Thread subject: Security Override :: Advanced level 4

Posted by buglu on 02/04/2014 07:26:32
#1

Yes I understand this is already my second post in the advanced category.

I have already done my research on LFI for 3 days straight now and (think) I actually understand it.

I understand how it works and what you could do with it. But for now I have only read about the null byte, which I also have a question about, but I read nothing about getting the ../ filtered out. Now I do understand that this is not really something that has to do with the LFI itself, because it is a filter that does it.

My question about the null byte is: is \00 a valid null byte? It worked out for me because it deleted .php, but I don't know if it ACTUALLY works.

So now my question actually is: how do I work around this filter? I already noticed what the WAF actually filters on and tried to work around the filter by using other syntaxes. But that also failed...

So now my question also is: is this a filter from PHP itself, or just a handwritten filter that filters on a certain value? That last one could be made possible by preg_match if I am right?

As you see, I tried some things, but yeah, it didn't work out yet...

I hope someone could give me a hint on what I am doing wrong, or could give me a good article about WAF bypassing.

I know I maybe spoiled too much, but most of the information was also already in another thread...

Greetings buglu

Edited by buglu on 02/04/2014 07:28:45

Posted by Abhinav2107 on 02/04/2014 07:57:59
#2

The filter is straightforward.

str_replace("../", "", $input);

There's a simple way around it. Think about it.

As for the null byte, it causes everything beyond it to be dropped. Not sure what your question is. The null byte is simply the character with ASCII value 0.
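
The filter quoted above deletes the literal substring "../" in a single, non-recursive pass, and says nothing about the null byte the thread also discusses. The following Python model is an added example, not code from the thread or from the Security Override challenge: it places that weak filter beside a hardened replacement that rejects NUL bytes, canonicalises the path with realpath, confines it to a base directory, and checks the result against an allowlist. The base directory and page names are constructed for the demonstration and need not exist on disk.

```python
import os
from typing import Optional

# Constructed sample: a web root whose "page" parameter selects one template.
# Both values are assumptions for this example; realpath normalises paths
# that do not exist, so nothing has to be created on disk to run it.
BASE_DIR = "/var/www/pages"
ALLOWED_PAGES = {"home.php", "about.php"}


def weak_filter(user_input: str) -> str:
    """Model of the PHP filter quoted in the thread: str_replace("../", "", $input).

    str_replace makes exactly one non-recursive pass, so this is a substring
    deletion, not a path canonicalisation, and it knows nothing about NUL bytes.
    """
    return user_input.replace("../", "")


def weak_include_target(user_input: str) -> str:
    """What the vulnerable pattern ends up handing to include(): the filtered
    input glued to the base directory with a hard-coded ".php" suffix."""
    return os.path.join(BASE_DIR, weak_filter(user_input) + ".php")


def safe_include_target(user_input: str) -> Optional[str]:
    """Hardened replacement: reject NUL, canonicalise, confine, allowlist.

    Returns the resolved file path, or None when the request must be refused.
    """
    # 1. A NUL byte has no place in a file name; in old PHP versions it
    #    truncated the path inside include(), which is the "it deleted .php"
    #    effect the thread talks about.
    if "\x00" in user_input:
        return None
    base = os.path.realpath(BASE_DIR)
    # 2. Resolve "..", "." and symlinks instead of deleting substrings.
    candidate = os.path.realpath(os.path.join(base, user_input + ".php"))
    # 3. Confine to the base directory. commonpath compares path components,
    #    so "/var/www/pages-old" does not pass as a prefix of "/var/www/pages".
    if os.path.commonpath([base, candidate]) != base:
        return None
    # 4. Only names from a fixed allowlist may be included at all.
    if os.path.relpath(candidate, base) not in ALLOWED_PAGES:
        return None
    return candidate


if __name__ == "__main__":
    for page in ["home", "../../etc/passwd", "home\x00", "/etc/passwd", "secret"]:
        print(repr(page), "->", weak_include_target(page), "|", safe_include_target(page))
```

The point of the comparison is that the weak version answers the question "does the string contain ../ right now?", while the hardened version answers "where does this path actually end up, and is that one of the files I meant to serve?"; only the second question survives encodings, repeated sequences and truncation tricks, because it is evaluated on the resolved path rather than on the raw input.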

Posted by buglu on 02/04/2014 08:40:56
#3

Abhinav2107 wrote:
The filter is straightforward.

str_replace("../", "", $input);

There's a simple way around it. Think about it.

As for the null byte, it causes everything beyond it to be dropped. Not sure what your question is. The Null byte is simply the character with ASCII value 0.

Ah, str_replace, hadn't heard of that filter option yet tbh...

And my question actually was if "\00" has the same effect as "%00", but you answered it for me, thank you!
Yes, I tried using different syntaxes for the "/", don't know if I am doing it right this way?

I will look further into it I guess.

Thank you for your help!

Posted by buglu on 02/04/2014 08:51:24
#4

Hey Abhinav,

Actually solved it directly after you posted, thanks to your tip.

Just needed to know the function that filtered it.

Thank you again.