PaulDotCom mailing list archives

Re: with full read access what would you read

From: Tim Krabec <tkrabec () gmail com>
Date: Tue, 2 Nov 2010 13:23:15 -0400

The ie & fd saved password lists. People are lazy. 

On Nov 2, 2010, at 12:52 PM, Robin Wood <robin () digininja org> wrote:

On a recent test I found a website with a directory traversal attack
that let me read any file. The server was Win 2003 and I read the
obvious win.ini and boot.ini. I then read the Administrators
desktop.ini to prove I could. I tried but couldn't read the registry
files (not expected but worth trying).

The web server was an unusual one, part of an app so I couldn't find
the web root. The IIS web root just had an "Under Construction" file
in it so nothing interesting in there.

So, without being able to do directory listings to see what is there,
what files would you read on this box and why?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

with full read access what would you read Robin Wood (Nov 02)
- Re: with full read access what would you read Tim Krabec (Nov 02)
- Re: with full read access what would you read Ryan Sears (Nov 02)
  - Re: with full read access what would you read Robin Wood (Nov 03)
- Re: with full read access what would you read Bill Swearingen (Nov 02)
- Re: with full read access what would you read Michael Dickey (Nov 03)
  - Re: with full read access what would you read Robin Wood (Nov 08)
- <Possible follow-ups>
- Re: with full read access what would you read d4ncingd4n (Nov 02)
  - Re: with full read access what would you read Robin Wood (Nov 03)