1

I am pentesting an application. The application exposes a SOAP API, which I have access to, and internally that API makes the following call:

File.Open("C:\Resources\"+resName+".res", FileMode.Open)

The contents of that file is then returned to me. I'm trying to exploit this to read any file on the server.

I can control the resName variable, so I can use path traversal (../) to navigate the entire C: drive. The problem is, because the file path ends with .res, I can only access .res files. Are there any Windows/NTFS/C# tricks that will cause the .res to be ignored, so that I can read any file on the server?

PenetrationTester
  • 11
  • 4
  • 1
    You could try to insert a null character at the end of your variable. If it makes it to the server and the string it might terminate the string so that everything after is ignored. – Robert Jul 03 '22 at 20:39
  • Unfortunately, the null byte is rejected by the File.Open method, so I can't use it. – PenetrationTester Jul 04 '22 at 05:34
  • All these edits are not adding any value. If you keep making these edits, the system will lock you out. If this is an attempt to "bump" the post, please stop. – schroeder Jul 04 '22 at 18:28
  • There aren't that many actual hardcore security professionals here unfortunately, so it's unlikely you'll get an answer. All those guys are crazy rich and couldn't be bothered with silly questions posted here while they're researching vulnerabilities which most people can't even imagine exist. – Artem S. Tashkinov Jul 05 '22 at 15:03

0 Answers0