Acunetix - Web Vulnerability Scanner
[Advertise With HackThisSite.org]

Hack This Site - Forums Index

Stupid question

Discuss the many weaknesses of browser security and ways to mitigate the threat
Post a reply

Stupid question

Post by singur on Wed Jun 24, 2009 5:13 pm
([msg=25890]see Stupid question[/msg])

Is it possible to inject a null-byte/encoded hex caracter into a request filename?
Based on my tests...it seems to be impossible...but i read in some places that this is possible.
Source used for tests:
Code: Select all
<form method="POST" enctype="multipart/form-data">
    <input type="file" name="f1" />
    <input type="submit" value="send" />
</form>
<?php
echo rawurlencode($_FILES['f1']['name']);
?>

Tried to do it in many different ways...
Thanks in advance...
And...could someone please get me a real bruteforce algorithm?

Ps: brazilian dude over here...sorry for my ridiculous english.
singur
New User
New User
 
Posts: 2
Joined: Wed Jun 24, 2009 5:02 pm
Blog: View Blog (0)

Re: Stupid question

Post by thedotmaster on Mon Jul 20, 2009 8:42 am
([msg=27033]see Re: Stupid question[/msg])

Maybe you mean something like this:

Code: Select all
<?php
include($_GET['file']+'.txt');
?>


If you wanted to open .htaccess for example, script.php?file=.htaccess would try to open .htaccess.txt
A null byte is added on the end of the filename and php detects this as the end of the string.

Is that what you meant?
Image
User avatar
thedotmaster
Contributor
Contributor
 
Posts: 988
Joined: Sun May 04, 2008 4:39 pm
Location: North West UK
Blog: View Blog (1)
Post a reply

Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests

Disclaimer :
HackThisSite does not support illegal activities.
The management of this board is not responsible for the content of any external internet sites.
Powered by phpBB © 2000-2009 phpBB Group
Carbon Style By Echo -=Designs By Echo=- © 2007 Echo
Administration Control Panel