
I have a question about a Local File Inclusion (LFI) vulnerability on a Windows system. When it's possible to download any file from the operating system (OS), which file should I download first?

I'm currently only aware of this vulnerability and have no further information about directory structure et cetera.

A few things came to my mind:

  • source code, potential information leaks about backends, configurations et cetera;
  • metabase.xml for IIS setups;
  • autoexec.bat in case there is anything juicy at startup.
Bob Ortiz
Chris Dale

2 Answers

To try to escalate, you could look for known versions of programs that are known to be vulnerable. You probably wouldn't need to download the whole thing, just enough to get the signature/version.

E.g. DLLs that would signal that an OS patch hasn't been applied. This would give you information you might want to launch another attack. (Or it would give you information that launching that attack would be useless and you should look elsewhere.)

bstpierre


Off-the-cuff stuff I could script:

  • Registry
  • SAM (these two require compromising at the kernel level -- leaving as a reference)
  • Active Directory DB
  • Browser histories & cookies
Jeff Ferland
  • Registry (hive) and SAM are protected, so you can't read them unless you log out of Windows, right? – Chris Dale Oct 17 '11 at 23:06
  • @Karrax very off-the-cuff answer. Yes, those are locked by the OS kernel and can't be read through normal FS access. – Jeff Ferland Oct 18 '11 at 16:06
  • Config files for any service applications would be useful too. For example, if it's running MySQL, you can grab my.ini to find the directory that contains the table data, then grab `user.frm`, `user.MYD` and `user.MYI` from the `mysql` table data directory. You can then use them to get the password hashes. Obviously this is just one example, the possibilities are endless in the case of software services. – Polynomial Oct 20 '11 at 18:52
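As an added, defensive example that is not part of this thread or any of its posters' code: the script below scans IIS W3C extended log lines for the kind of request an LFI download of the files discussed above would leave behind, so a defender can spot the attempts the question and Polynomial's comment describe. It flags `../` and `..\` traversal sequences (including double URL encoding), absolute drive paths passed as parameters, and references to the file names that appear in this thread (metabase.xml, autoexec.bat, my.ini, the MySQL `user.*` table files, SAM). The log lines, client addresses and the `download.asp` endpoint are constructed sample data, not real logs; only the W3C field names are the real format.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS W3C extended log (not real traffic). The #Fields header
# names the columns; each data line is one request.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2011-10-17 22:00:01 10.0.0.5 GET /index.asp page=home 80 - 203.0.113.7 200
2011-10-17 22:00:02 10.0.0.5 GET /download.asp file=..%5c..%5cwindows%5csystem32%5cinetsrv%5cmetabase.xml 80 - 203.0.113.7 200
2011-10-17 22:00:03 10.0.0.5 GET /download.asp file=%252e%252e%255c%252e%252e%255cautoexec.bat 80 - 203.0.113.7 404
2011-10-17 22:00:04 10.0.0.5 GET /download.asp file=reports/q3.pdf 80 - 198.51.100.2 200
2011-10-17 22:00:05 10.0.0.5 GET /download.asp file=C:\\mysql\\my.ini 80 - 203.0.113.7 200
"""

# ".." followed by either path separator, after decoding.
TRAVERSAL = re.compile(r"\.\.[\\/]")
# A parameter value that is an absolute Windows path such as C:\ or D:/.
ABSOLUTE_WIN_PATH = re.compile(r"^[A-Za-z]:[\\/]")
# Basenames (lower-cased) that this thread names as high-value LFI targets.
SENSITIVE_FILES = {
    "metabase.xml", "autoexec.bat", "my.ini",
    "user.frm", "user.myd", "user.myi", "sam",
}


def fully_decode(value, rounds=3):
    """URL-decode repeatedly (bounded) so %252e-style double encoding is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or header-less line; skip rather than guess
        yield dict(zip(fields, parts))


def classify_request(entry):
    """Return the list of reasons a request looks like a file-inclusion attempt."""
    reasons = []
    full_uri = fully_decode(entry["cs-uri-stem"] + "?" + entry["cs-uri-query"])
    if TRAVERSAL.search(full_uri):
        reasons.append("path traversal sequence")
    # Inspect each query parameter value on its own.
    for param in entry["cs-uri-query"].split("&"):
        if "=" not in param:
            continue
        _, value = param.split("=", 1)
        value = fully_decode(value)
        if ABSOLUTE_WIN_PATH.match(value):
            reasons.append("absolute Windows path in parameter")
        basename = re.split(r"[\\/]", value)[-1].lower()
        if basename in SENSITIVE_FILES:
            reasons.append(f"sensitive file reference: {basename}")
    return reasons


def scan_log(log_text):
    """Scan a W3C log and return one finding per suspicious request, in log order."""
    findings = []
    for entry in parse_w3c(log_text):
        reasons = classify_request(entry)
        if reasons:
            findings.append({
                "time": entry["date"] + " " + entry["time"],
                "client": entry["c-ip"],
                "status": entry["sc-status"],
                "uri": entry["cs-uri-stem"] + "?" + entry["cs-uri-query"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['status']} {f['uri']}")
        for r in f["reasons"]:
            print("    -", r)
```

Note that a 200 status on a flagged request is the signal worth escalating: it means the web application handed the file back, whereas the 404 on the autoexec.bat attempt only shows the probe. The decoder is bounded to three rounds so a crafted value cannot keep the loop busy, and the check runs on the decoded form of each parameter, since an alert that only matches the literal `../` misses the `%5c` and `%255c` variants in the sample.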