[W3af-users] Filename bruteforce with mod_negotiation

Tue, 02 Jun 2009 06:13:25 -0700 

List,

    Yesterday I found out a new trick, and I would like to share it with you ;)

HTTP Request
========

GET /backup HTTP/1.0
Accept: foobar/xyz
User-Agent: w3af
Host: 192.168.150.2
Connection: Close

HTTP Response
=========

HTTP/1.1 406 Not Acceptable
...
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /backup
could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>
</ul>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2
PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Server at 192.168.150.2 Port 80</address>
</body></html>

In the response, please note these lines:

<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>

And if we go to the webroot to verify...

d...@brick:/var/www$ ls -la | grep backup
-rw-r--r--  1 dz0 dz0       0 2009-06-01 22:02 backup.tgz
-rw-r--r--  1 dz0 dz0       0 2009-06-01 22:03 backup.zip
d...@brick:/var/www$

This trick is really useful when finding (for example) backup files,
because you won't need to ask for backup.zip, backup.7z, backup.bzip2,
backup.tar.gz , etc. You just ask apache for the backup file, with an
incorrect Accept header (please note Accept: foobar/xyz) and that's
it, a list of given back to you.

If this ain't new for you, sorry, but it was new for me =)

I'm still thinking how I can use this trick in w3af, because I may use
it as part of a discovery plugin, or maybe as an audit plugin that
finds this as a vulnerability, and code an attack plugin that can
exploit it to bruteforce new resources... hmmm... I still have to
think. What do you guys think?

Cheers,
-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

------------------------------------------------------------------------------
OpenSolaris 2009.06 is a cutting edge operating system for enterprises 
looking to deploy the next generation of Solaris that includes the latest 
innovations from Sun and the OpenSource community. Download a copy and 
enjoy capabilities such as Networking, Storage and Virtualization. 
Go to: http://p.sf.net/sfu/opensolaris-get
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users

Reply via email to