Andres, 2008/12/28 Andres Riancho <andres.rian...@gmail.com>: > List, > > Last Friday at the office one of the guys found a vulnerability in > a web application, the vulnerability was the classic > index.php?filename=/etc/passwd that let's you read the content of any > file given that you know it's location and apache has the correct > permissions to read it. > > After that, I slightly modified the attack.localFileReader plugin > from w3af in order to work as expected, and during the last hour I've > been playing with a nice idea, that I wanted to share. The idea is > pretty simple, but I haven't seen it implemented in any other > software. First of all, a small introduction to > attack.localFileReader: basically you only have one command, "cat", > which allows you to print the content of a file using a local file > inclusion/read vulnerability. Using that, I wanted to obtain a list of > files that may contain important information for me as a penetration > tester from the remote web server... so basically I added the "list" > command, that operates as follows: > > - cat a non existent file, and save the response > - cat a lot of common files, and compare them with the non existent > response, if they differ, then the file exists > - for all the files that I just found, parse them, and try to find > references to other files. For example, if I found out that > /etc/init.d/apache2 exists, and I parse it, I would obtain a list with > (for example) /bin/sh, /usr/sbin/apache2ctl, /usr/sbin/htcacheclean, > etc. > - for every reference found in any of the previous files, run the process > again. > > At first I thought that this would give me a few files out of the > ones I already know that were there, and that I would hit a dead end > after calling the method recursively one or two times. But I was > mistaken, and I'm happy to say it =) Here are some results: > > Recursion level 0, 15 unique files. > Recursion level 1, 37 unique files. > Recursion level 2, 60 unique files. > Recursion level 3, 1162 unique files. > Recursion level 4, 2903 unique files. > > I wanted to test it with a recursion level greater than 4, but it > took too much time. For those who are curious, see the attached file > for a run of the attack plugin. > > After finishing my implementation, I started to wonder... what > else could be achieved (in an automated fashion of course) using a > local file read vulnerability? Here are some ideas that I still have > to add to the plugin: > > - OS identification: Easy one, because you could just "cat > /etc/debian_version", and if it's there, you know it's debian and the > content of the file tells you what version you are using (some > problems with Ubuntu may arise).
Nice! Add other interesting files... #show the pre-login banner cat /etc/issue #pre-login banner for Linux network connections cat /etc/issue.net #display information about this server's implementation of UNIX to UNIX copy, cat /usr/spool/uucp/ERRLOG cat /var/spool/uucp/.Admin/errors cat /var/spool/.Status/system cat /usr/lib/uucp/USERFILE cat /etc/uucp/Permissions #show the contents of the ssh config cat ~/.ssh/* cat /etc/sshrc #userdb can override default security in HPUX cat /var/adm/userdb #list of users who cannot login in HPUX cat /etc/nologin #HPUX remote login restrictions cat /etc/securetty #for FreeBSD cat /etc/ttys #Provide the superuser's environment information cat ~root/.profile > - .htaccess and .htpasswd files that may contain weak hashes: For > every directory that the list command finds, we could request > /directory/.htaccess and /directory/.htpasswd . Too many requests? > Maybe request .ht* only for directories that contain "www" or "htdocs" > or something like that? > > Can you think about other interesting techniques that can be > applied to this vulnerability in order to gain more information about > the target server? Thanks for your input! > > Cheers, > -- > Andres Riancho > http://w3af.sourceforge.net/ > Web Application Attack and Audit Framework > > ------------------------------------------------------------------------------ > > _______________________________________________ > W3af-develop mailing list > W3af-develop@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/w3af-develop > > -- Martin Tartarelli Linux User #476492 http://owasp.org/index.php/Argentina -- ------------------------------------------------------------------------------ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
