Tomas, Andrés, List,

Hi everyone.
I've been using w3af for a while now, but this is my first post. Here it
goes.

On Mon, Oct 15, 2012 at 8:33 PM, Tomas Velazquez <tomas.velazqu...@gmail.com> wrote:

> Andres,
>
> Your ideas seem great! Maybe this plugin should be two plugins.
>

I agree. There are different issues with 8.3 files, and different aspects
to be exploited.


> A grep plugin doing detection and a crawl plugin doing brute force.
>
>
As Tomas' plugin shows, it could be possible to actually list all the files
that have an 8.3 alias, if the web server is properly "mis"configured (i.e.
it accepts *, : and ~ in the path portion of the URL). It could be possible
to see through protected dirs by adding the ADS ::$Index_Allocation after the
dir name, as in [1] (this is missing in the plugin, but should be relatively
easy to add). As a bonus, you could get listing access to app_data, which
is supposedly inaccessible from browsers!!! This technique works for IIS;
I haven't tried it on other servers.

The technique works as follows:

get *~1.*   (not found)
get *~2.*   (found)
get a*~2.*   (not found)
get b*~2.*   (found)
get ba*~2.*   (found)
get baa*~2.*   (not found)
...
get backup*~2.a   (not found)
...
get backup*~2.zip   (found -> keep reference for further use)
get z~9.* (not found)

Having listed all the aliases found may be useful. For instance, in
post-exploitation, you could directly access a file by its 8.3 alias from
the server itself (useful if you gained read access but not dir listing).

> I would like to remind people of the list that requests with short names
> are invalid; we need the full filename! And the obvious solution to
>

This is quite right for IIS.

But apparently it could be possible to actually retrieve files addressed by
8.3 aliases in other web servers running on Windows, at least in vulnerable
versions (according to [2] and [3]). I'm not sure how many of them are used
in production environments, though, but even if chances are low, it would
be interesting to check.

There is an extra "feature" of 8.3 aliases mentioned in [3] that is really
interesting. If you can upload a file with an arbitrary innocuous
extension, let's say [file.phpxxx], and if you can then access this file
from the browser using its 8.3 alias, guess what: it appears that you could
end up exec'ing [file~1.php]... (haven't tried yet, but it seems very
interesting). This doesn't work in IIS, but could in vulnerable versions
of the web servers reported by Core, and perhaps in Apache...


> find filenames is brute force. Maybe we need a new function that
> searches all dictionaries of w3af and return the words that could
> match short names.
>
>
If the content of the w3af dictionaries (long file names) was already
checked, I'm not sure if it could be possible to extract useful info from
them to find the long names of 8.3 aliases. But they could be useful to find
8.3 aliases by trying specific names, in case the *~1 listing didn't work.

Names leaked in error messages are useful. Maybe the user performing the
test has some extra data to figure out the actual long names. Searching the
web may be of help, but I'm not too confident on that.

Best,
Alejandro

[1]
http://soroush.secproject.com/downloadable/iis_tilde_shortname_disclosure.txt

http://soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf

[2]
http://www.acunetix.com/blog/web-security-zone/articles/windows-short-8-3-filenames-web-security-problem/

[3]
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=advisory&name=Multiple_Vulnerabilities_with_8.3_Filename_Pseudonyms_in_Web_Servers
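The wildcard walk sketched above (get *~1.*, then a*~1.*, b*~1.*, ..., then
the extension one character at a time) is a depth-first search over the 8.3
namespace. The following is an added example written by the editor; it is
not Tomas' plugin, not w3af code, and not from the referenced advisories.
It runs offline against a constructed mock of an IIS directory: MockIIS,
short_name, CHARSET and the file list are all assumptions made for the
example (the mock's 8.3 generation is a simplification of the real NTFS
rules, and the mock answers found/not found directly where a real probe
would send an HTTP request for the wildcard path and interpret the server's
response). The enumeration itself is the general form of the procedure in
the message: it handles all nine ~n counters, names shorter than six
characters, and files with no extension.

```python
import fnmatch

# Characters tried at each position of the name and extension.
# Assumption: a reduced subset of what NTFS allows in an 8.3 name,
# enough for the constructed sample below.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

# Constructed sample directory (assumption, not taken from any real server).
SAMPLE_FILES = [
    "index.html",
    "Default.aspx",
    "web.config",
    "backup_2012-10-15.zip",
    "backup_old.zip",
    "connectionstrings.config",
    "readme.txt",
]


def short_name(long_name, taken):
    """Simplified 8.3 generation for the mock. Assumption: real NTFS rules
    differ in details (which characters are stripped, how ~n is assigned).
    Returns None when the long name already fits the 8.3 form."""
    if "." in long_name:
        stem, _, ext = long_name.rpartition(".")
    else:
        stem, ext = long_name, ""
    if len(stem) <= 8 and len(ext) <= 3:
        return None
    base = "".join(c for c in stem.upper() if c in CHARSET)[:6]
    ext3 = "".join(c for c in ext.upper() if c in CHARSET)[:3]
    n = 1
    while True:  # bump ~n until the alias is unique, as Windows does
        cand = f"{base}~{n}" + (f".{ext3}" if ext3 else "")
        if cand not in taken:
            taken.add(cand)
            return cand
        n += 1


class MockIIS:
    """Stand-in for a web server that accepts * and ~ in the path.
    probe(pattern) answers True when any 8.3 alias matches the wildcard."""

    def __init__(self, long_names):
        self.short = {}
        taken = set()
        for name in long_names:
            alias = short_name(name, taken)
            if alias:
                self.short[alias] = name
        self.requests = 0  # number of probes, i.e. HTTP requests a real run would send

    def probe(self, pattern):
        self.requests += 1
        # CHARSET contains no fnmatch metacharacters, so the only wildcard is our '*'
        return any(fnmatch.fnmatchcase(alias, pattern.upper()) for alias in self.short)


def enumerate_short_names(probe, charset=CHARSET, max_tilde=9):
    """Recover every 8.3 alias visible through probe(), one character at a time."""
    found = []

    def extend_ext(name, n, ext):
        stem = f"{name}~{n}"
        candidate = stem + (f".{ext}" if ext else "")
        if probe(candidate):  # exact match: full alias recovered (or no extension)
            found.append(candidate)
        if len(ext) >= 3:
            return
        for c in charset:
            if probe(f"{stem}.{ext}{c}*"):
                extend_ext(name, n, ext + c)

    def extend_name(prefix, n):
        # "prefix~n*" without a wildcard before the tilde means the name part is complete
        if prefix and probe(f"{prefix}~{n}*"):
            extend_ext(prefix, n, "")
        if len(prefix) >= 6:  # 8.3 name part never exceeds six characters before ~n
            return
        for c in charset:
            if probe(f"{prefix}{c}*~{n}*"):
                extend_name(prefix + c, n)

    for n in range(1, max_tilde + 1):
        if probe(f"*~{n}*"):  # any alias with this counter at all?
            extend_name("", n)
    return sorted(found)


if __name__ == "__main__":
    server = MockIIS(SAMPLE_FILES)
    for alias in enumerate_short_names(server.probe):
        print(alias, "->", server.short[alias])
    print(server.requests, "probes")
```

The request counter is the practical caveat: even with this reduced
charset the walk costs a few thousand probes for six aliases, so against a
real server the plugin should keep the recovered aliases (the "keep
reference for further use" step above) rather than re-walking the tree.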
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop