On 2 November 2010 18:00, Ryan Sears <[email protected]> wrote:
> So what do you usually use to find LFIs Robin? Just a custom script with a
> wordlist that holds a bunch of iterations of ..\boot.ini?

I tend to wander around the web app itself or get it on Linux boxes where I know more about the file system. My knowledge of fixed file locations on Windows boxes is limited.

> Also I wonder if you can read from the pipe filesystem... \\.\ or possibly a
> network address for that matter, then you have an RFI :)

That would be impressive!

> You also may want to check out Dan Crowley on Windows file pseudonyms, it's a
> very interesting read, and might help here.
>
> http://download.coresecurity.com/corporate/attachments/Windows%20File%20Pseudonyms%20Dan%20Crowley%20Shmoocom%202010.pdf

I saw this at the time but I'll have another look to see if it could have helped here.

> Although if it just has a construction page, how did you even find an
> injectable parameter? Google enumeration?

IIS had an under construction page; the site with the directory traversal was some proprietary system running on an odd high port.

> Thanks, (And I gotta say your work with the interceptor == freaking amazing!
> I can't wait to get my Fon+)
> Ryan Sears

Thanks

Robin

> ----- Original Message -----
> From: "Robin Wood" <[email protected]>
> To: "PaulDotCom Mailing List" <[email protected]>
> Sent: Tuesday, November 2, 2010 12:52:46 PM GMT -05:00 US/Canada Eastern
> Subject: [Pauldotcom] with full read access what would you read
>
> On a recent test I found a website with a directory traversal attack
> that let me read any file. The server was Win 2003 and I read the
> obvious win.ini and boot.ini. I then read the Administrators
> desktop.ini to prove I could. I tried but couldn't read the registry
> files (not expected but worth trying).
>
> The web server was an unusual one, part of an app so I couldn't find
> the web root. The IIS web root just had an "Under Construction" file
> in it so nothing interesting in there.
>
> So, without being able to do directory listings to see what is there,
> what files would you read on this box and why?
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
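The thread turns on a file-serving component that concatenates a request parameter onto a base directory and opens the result, which is what lets `..\boot.ini` walk out of the web root. The check below is an added example, not code from the thread or from any product discussed in it; it shows the naive pattern next to a hardened resolver that refuses every path trick raised above (`..` segments, the `\\.\` device namespace, UNC and drive-letter paths) and, going a little beyond the thread, the Windows pseudonym cases from the Crowley talk (trailing dots and spaces, 8.3 short names, reserved device names, alternate data streams). The web root is a constructed placeholder.

```python
"""Path-traversal hardening for a file-serving parameter (added example).

resolve_naive   - the vulnerable pattern: root + user value, open whatever results.
resolve_hardened - canonicalises once, rejects anything that could escape the
                   root or name a file by an alias, returns None on refusal.
"""
import re
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "C:/inetpub/wwwroot"  # constructed placeholder, not a real deployment path

# Windows reserved device names, case-insensitive, with or without an extension
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)
# 8.3 short-name marker such as PROGRA~1, an alias for a long file name
_SHORTNAME = re.compile(r"~\d")
# Final allow-list for a single path segment
_SEGMENT_OK = re.compile(r"[A-Za-z0-9._-]+")


def resolve_naive(requested: str) -> str:
    """The pattern behind the traversal in the thread: blind concatenation."""
    return WEB_ROOT + "/" + requested


def resolve_hardened(requested: str) -> Optional[str]:
    """Return the canonical path under WEB_ROOT, or None if the request is refused."""
    path = unquote(requested)            # decode exactly once; never decode in a loop
    if "\x00" in path:                   # NUL would truncate the name at the OS layer
        return None
    path = path.replace("\\", "/")       # treat both separators alike before inspecting
    # Leading "/" covers absolute paths, UNC paths (//host/share) and the
    # device namespace (//./pipe/...); a drive letter covers C:\boot.ini.
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return None
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                     # collapse empty and current-dir segments
        if seg == "..":
            return None                  # any traversal segment refuses the whole request
        if seg != seg.rstrip(". "):
            return None                  # Windows strips trailing dots/spaces: "boot.ini." opens boot.ini
        if ":" in seg:
            return None                  # alternate data stream syntax, e.g. file.txt::$DATA
        if _RESERVED.match(seg) or _SHORTNAME.search(seg):
            return None                  # device names and 8.3 aliases are not real web content
        if not _SEGMENT_OK.fullmatch(seg):
            return None                  # allow-list backstop for anything not covered above
        segments.append(seg)
    if not segments:
        return None                      # nothing left to serve
    return WEB_ROOT + "/" + "/".join(segments)


if __name__ == "__main__":
    for req in ("images/logo.png", "..\\..\\boot.ini", "\\\\.\\pipe\\spooler", "docs\\readme.txt."):
        print(f"{req!r:32} naive={resolve_naive(req)!r}  hardened={resolve_hardened(req)!r}")
```

The resolver returns a string rather than opening the file so it can be dropped in front of whatever open call the application already has; the one rule worth keeping even if the rest is adapted is that the request is decoded exactly once and then refused, never "cleaned", when a traversal or alias is found.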