Thread subject: Security Override :: Adv#4

Posted by letm on 04/05/2013 19:48:26
#1

hai ppl what file need to include?
/etc/passwd ?

Posted by CrashOverron on 04/05/2013 23:42:37
#2

sorry there was a piece commented out in adv3 that says where the file was uploaded, not sure why it was commented

Posted by wiser on 04/06/2013 04:29:16
#3

Actually the hint was already displayed now we can see it twice ;)

Posted by Asch on 04/12/2013 07:12:32
#4

Hi everyone,

I think I am not so far from the solution. I get the message:
"uploads/5p0il3r.jpg cannot be found."

So I think I have correctly bypassed the extension adding.

Now I am trying to get into the parent directory, to get the image. I know there is a filter to remove ../, and I tried to write it in many ways (URL encoding), but I am not bypassing the filter.

Can anyone give me a hint?

Friendly,
Asch.

Edited by PublicEnemy: Removed Spoiler

Edited by Guest on 04/12/2013 14:43:37

Posted by Teddy on 04/12/2013 10:28:24
#5

It is hard to give a hint without telling the solution. But maybe these two help:

- What would be the easiest way to get the "../" removed? Think about a PHP function that does it.

- You know what gets removed. Maybe you can use that information now to create a valid injection. Or at least valid after the filter.

Posted by Asch on 04/16/2013 11:49:41
#6

Okay I got it ^^
Thank you very much :)

Posted by jaatrox on 06/18/2013 03:43:42
#7

the null byte attack doesn't work, what should I do for that?

Posted by trietptm on 07/21/2013 06:38:15
#8

jaatrox wrote:
the null byte attack doesn't work, what should I do for that?


Any idea, everybody?
I tried %%0000 but it doesn't work either.
Update: I've found the trick :D .

Edited by trietptm on 07/21/2013 07:01:18

Posted by Abhinav2107 on 07/21/2013 09:26:24
#9

Use another null character instead of %00

Posted by CrashOverron on 07/24/2013 10:05:02
#10

yes atm the %00 is not working but there is still another way to bypass the appended file extension

Posted by Teddy on 09/22/2013 10:20:06
#11

I do not know what would be the right way to bypass it because I did not try it yet.
But I found this one:
http://security.stackexchange.com/questions/17407/how-can-i-use-this-path-bypass-exploit-local-file-inclusion
Even if it is not the way to bypass the challenge, it is still interesting.

Edited by Teddy on 09/22/2013 10:20:46

Posted by hax366 on 01/02/2014 04:22:05
#12

finished :)


Posted by obscureromeo on 03/13/2014 17:57:55
#13

Greetings Folks!

I've used both types of null bytes to escape the filter and to strip .php but I still keep getting the following error:
<Spoiler Removed> cannot be found.

Can someone be kind enough to guide me? Am I looking inside the wrong directory?

Edited by Abhinav2107 on 03/13/2014 23:19:59

Posted by Abhinav2107 on 03/13/2014 23:21:48
#14

There does exist a null byte that will work. Think escaping.

Posted by T3N38R15 on 04/04/2014 16:03:24
#15

Hello all,
Why can't I do this ../ with this ....// ? That works, or?
One ../ was deleted and then only one ../ stays, and then I bypass the filter.

But the challenge says nope :( Please give me a hint, I'm stuck.

Kind regards, T3N38R15
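
Added example, not part of the original thread and not the challenge's code: it assumes the filter is a single `str_replace` pass followed by an appended `.php`, which the thread hints at but does not confirm, and sets that beside a resolver that validates the name and checks the canonical path. All function names, paths and inputs are constructed.

```php
<?php
// Added example: names, paths and inputs are constructed for illustration.

// Assumed filter shape: one str_replace pass, then an appended extension.
function naive_path(string $page): string {
    return 'uploads/' . str_replace('../', '', $page) . '.php';
}

// Hardened resolver: validate instead of stripping, then check the
// canonical path is still inside the base directory.
function safe_path(string $baseDir, string $page): ?string {
    // Strict allowlist; rejects '.', '/', '%' and NUL bytes outright.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $full === false) {
        return null; // base or target does not exist
    }
    // Defence in depth: symlinks could still point outside the base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/home.php", '<?php // page');
file_put_contents("$root/secret.php", '<?php // outside uploads');

foreach (['home', '../secret', '....//secret', "home\0"] as $in) {
    $naive = naive_path($in);
    $safe  = safe_path("$root/uploads", $in);
    printf("%-16s naive=%-24s safe=%s\n",
        json_encode($in),
        json_encode($naive, JSON_UNESCAPED_SLASHES),
        $safe === null ? 'rejected' : 'allowed');
}

// Clean up the demo tree.
unlink("$root/uploads/home.php");
unlink("$root/secret.php");
rmdir("$root/uploads");
rmdir($root);
```

Under the assumed filter, `....//secret` collapses back to `uploads/../secret.php` after the single pass, while the hardened resolver accepts only `home`.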