Re: Stupid question

Post by thedotmaster on Mon Jul 20, 2009 8:42 am
([msg=27033]see Re: Stupid question[/msg])

Maybe you mean something like this:

Code: Select all
<?php
include($_GET['file']+'.txt');
?>


If you wanted to open .htaccess for example, script.php?file=.htaccess would try to open .htaccess.txt
A null byte is added on the end of the filename and php detects this as the end of the string.

Is that what you meant?
Image
User avatar
thedotmaster
Contributor
Contributor
 
Posts: 984
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK
Blog: View Blog (1)



Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests