Arbitrary File Access

server_side_attacks ssrfhr filepathtraversal ssrfqi flask_development_server

Multiple attacks may allow us to arbitrarily read or write files.

Interesting Files To Read πŸ€–

  • /etc/passwd, /etc/group: users and groups
  • /proc/self/environ: current process environment
  • /proc/self/status and /proc/self/cmdline: command
  • /etc/hosts, c:\windows\system32\drivers\etc\hosts: virtual hosts
  • /home/<username>/.bash_history: command history
  • /etc/crontab: cron tasks
  • /var/lib/dpkg/status and alternatives: installed packages
  • wp-config.php and application-specific configuration files
  • /etc/ssh/sshd_config: may contain usernames
  • /var/lib/dhcp/dhclient.leases: DHCP configuration

LocateDB may be present and in-use. We may use it to find interesting paths. Load any of them using locate -d ./xxxdb [...]:

  • /var/cache/locate/locatedb
  • /var/lib/mlocate/mlocate.db
  • /var/lib/plocate/plocate.db

Don't forget DNS-related files and DHCP lease files.

Interesting Files To Write 🐲

  • /etc/shadow, /etc/passwd: add/edit users
  • /etc/group: add/edit groups
  • /etc/sudoers: add/edit privileged users

Interesting Files To Know πŸ•·οΈ

These files almost always exist and return a known value:

  • /proc/sys/kernel/ostype: often contains Linux
  • /proc/sys/kernel/randomize_va_space: often contains 2
  • /sys/module/apparmor/parameters/enabled: often contains Y\n
  • /proc/sys/kernel/pid_max: often contains 32768/4194304
  • /sys/class/power_supply/BAT{n}/type: often contains Battery
  • /sys/class/tty/tty0/active: contains a value such as tty1
  • /sys/class/power_supply/AC{n}/online: contains either 0 or 1
  • /sys/class/net/eth0/type: contains 1?

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • default webserver roots
  • can be fuzzed
  • wordlists
    • default-web-root-directory-linux.txt
    • default-web-root-directory-windows.txt
    • SecLists LFI
    • /etc/php/X.Y/apache2/php.ini (web root)
    • /etc/php/X.Y/fpm/php.ini (web root)
  • C:\Windows\boot.ini
  • /usr/lib/python
  • /var/spool/cron/crontabs, /etc/crontab, /etc/cron.d/, /etc/cron.daily/, /etc/cron.hourly/, /etc/cron.weekly/, /etc/cron.monthly/
  • /etc/php/X.X/apache2/php.ini
  • /etc/apache2/sites-enabled/, /var/log/apache2/
  • /proc/net/arp, /sys/class/net/eth0/address, /proc/sys/kernel/random/boot_id, /proc/self/cgroup