[Pauldotcom] with full read access what would you read

Bill Swearingen hevnsnt at i-hacked.com
Tue Nov 2 20:31:11 UTC 2010


I have found myself in a very similar situation. So then I moved on to find
an info disclosure bug (generally an SQL error) that shows me the web root.


On Tue, Nov 2, 2010 at 11:52 AM, Robin Wood <robin at digininja.org> wrote:

> On a recent test I found a website with a directory traversal attack
> that let me read any file. The server was Win 2003 and I read the
> obvious win.ini and boot.ini. I then read the Administrators
> desktop.ini to prove I could. I tried but couldn't read the registry
> files (not expected but worth trying).
>
> The web server was an unusual one, part of an app so I couldn't find
> the web root. The IIS web root just had an "Under Construction" file
> in it so nothing interesting in there.
>
> So, without being able to do directory listings to see what is there,
> what files would you read on this box and why?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
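The traversal Robin describes exists because the application joins a client-supplied name onto a directory without confining the result. The usual fix is to decode, canonicalize and then confirm the resolved path still sits under the web root, and the same check can be run over request logs to find attempts after the fact. The block below is an added example written for this thread, not code from either poster or from the application under test; the web root, the W3C-style log fields and every request value in it are constructed assumptions.

```python
"""Added example: confine a request path to a web root, and reuse the check
to scan constructed IIS-style log lines for traversal attempts.
WEB_ROOT, the log layout and all sample requests are assumptions."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote

WEB_ROOT = "/srv/www/root"  # assumed; the real app's root is not on the page

_ALL_DOTS = re.compile(r"^\.{2,}$")


def _decode(value: str) -> str:
    """Percent-decode until stable so double-encoded dots (%252e) are seen."""
    prev = None
    for _ in range(4):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value


def resolve_under_root(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a client-supplied path to a file under root, or None if it escapes.
    '/' and '\\' are both treated as separators, as IIS does."""
    stem = requested.split("?", 1)[0]          # query string handled separately
    decoded = _decode(stem).replace("\\", "/")
    if "\x00" in decoded or "\ufffd" in decoded:  # NUL byte or invalid UTF-8
        return None
    if re.match(r"^[A-Za-z]:", decoded) or decoded.startswith("//"):
        return None                               # drive letter or UNC share
    parts: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None                       # would climb above root
            parts.pop()
        elif _ALL_DOTS.match(seg):                # "...", "....": refuse outright
            return None
        else:
            parts.append(seg)
    return "/".join([root, *parts]) if parts else root


# Constructed W3C-style log layout; a real IIS log declares its fields in a
# "#Fields:" header and may order them differently.
LOG_FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status")


def parse_w3c_line(line: str) -> dict:
    return dict(zip(LOG_FIELDS, line.split()))


def traversal_in_request(stem: str, query: str) -> bool:
    """True if the path or any query value would resolve outside the root."""
    if resolve_under_root(stem) is None:
        return True
    if query != "-":
        for _, value in parse_qsl(query, keep_blank_values=True):
            if resolve_under_root(value) is None:
                return True
    return False


def flag_traversal(lines) -> List[Tuple[str, str, str]]:
    """Return (client ip, uri stem, query) for every line that looks like
    a traversal attempt, including encoded and double-encoded forms."""
    hits = []
    for line in lines:
        fields = parse_w3c_line(line)
        if len(fields) < len(LOG_FIELDS):
            continue
        if traversal_in_request(fields["cs-uri-stem"], fields["cs-uri-query"]):
            hits.append((fields["c-ip"], fields["cs-uri-stem"], fields["cs-uri-query"]))
    return hits


# Constructed sample log: two benign requests, two traversal attempts, and one
# ".." that stays inside the root and must not be flagged.
SAMPLE_LOG = """\
2010-11-02 11:52:01 10.0.0.5 GET /app/default.aspx - 80 - 10.0.0.9 Mozilla/4.0 200
2010-11-02 11:52:07 10.0.0.5 GET /app/view.aspx file=report.pdf 80 - 10.0.0.9 Mozilla/4.0 200
2010-11-02 11:52:13 10.0.0.5 GET /app/view.aspx file=..%2f..%2fwindows%2fwin.ini 80 - 10.0.0.9 Mozilla/4.0 200
2010-11-02 11:52:19 10.0.0.5 GET /app/..%255c..%255cboot.ini - 80 - 10.0.0.9 Mozilla/4.0 404
2010-11-02 11:52:25 10.0.0.5 GET /images/../static/logo.gif - 80 - 10.0.0.9 Mozilla/4.0 200
""".splitlines()

if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The guard rejects on a segment-stack walk rather than on `normpath`, because `posixpath.normpath("/../x")` quietly returns `/x` and hides the escape; it also refuses drive letters, UNC prefixes, NUL bytes and undecodable byte sequences, since older IIS stacks treated some of those as separators. The log scan is a coarse indicator only: it checks each query value as if it were a path, so an application that legitimately accepts `..` in a parameter will produce noise.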

