Sla.ckers.org
How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
Is this injectable? (JSP)
Posted by: dangerbear
Date: March 21, 2012 09:09AM

So, I'm dealing with an injection and can't figure out if I can actually do anything with it or not. The page in question is JSP and takes a GET parameter, appends it to the current domain/path, and adds .html to the end of it.
Here's an example of the code:

response.sendRedirect(basePath + path + getParam + ".html");


That getParam parameter is not sanitized. I can send it as "someotherfile.jsp#" and that will take care of the html file extension at the end, but this doesn't really get me anywhere other than redirecting to a resource that's already publicly available on the server anyway. If I supply something in the request that it doesn't know what to do with, it just returns "null.html", which is empty.

Is there any other way to exploit this?

Re: Is this injectable? (JSP)
Posted by: dangerbear
Date: March 21, 2012 09:18AM

Another note is that it plays well with ../ and I can set the parameter to ../../../somefile.jsp# and it will work, but I can't seem to get out of the web directory.



Edited 1 time(s). Last edit at 03/21/2012 09:18AM by dangerbear.

Re: Is this injectable? (JSP)
Posted by: nEUrOO
Date: March 21, 2012 02:16PM

Yeah, you cannot go out of the webdir; this is a redirect (so, it will be a 302). If you're lucky w/ an old version of Java, try a different vuln here (response splitting, header inj., etc.)

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Is this injectable? (JSP)
Posted by: dangerbear
Date: March 22, 2012 08:57AM

Thanks for confirming that. I'll see if I can find some Java vuln to get in the door.


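Added example, not part of the thread or of the application discussed: one way to harden the redirect shown in the first post so that the `#`, `../` and CR/LF inputs mentioned above all fall back to a fixed page. The class name, the allowlist pattern, the fallback page and the sample host are assumptions made for illustration.

```java
import java.net.URI;
import java.util.regex.Pattern;

public class SafeRedirect {
    // Assumption: legitimate page names are short tokens without dots, slashes or '#'.
    private static final Pattern PAGE = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private static final String FALLBACK_PAGE = "index"; // hypothetical default page

    /** Builds the Location value for sendRedirect from an untrusted page parameter. */
    static String redirectTarget(String basePath, String path, String getParam) {
        // Allowlist first: rejects "#", "../", CR/LF and a missing parameter in one step.
        String page = (getParam != null && PAGE.matcher(getParam).matches())
                ? getParam : FALLBACK_PAGE;
        URI base = URI.create(basePath + path).normalize();
        URI target = URI.create(basePath + path + page + ".html").normalize();
        // Defence in depth: the normalized result must stay under the intended
        // directory and must still end in the suffix the code appended.
        boolean contained = target.getPath().startsWith(base.getPath())
                && target.getPath().endsWith(".html")
                && target.getFragment() == null
                && target.getQuery() == null;
        return contained ? target.toString()
                         : basePath + path + FALLBACK_PAGE + ".html";
    }

    public static void main(String[] args) {
        String basePath = "https://app.example.test"; // constructed sample values
        String path = "/site/pages/";
        String[] samples = {
            "news",                        // expected use
            "someotherfile.jsp#",          // fragment trick from the thread
            "../../../somefile.jsp#",      // traversal from the thread
            "x\r\nSet-Cookie: sid=1",      // CR/LF, the response-splitting case
            null                           // missing parameter
        };
        for (String s : samples) {
            String shown = s == null ? "null" : s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.println(shown + " -> " + redirectTarget(basePath, path, s));
        }
    }
}
```

In the JSP, the returned string is what gets passed to `response.sendRedirect(...)` in place of the raw concatenation.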
