[Pauldotcom] with full read access what would you read
Robin Wood
robin at digininja.org
Tue Nov 2 21:47:57 UTC 2010
On 2 November 2010 18:00, Ryan Sears <rdsears at mtu.edu> wrote:
> So what do you usually use to find LFIs Robin? Just a custom script with a wordlist that holds a bunch of iterations of ..\boot.ini?
I tend to wander around the web app itself or get it on Linux boxes
where I know more about the file system. My knowledge of fixed file
locations on Windows boxes is limited.
> Also I wonder if you can read from the pipe filesystem... \\.\ or possibly a network address for that matter, then you have an RFI :)
That would be impressive!
> You also may want to check out Dan Crowley on Windows file pseudonyms, it's a very interesting read, and might help here.
>
> http://download.coresecurity.com/corporate/attachments/Windows%20File%20Pseudonyms%20Dan%20Crowley%20Shmoocom%202010.pdf
I saw this at the time but I'll have another look to see if it could have helped here.
> Although if it just has a construction page, how did you even find an injectable parameter? Google enumeration?
IIS had an under construction page; the site with the directory traversal
was some proprietary system running on an odd high port.
> Thanks, (And I gotta say your work with the interceptor == freaking amazing! I can't wait to get my Fon+)
> Ryan Sears
Thanks
Robin
> ----- Original Message -----
> From: "Robin Wood" <robin at digininja.org>
> To: "PaulDotCom Mailing List" <pauldotcom at mail.pauldotcom.com>
> Sent: Tuesday, November 2, 2010 12:52:46 PM GMT -05:00 US/Canada Eastern
> Subject: [Pauldotcom] with full read access what would you read
>
> On a recent test I found a website with a directory traversal attack
> that let me read any file. The server was Win 2003 and I read the
> obvious win.ini and boot.ini. I then read the Administrator's
> desktop.ini to prove I could. I tried but couldn't read the registry
> files (not expected but worth trying).
>
> The web server was an unusual one, part of an app so I couldn't find
> the web root. The IIS web root just had an "Under Construction" file
> in it so nothing interesting in there.
>
> So, without being able to do directory listings to see what is there,
> what files would you read on this box and why?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com