How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Possible command line injection? (of a sort)
Posted by: _Andy
Date: December 23, 2009 10:00AM

Hi there

I have an injection of the form

. hxxp://domain/ShowTXT.aspx?name=<textfilename>

This is being used as something like

FileStream fs = File.Open(textfilename + ".txt", FileMode.Open);

that's then sent to the browser. E.g.

. hxxp://domain/ShowTXT.aspx?name=prefs

or

. hxxp://domain/ShowTXT.aspx?name=../TXT/prefs

will return me the prefs.txt file.

Do you think there is any way to prevent the ".txt" being appended so something more interesting can be returned?

Re: Possible command line injection? (of a sort)
Posted by: Perow
Date: December 23, 2009 10:04AM

What you're looking for is the null byte hack.
Try appending "filename.txt%00" as the filename. If that has the same effect as "filename", you can start browsing the filesystem.

Re: Possible command line injection? (of a sort)
Posted by: _Andy
Date: December 23, 2009 10:15AM

That makes perfect sense. Unfortunately

. hxxp://domain/ShowTXT.aspx?name=prefs.txt%00

doesn't return anything (errors are suppressed).

Re: Possible command line injection? (of a sort)
Posted by: rvdh
Date: December 26, 2009 03:22PM

How do you send it? With a browser? Try sending it with a custom script that makes a TCP/socket connection, or simply netcat, because it might not work due to browser settings, or encoding that takes place internally.

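The defensive side of the pattern discussed in this thread, as an added example that is not part of the original posts or of the site's own code: a C# lookup that accepts `name` only as a bare file stem, which rejects NUL bytes and path separators, and then confirms the canonical path stays under the text directory. The class name `SafeTextFile`, the method `Resolve` and the base directory are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Added example: hypothetical hardened lookup for a handler like ShowTXT.aspx?name=...
public static class SafeTextFile
{
    // Allow-list: a bare stem of letters, digits, '_' and '-'. This excludes
    // '.', '/', '\', ':' and NUL, so "../TXT/prefs" and "prefs.txt\0" both fail.
    // \A and \z anchor to the absolute start and end of the string.
    private static readonly Regex Stem = new Regex(@"\A[A-Za-z0-9_-]{1,64}\z");

    // Returns the full path of <baseDir>/<name>.txt, or null if the request is rejected.
    public static string Resolve(string baseDir, string name)
    {
        if (name == null || !Stem.IsMatch(name))
            return null;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Defence in depth: canonicalise, then confirm the result is still inside root.
        // Case-insensitive comparison matches Windows file-system behaviour.
        string full = Path.GetFullPath(Path.Combine(root, name + ".txt"));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            return null;
        return full;
    }

    public static void Main()
    {
        string baseDir = Path.Combine(Path.GetTempPath(), "TXT"); // assumed location
        // Constructed sample inputs, using the request shapes quoted in the thread.
        string[] samples = { "prefs", "../TXT/prefs", "prefs.txt\0" };
        foreach (string s in samples)
        {
            string p = Resolve(baseDir, s);
            Console.WriteLine("{0,-16} -> {1}", s.Replace("\0", "%00"), p ?? "rejected");
        }
    }
}
```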

