Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 09:53AM

Hi there...

I've found a path traversal bug on a huge Italian web application...

../../../../../../../../boot.ini permits me to take a look inside it :)

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server" /fastdetect

really good for now..but

if I try to "traverse" other things, with paths like
../../../../../../../../Windows/system.ini
or
../../../../../../../../Winwows/repair/sam

the response is different...

so strange..
there are actually no problems about cookies or sessions...I'm using the same session as the successful attack on boot.ini

let me know your thoughts about that guys

thanks

+++eat, fuck, hack+++
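Added example, not from the original thread or its posters: the server-side check that would have stopped the request shown in the post above. It percent-decodes the supplied path (repeatedly, so double encoding is caught), rejects NUL bytes, treats backslashes as separators the way IIS does, canonicalises the result and refuses anything that escapes the configured web root. The root directory /var/www/docs and the function name resolve_under_root are assumptions made for the demo.

```python
import os
import urllib.parse
from typing import Optional

# Assumed web root for the demo; the real application's root is not on the page.
WEB_ROOT = os.path.abspath("/var/www/docs")


def resolve_under_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path for user_path if it stays inside root, else None.

    Steps: percent-decode until stable (bounded, to catch %252e double encoding),
    reject NUL bytes, treat '\\' as a separator, strip leading slashes so the
    join cannot discard root, canonicalise with normpath, then require the
    result to be root itself or to start with root + separator.
    """
    decoded = user_path
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        # A NUL would let a C-level open() see a shorter name than we checked.
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.normpath(os.path.join(root, decoded))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # The traversal payloads from the thread and two benign requests.
    for p in ("../../../../../../../../boot.ini",
              "%2e%2e%2f%2e%2e%2finetpub%2fwwwroot%2fglobal%2easa",
              "..\\..\\WINNT\\system.ini",
              "pages/index.html",
              "pages/../index.html"):
        print(f"{p!r:60} -> {resolve_under_root(p)}")
```

The prefix check must run on the canonical path, not on the raw input: rejecting the literal string ".." is not enough once the attacker can encode it, and a bare startswith(root) without the separator would let /var/www/docs2 pass for a root of /var/www/docs.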

Re: Path traversal--strange behavior
Posted by: WhiteAcid
Date: November 18, 2007 09:56AM

../../../../../../../../Winwows/repair/sam
You have a typo there for starters. Did you perhaps try ..../win32/.... ? What if you load .../nofile. What's the error? Does it match the errors you're currently getting?

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Path traversal--strange behavior
Posted by: Reiners
Date: November 18, 2007 09:59AM

the directory on Win2000 is "WINNT" as far as I remember (take a look at the boot.ini again ;)

Re: Path traversal--strange behavior
Posted by: WhiteAcid
Date: November 18, 2007 10:09AM

sorry, that's what I meant to write :p
Boot.ini does indeed show that it is WINNT

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 10:11AM

fuck..
so fast replies guys..

thanks so much

I'm gonna try now!

stay tuned

+++eat, fuck, hack+++

Re: Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 10:15AM

ok using WINNT/repair/sam I got this:

regf

just this in a total blank page...

fuck..so strange..
I'm gonna try a little bit more

+++eat, fuck, hack+++

Re: Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 10:33AM

uuuu interesting guys

injecting ../../../../../../../../WINNT/system.ini I got this

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=app850.FON
EGA80WOA.FON=EGA80850.FON
EGA40WOA.FON=EGA40850.FON
CGA80WOA.FON=CGA80850.FON
CGA40WOA.FON=CGA40850.FON

it's so funny :)



trying SOMETHING LIKE
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2finetpub%2fwwwroot%2fglobal%2easa

gives me errors (I mean...the classic HTML application error page...)


any suggestions for any other interesting files?

+++eat, fuck, hack+++
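Added example, not part of the thread: application-layer detection over request parameter values, covering the percent-encoded form shown in the post above as well as double-encoded and backslash variants. It decodes until the value stops changing (bounded to three passes), unifies separators, counts ".." segments and flags every request that contains one or a NUL byte. The request records and IP addresses are constructed for the demo; the parameter name ONERROR is the one mentioned later in the thread. IIS itself logs only the query string, so a POST parameter like this has to be captured by the application or a reverse proxy for such a scan to see it.

```python
import urllib.parse
from typing import Dict, List, Tuple

# Constructed request records (not real log data) imitating an application-layer
# log that records POST parameter values. IPs are from documentation ranges.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"ip": "203.0.113.5", "param": "ONERROR", "value": "error.asp"},
    {"ip": "203.0.113.5", "param": "ONERROR", "value": "../" * 8 + "boot.ini"},
    {"ip": "203.0.113.5", "param": "ONERROR",
     "value": "%2e%2e%2f" * 8 + "inetpub%2fwwwroot%2fglobal%2easa"},
    {"ip": "198.51.100.9", "param": "ONERROR",
     "value": "..%255c..%255cWINNT%255csystem.ini"},
    {"ip": "198.51.100.9", "param": "page", "value": "shop/index.asp"},
]


def normalise(value: str) -> Tuple[str, int]:
    """Percent-decode until stable (max 3 passes) and unify separators.

    Returns the decoded string and how many passes changed it, so double
    encoding (%255c -> %5c -> backslash) is reported as passes == 2.
    """
    decoded, passes = value, 0
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded, passes = nxt, passes + 1
    return decoded.replace("\\", "/"), passes


def classify(value: str) -> Dict[str, object]:
    """Count '..' path segments in the decoded value and report encoding depth."""
    decoded, passes = normalise(value)
    dotdot = sum(1 for seg in decoded.split("/") if seg == "..")
    has_nul = "\x00" in decoded
    return {
        "decoded": decoded,
        "dotdot": dotdot,
        "encoded_passes": passes,
        "has_nul": has_nul,
        "suspicious": dotdot > 0 or has_nul,
    }


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return every record whose parameter value looks like traversal."""
    hits = []
    for rec in records:
        verdict = classify(rec["value"])
        if verdict["suspicious"]:
            hits.append({**rec, **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f'{hit["ip"]} {hit["param"]}={hit["value"]!r} -> '
              f'{hit["dotdot"]} x ".." after {hit["encoded_passes"]} decode pass(es)')
```

Counting segments after full decoding is what makes the rule robust: a single-pass decoder or a literal "../" string match misses the %252e and backslash forms, and the pass count is a useful severity signal on its own, since legitimate clients almost never double-encode a path.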

Re: Path traversal--strange behavior
Posted by: Reiners
Date: November 18, 2007 10:52AM

the SAM file starts with regf if you open it with notepad, but there's a lot of other crap behind it of course. I guess it gets cut off for some reason. Have you tried something like wget?
Other interesting files would be all kind of password files for applications running on this machine. Does it have a DBMS installed ?

Re: Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 11:00AM

I cannot try with wget because the ONERROR variable in which I put the path traversal is forwarded to the server through POST...

I'm pretty sure that the machine is using MS-SQL..even if I didn't find any ODBC errors for now...it's a big online shop...so for sure it is storing results in a db, maybe not on the same machine...don't know..

maybe some interesting files of IIS (version 5, I'm sure) or MS-SQL...

any suggestions to wget the file through a POST...?

+++eat, fuck, hack+++

Re: Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 11:38AM

I see that wget actually supports POST ..

I'm gonna try with it...

not so easy but seems the only chance to retrieve the sam file in a safe way :)

+++eat, fuck, hack+++

Re: Path traversal--strange behavior
Posted by: WhiteAcid
Date: November 18, 2007 11:56AM

Firefox should have seen the whole file. I don't think you'll get something in wget you didn't in Firefox (don't forget view source though, in case the text was rendered as HTML and not all visible on the page).

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Path traversal--strange behavior
Posted by: euronymous
Date: November 18, 2007 12:05PM

well actually it is a really weird thing...

nothing changes if I see the source code..

watching the response in hexadecimal format:
00000000 72 65 67 66 0d regf

strange because WhiteAcid..you're right...if I try to open my sam file with Firefox, I get a download popup...

weeeeeeeeeeeeeeeird

I'm starting to have a headache ...:(

+++eat, fuck, hack+++
