On 2 November 2010 21:33, Michael Dickey <[email protected]> wrote:
> Windows, eh? And not able to do directory listings to browse? Tricky! I'll
> try through some ideas...
>
> - machine.config for any versions of .net installed (predictable paths in
>   c:\windows\microsoft.net\framework...
> - group policy or wsus log files may give some network information
> - event log locations (although you'll likely get denied, but maybe some
>   .old files are present)
> - c:\windows\system32\logfiles\httperr may yield some app pool errors that
>   may be helpful
> - if you can read out permissions, it might be useful to try random paths
>   like administrators, all users profiles, program files, a D:\ drive, and see
>   if you can find any service or other accounts listed
> - IIS metabase: \system32\inetsrv\Metabase.xml and related files
> - try for a web.config under every directory from your current one down
>   until you can't go up anymore
>
> Finding that web root would be really nice...
>
>
> On Tue, Nov 2, 2010 at 11:52 AM, Robin Wood <[email protected]> wrote:
>>
>> On a recent test I found a website with a directory traversal attack
>> that let me read any file. The server was Win 2003 and I read the
>> obvious win.ini and boot.ini. I then read the Administrators
>> desktop.ini to prove I could. I tried but couldn't read the registry
>> files (not expected but worth trying).
>>
>> The web server was an unusual one, part of an app so I couldn't find
>> the web root. The IIS web root just had an "Under Construction" file
>> in it so nothing interesting in there.
>>
>> So, without being able to do directory listings to see what is there,
>> what files would you read on this box and why?

Seeing as there were a number of good answers I decided to put them all,
along with the answers to the sister Linux question, into a blog post.

http://www.digininja.org/blog/when_all_you_can_do_is_read.php

If I've missed anything or you want to suggest any additions, let me know.

Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
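
The defender's side of the file reads discussed in this thread, as an added example that is not part of the original messages: a small log scanner that normalises request URIs and flags traversal sequences, drive-letter paths and the file names mentioned above. The log field order, the sample lines and all function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# File names taken from the thread above; matched after normalisation.
SENSITIVE = ("win.ini", "boot.ini", "desktop.ini", "machine.config",
             "metabase.xml", "web.config", "logfiles/httperr")
TRAVERSAL = re.compile(r"(?:^|[/=?&])\.\.(?:/|$)")   # a ".." path segment
ABSOLUTE = re.compile(r"[=?&][a-z]:/")               # drive-letter path in a parameter

# Constructed sample log; the field order in the #Fields line is assumed.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-11-02 11:40:01 192.0.2.10 GET /app/view file=report.pdf 200
2010-11-02 11:41:13 192.0.2.77 GET /app/view file=..%5c..%5c..%5cboot.ini 200
2010-11-02 11:41:20 192.0.2.77 GET /app/view file=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini 200
2010-11-02 11:41:31 192.0.2.77 GET /app/view file=c:%5cwindows%5csystem32%5cinetsrv%5cMetabase.xml 403
"""

def normalise(value, max_rounds=3):
    """Undo nested URL encoding and unify separators before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()

def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    fields = line.split()
    if line.startswith("#") or len(fields) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = fields
    target = normalise(stem + "?" + query)
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("traversal")
    if ABSOLUTE.search(target):
        reasons.append("absolute_path")
    reasons += ["file:" + name for name in SENSITIVE if name in target]
    if not reasons:
        return None
    # A 200 on a flagged request suggests the file was actually returned.
    return {"ip": ip, "reasons": reasons, "read_succeeded": status == "200"}

def scan(log_text):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `read_succeeded` set are the ones to triage first, since the response status indicates the file content left the server.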
