Hi Andres, good finding, but if you were subscribed to my blog http://www.wisec.it/sectou.php you'd see that I wrote about it a couple of years ago: http://www.wisec.it/sectou.php?id=4698ebdc59d15
Obviously I'm just kidding, every research is good research when you find it by yourself. BTW that finding gave me the chance to find an XSS and response splitting on Apache: http://www.mindedsecurity.com/MSA01150108.html and _I think_ it's still marked as "won't fix".

Cheers,
Stefano

On Tue, 02/06/2009 at 10.10 -0300, Andres Riancho wrote:
> List,
>
> Yesterday I found out a new trick, and I would like to share it with you ;)
>
> HTTP Request
> ========
>
> GET /backup HTTP/1.0
> Accept: foobar/xyz
> User-Agent: w3af
> Host: 192.168.150.2
> Connection: Close
>
> HTTP Response
> =========
>
> HTTP/1.1 406 Not Acceptable
> ...
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>406 Not Acceptable</title>
> </head><body>
> <h1>Not Acceptable</h1>
> <p>An appropriate representation of the requested resource /backup
> could not be found on this server.</p>
> Available variants:
> <ul>
> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
> </ul>
> <hr>
> <address>Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2
> PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
> Server at 192.168.150.2 Port 80</address>
> </body></html>
>
> In the response, please note these lines:
>
> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>
> And if we go to the webroot to verify...
>
> d...@brick:/var/www$ ls -la | grep backup
> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:02 backup.tgz
> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:03 backup.zip
> d...@brick:/var/www$
>
> This trick is really useful when finding (for example) backup files,
> because you won't need to ask for backup.zip, backup.7z, backup.bzip2,
> backup.tar.gz, etc. You just ask apache for the backup file, with an
> incorrect Accept header (please note Accept: foobar/xyz) and that's
> it, a list of given back to you.
>
> If this ain't new for you, sorry, but it was new for me =)
>
> I'm still thinking how I can use this trick in w3af, because I may use
> it as part of a discovery plugin, or maybe as an audit plugin that
> finds this as a vulnerability, and code an attack plugin that can
> exploit it to bruteforce new resources... hmmm... I still have to
> think. What do you guys think?
>
> Cheers,

_______________________________________________
W3af-users mailing list
https://lists.sourceforge.net/lists/listinfo/w3af-users
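Added example, not code from either post nor from w3af itself: a Python check that parses a 406 response like the one quoted above and reports the variant names mod_negotiation lists when MultiViews is enabled, which is the condition an audit plugin would flag on your own hosts. The sample response body is constructed from the quoted reply, and the remediation note assumes the standard Apache `Options -MultiViews` directive.

```python
import re

# Constructed sample: the 406 body from the list post, trimmed to the
# status line, one header and the "Available variants" listing.
SAMPLE_406 = """HTTP/1.1 406 Not Acceptable
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>406 Not Acceptable</title></head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /backup
could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>
</ul>
<hr>
</body></html>
"""

# One <li> per variant, exactly as mod_negotiation renders the listing.
VARIANT_RE = re.compile(
    r'<li><a href="([^"]+)">[^<]*</a>\s*,\s*type\s+([\w.+/-]+)</li>',
    re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP response (LF or CRLF) into (status_code, body)."""
    head, body = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    status_line = head.splitlines()[0]
    return int(status_line.split()[1]), body


def leaked_variants(raw):
    """Return [(filename, mime_type), ...] listed in a 406 body, or []
    when the response is not a 406 or carries no variant listing."""
    code, body = parse_response(raw)
    if code != 406 or "Available variants:" not in body:
        return []
    return VARIANT_RE.findall(body)


def finding(raw, resource):
    """Build an audit finding string, or None when nothing leaks."""
    variants = leaked_variants(raw)
    if not variants:
        return None
    names = ", ".join(name for name, _ in variants)
    return (f"{resource}: MultiViews lists {len(variants)} variant(s) "
            f"({names}); disable with 'Options -MultiViews' for that directory")


if __name__ == "__main__":
    print(finding(SAMPLE_406, "/backup"))
```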
