Thread subject: Security Override :: Adv#4

Posted by letm on 04/05/2013 19:48:26

hai ppl what file need to include?
/etc/passwd ?

Posted by CrashOverron on 04/05/2013 23:42:37

Sorry, there was a piece commented out in adv3 that says where the file was uploaded. Not sure why it was commented.

Posted by wiser on 04/06/2013 04:29:16

Actually the hint was already displayed now we can see it twice ;)

Posted by Asch on 04/12/2013 07:12:32

Hi everyone,

I think I am not so far from the solution. I get the message:
"uploads/5p0il3r.jpg cannot be found."

So I think I have correctly bypassed the extension adding.

Now I'm trying to get into the parent directory, to get the image. I know there is a filter to remove ../, and I tried to write it in many ways (URL encoding), but I'm not bypassing the filter.

Can any one give me a hint ?


Edited by PublicEnemy: Removed Spoiler

Edited by Guest on 04/12/2013 14:43:37

Posted by Teddy on 04/12/2013 10:28:24

It is hard to give a hint without telling the solution. But maybe these two help:

- What would be the easiest way to get the "../" removed? Think about a PHP function that does it.

- You know what gets removed. Maybe you can use that information now to create a valid injection. Or at least valid after the filter.

Posted by Asch on 04/16/2013 11:49:41

Okay I got it ^^
Thank you very much :)

Posted by jaatrox on 06/18/2013 03:43:42

the null byte attack doesn't work, what should I do for that?

Posted by trietptm on 07/21/2013 06:38:15

jaatrox wrote:
the null byte attack doesn't work, what should I do for that?

Any idea, everybody?
I tried %%0000 but it doesn't work either.
Update: I've found the trick :D .

Edited by trietptm on 07/21/2013 07:01:18

Posted by Abhinav2107 on 07/21/2013 09:26:24

Use another null character instead of %00

Posted by CrashOverron on 07/24/2013 10:05:02

Yes, atm the %00 is not working, but there is still another way to bypass the appended file extension.

Posted by Teddy on 09/22/2013 10:20:06

I do not know what would be the right way to bypass it because I did not try it yet.
But I found that one:
Even when it is not the way to bypass the challenge it is still interesting

Edited by Teddy on 09/22/2013 10:20:46

Posted by hax366 on 01/02/2014 04:22:05

finished :)

Posted by obscureromeo on 03/13/2014 17:57:55

Greetings Folks!

I've used both types of null bytes to escape the filter and to strip .php but I still keep getting the following error:
<Spoiler Removed> cannot be found.

Can someone be kind enough to guide me? Am I looking inside the wrong directory?

Edited by Abhinav2107 on 03/13/2014 23:19:59

Posted by Abhinav2107 on 03/13/2014 23:21:48

There does exist a null byte that will work. Think escaping.

Posted by T3N38R15 on 04/04/2014 16:03:24

Hello all,
Why can't I do this ../ with this ....// ? That works, or?
One ../ was deleted and then only one ../ stays, and then I bypass the filter.

But the challenge says nope :( Pls give me a hint, I'm stuck.

Kind regards T3N38R15
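
The single-pass "../" removal discussed in this thread, shown next to a canonicalize-and-contain check. This is an added example, not part of any post or of the challenge's code; it assumes the filter is a plain str_replace call, and the function names, directories and file names are hypothetical.

```php
<?php
// Constructed example: function names, directories and file names are hypothetical.

// Weak filter (assumed form): one pass that deletes every "../" it finds.
// str_replace does not rescan its own output, so the result is not re-checked.
function strip_once(string $name): string
{
    return str_replace('../', '', $name);
}

// Hardened check: canonicalize the path, then require it to stay under $base.
function resolve_inside(string $base, string $name): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false) {
        return null; // missing base directory or missing file
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path left the base directory
    }
    return $target;
}

// Constructed sandbox: <tmp>/demo_xxxx/uploads/photo.jpg and <tmp>/demo_xxxx/secret.txt
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/photo.jpg', 'image');
file_put_contents($root . '/secret.txt', 'outside');

foreach (['photo.jpg', '../secret.txt', '....//secret.txt'] as $input) {
    $filtered = strip_once($input);
    // What a handler that trusts the filter would do with the result.
    $weak = is_file($root . '/uploads/' . $filtered) ? 'readable' : 'not found';
    // What the containment check decides for the same filtered value.
    $safe = resolve_inside($root . '/uploads', $filtered) ?? 'rejected';
    printf("%-18s -> %-14s weak: %-9s hardened: %s\n", $input, $filtered, $weak, $safe);
}
```

The third input still contains "../" after filtering, so only the containment check keeps the lookup inside uploads/.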