and the list gets bigger http://www.hansenb.pdx.edu/DMKB/dict/tutorials/mime_typ.php
On Tue, Jun 2, 2009 at 9:10 AM, Andres Riancho <[email protected]> wrote:
> List,
>
> Yesterday I found out a new trick, and I would like to share it with you ;)
>
> HTTP Request
> ========
>
> GET /backup HTTP/1.0
> Accept: foobar/xyz
> User-Agent: w3af
> Host: 192.168.150.2
> Connection: Close
>
> HTTP Response
> =========
>
> HTTP/1.1 406 Not Acceptable
> ...
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>406 Not Acceptable</title>
> </head><body>
> <h1>Not Acceptable</h1>
> <p>An appropriate representation of the requested resource /backup
> could not be found on this server.</p>
> Available variants:
> <ul>
> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
> </ul>
> <hr>
> <address>Apache/2.2.8 (Ubuntu) DAV/2 mod_python/3.3.1 Python/2.5.2
> PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
> Server at 192.168.150.2 Port 80</address>
> </body></html>
>
> In the response, please note these lines:
>
> <li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
> <li><a href="backup.zip">backup.zip</a> , type application/zip</li>
>
> And if we go to the webroot to verify...
>
> d...@brick:/var/www$ ls -la | grep backup
> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:02 backup.tgz
> -rw-r--r-- 1 dz0 dz0 0 2009-06-01 22:03 backup.zip
> d...@brick:/var/www$
>
> This trick is really useful when finding (for example) backup files,
> because you won't need to ask for backup.zip, backup.7z, backup.bzip2,
> backup.tar.gz , etc. You just ask apache for the backup file, with an
> incorrect Accept header (please note Accept: foobar/xyz) and that's
> it, a list of given back to you.
>
> If this ain't new for you, sorry, but it was new for me =)
>
> I'm still thinking how I can use this trick in w3af, because I may use
> it as part of a discovery plugin, or maybe as an audit plugin that
> finds this as a vulnerability, and code an attack plugin that can
> exploit it to bruteforce new resources... hmmm... I still have to
> think. What do you guys think?
>
> Cheers,
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>

--
Tom Brennan
OWASP Foundation
Url: www.owasp.org
Tel: 973-202-0122
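
For auditing your own server, the 406 body quoted above can be checked mechanically. The following is an added example, not code from the original post or from w3af; the function names, the extension list and the embedded sample (constructed from the response quoted in the message) are assumptions for illustration.

```python
import re
from html import unescape

# Constructed sample: the 406 body quoted in the message above, trimmed.
SAMPLE_STATUS = 406
SAMPLE_BODY = """<title>406 Not Acceptable</title>
<p>An appropriate representation of the requested resource /backup
could not be found on this server.</p>
Available variants:
<ul>
<li><a href="backup.tgz">backup.tgz</a> , type application/x-gzip</li>
<li><a href="backup.zip">backup.zip</a> , type application/zip</li>
</ul>"""

# One <li> per variant: link target, then ", type <mime>" (other
# attributes such as ", language en" may follow and are ignored).
VARIANT_RE = re.compile(
    r'<li>\s*<a href="([^"]+)">[^<]*</a>\s*,\s*type\s+([^\s<,]+)', re.I)

# Hypothetical list of extensions that should never sit in a webroot.
RISKY_EXT = (".tgz", ".zip", ".gz", ".7z", ".bak", ".old", ".sql")


def disclosed_variants(status, body):
    """Return [(filename, mime_type), ...] listed in a 406 variant list."""
    if status != 406 or "Available variants" not in body:
        return []
    listing = body.split("Available variants", 1)[1]
    return [(unescape(href), mime) for href, mime in VARIANT_RE.findall(listing)]


def findings(status, body):
    """Names of disclosed variants that look like backups or dumps."""
    return [name for name, _ in disclosed_variants(status, body)
            if name.lower().endswith(RISKY_EXT)]


if __name__ == "__main__":
    for name, mime in disclosed_variants(SAMPLE_STATUS, SAMPLE_BODY):
        flag = "REVIEW" if name in findings(SAMPLE_STATUS, SAMPLE_BODY) else "ok"
        print(f"{flag:6} {name} ({mime})")
```

The variant list in this response is produced by Apache's mod_negotiation when MultiViews is enabled; `Options -MultiViews` for the directory disables it, and files flagged here should be moved out of the webroot.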
