PHP: Bypass filters using less-than sign
Author: KacperSzurekEN
Uploaded: 2019-02-05
Views: 3825
Description:
Here is the next episode of "from 0 to pentesting hero" where we search for vulnerabilities in simple parts of code.
Subscribe: https://www.youtube.com/c/KacperSzure...
Today we are going to see that the platform on which we run our programs makes a difference and we'll use PHP for this purpose.
Sometimes we need to enable the user to download files from the server.
This functionality can be implemented in 3 lines of code.
As we can read in the document entitled `Oddities of PHP file access in Windows`, a string consisting of two "less-than" signs gets replaced with an asterisk when it is passed to the file_get_contents function.
This string is then forwarded to the FindFirstFile Windows API, which is responsible for searching for the appropriate file in the system.
There, the asterisk acts as a wildcard.
So, the file that is going to be displayed is the one whose name matches the rest of the characters.
So, to bypass the filter, instead of passing secret.txt as the parameter we can replace the last letter t with a double "less-than" sign.
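An added example (not code from the video or the whitepaper) that contrasts a deny-list check, which the double "less-than" trick defeats on Windows, with an exact-match allow-list. The directory, the file names and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the video. DOWNLOAD_DIR, ALLOWED_FILES and the
// function names are assumptions made for illustration.
const DOWNLOAD_DIR  = __DIR__ . '/files';
const ALLOWED_FILES = ['manual.pdf', 'readme.txt'];

// Weak: deny-list that compares the raw parameter with the protected name.
// "secret.tx<<" is a different string, so it passes, yet on Windows it is
// expanded to "secret.tx*" and still resolves to secret.txt.
function denylist_allows(string $name): bool
{
    return $name !== 'secret.txt';
}

// The characters < > " * ? are never valid in a Windows file name, so their
// presence in a request is worth rejecting and logging.
function has_wildcard_chars(string $name): bool
{
    return strpbrk($name, '<>"*?') !== false;
}

// Hardened: the parameter must be exactly one of the published names.
function allowlist_allows(string $name): bool
{
    return !has_wildcard_chars($name) && in_array($name, ALLOWED_FILES, true);
}

// Returns the file contents, or null when the request is refused or missing.
function read_download(string $name): ?string
{
    if (!allowlist_allows($name)) {
        return null;
    }
    $path = DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!is_file($path)) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed sample inputs: a published file, the protected name, the bypass.
foreach (['readme.txt', 'secret.txt', 'secret.tx<<'] as $name) {
    printf("%-12s denylist=%s allowlist=%s\n", $name,
        var_export(denylist_allows($name), true),
        var_export(allowlist_allows($name), true));
}
```

The deny-list is the only check that accepts `secret.tx<<`; the allow-list refuses both it and `secret.txt` on any platform, because it never depends on how the operating system resolves the name.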
Whitepaper: http://www.madchat.fr/coding/php/secu...
Twitter: / kacperszurek
Website: https://security.szurek.pl/
Github: https://github.com/kacperszurek/
#from0topentestinghero #security #php