Exposure of Vulnerable Backup Files on Server.


AKS aka 0kn0ck, CERA

View:
Taking backups is rightly considered one of the best practices of system administration. However, it has been seen many times that administrators create a backup copy of a file and leave it on the web server with the same access permissions as every other file. This is a matter of great concern, because such backup files can be crawled easily, leaking an enormous amount of information about the web server and the configuration of its applications. It is a basic problem of poor web administration: the backup files simply remain on the web server. All of this serves as a base for information gathering and for probing the security posture of the web server. The server-side code of ASP and PHP pages can be read directly, which results in server-side source code leakage.

Note: All the information presented below was extracted during penetration tests on real targets. Only a generalised flow of information is presented, enough to explain the concept itself.

Error Check 1: Browsable Directory Listing Information.
Index (8 files)
^ [Parent Directory]
Name 					Type 	Size 		Last Modified
adult (5 Files) 				24.06 KB 		February 27 2008 08:52:40
aim (4 Files) 					154.74 KB 		September 24 2007 12:00:20
area51 (6 Files) 				28.12 KB 		March 26 2008 08:31:07
images (8 Files) 				167.63 KB 		September 24 2007 12:09:44
ipaddress (6 Files) 				11.65 KB 		March 03 2008 03:29:46
livejournal (483 Files) 			56.67 MB 		March 09 2008 01:18:28
portal (16 Files) 				31.21 KB 		March 07 2008 09:44:12
index.php.old 	old 				22.27 KB 		September 25 2007 02:12:05
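An added example (not part of the original write-up) showing how a defender can check for the pattern in the listing above: on a server that maps handlers by the final extension only, `index.php.old` is served as a plain file and the inner `.php` source is disclosed (Error Check 8 below shows the other failure mode, where the `.old` copy is still executed and its warnings leak filesystem paths). The script classifies backup-style names and scans Apache-style access log lines for requests that fetched them; the extension and suffix lists, the log lines and the client address are assumptions constructed for the example.

```python
import re

# Extensions the application server executes (assumed list, not from the page).
# A backup copy whose final extension is something else is served as a plain file.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "asp", "aspx", "cfm", "jsp"}
# Suffixes editors and admins leave behind (assumed list, not from the page).
BACKUP_SUFFIXES = {"old", "bak", "orig", "save", "swp", "copy", "tmp"}

def backup_leak(path):
    """Return (is_backup, leaked_ext): is_backup is True for backup-style names;
    leaked_ext is the script extension a static-file handler would disclose."""
    name = path.rsplit("/", 1)[-1].lower()
    if name.endswith("~"):                       # editor backup such as nav.php~
        parts = name[:-1].split(".")
    else:
        parts = name.split(".")
        if len(parts) < 2 or parts[-1] not in BACKUP_SUFFIXES:
            return (False, None)
        parts = parts[:-1]                       # strip the backup suffix
    leaked = parts[-1] if parts and parts[-1] in SCRIPT_EXTS else None
    return (True, leaked)

# Apache combined log: method, request path and status are all we need.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_access_log(lines):
    """Return (path, status, leaked_ext) for each request of a backup-named
    file; a 200 means the server really handed the copy out."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        is_backup, leaked = backup_leak(path)
        if is_backup:
            hits.append((path, int(m.group("status")), leaked))
    return hits

# Constructed sample log lines; the client address and paths are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Mar/2008:01:18:28 +0000] "GET /pics/index.php.old HTTP/1.1" 200 22270 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Mar/2008:01:18:29 +0000] "GET /pics/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Mar/2008:01:18:30 +0000] "GET /config.inc.php4.bak HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Mar/2008:01:18:31 +0000] "GET /output/nav.php~ HTTP/1.1" 200 900 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for path, status, leaked in scan_access_log(SAMPLE_LOG):
        print(status, path, "leaks:", leaked or "non-source backup")
```

The same classifier can be run over a webroot listing before deployment; any hit with a leaked extension is a file to delete or move outside the document root.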

Error Check 2: Referrer Check Information - Code Extraction.
<?
$referer = strtolower($_SERVER['SERVER_NAME']);
$querystring = $_SERVER['QUERY_STRING'];

switch( $referer ) {
	case 'rohwedder.com':
	case 'www.rohwedder.com':
	case 'rohwedder-ag.com':
	case 'www.rohwedder-ag.com':
	case 'fatec-ltd.com':
	case 'www.fatec-ltd.com': Header("Location: /rw_html/index.php?lang=en");
	break;
	case 'www.rohwedder.de':
	case 'rohwedder.de':	Header("Location: /rw_html/index.php?lang=de");
	break;
	case 'outimex.pl':
	case 'www.outimex.pl':	Header("Location: /outimex.pl/index.html");
	break;
								//Header("Location: http://rohwedder.interstruct.com/index.php?lang=en"); break;
	default:			Header("Location: http://www.interstruct.com");break;
}
echo $referer;
?>

Error Check 3: Website Linking Information.
<a href="http://www.cleancities-pittsburgh.net/forum/1/index.htm">Anti-Depressant</a>
<a href="http://www.cleancities-pittsburgh.net/forum/1/Wellbutrin-SR.htm">Wellbutrin SR</a>
<a href="http://www.cleancities-pittsburgh.net/forum/1/Effexor.htm">Effexor</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/index.htm">Cialis</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/Generic-Cialis.htm">Generic Cialis</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/viagracialis.htm">viagra+cialis</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/Tadalafil.htm">Tadalafil</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/buy-cialis-online.htm">buy cialis online</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/cialis-levitra-viagra.htm">cialis levitra viagra</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/cialis-generic.htm">cialis generic</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/buy-cialis-now.htm">cialis/buy cialis now</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/buy-cialis-discount.htm">buy cialis discount</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/cialis-levitra-vs.htm">cialis levitra vs</a>
<a href="http://www.cleancities-pittsburgh.net/forum/cialis/cialis-levitra-viagra-vs.htm">Cialis levitra viagra vs</a>
<a href="http://www.cleancities-pittsburgh.net/forum/2/index.htm">Anti Depressant</a>
<a href="http://www.cleancities-pittsburgh.net/forum/3/index.htm">Anti-Depressant</a>
<a href="http://www.cleancities-pittsburgh.net/forum/4/index.htm">Anti-Depressant</a>

Error Check 4: Database Queries Related to Event Handlers.
<cfquery name="GetEvents" datasource="scavenger">

	SELECT *
	FROM Events
	WHERE Active = 1
	ORDER BY EventTitle

</cfquery>
Error Check 5: GET/POST Calls - Code Extraction.
<? if( !$_GET["page"] && !$_POST["page"] ) header("Location: index.php?page=Home&pw=none"); ?>

<? require("lib/connection.php"); ?>

<? if( !$_GET["page"] && $_POST["page"] ) $_GET["page"] = $_POST["page"]; ?>

<? if( $_GET["del"] ) {

    $sql = "delete from zentrumcontent where id = '".$_GET["del"]."'";
    $res = mysql_query($sql,$conn);

} ?>

Error Check 6: GET/POST with MySQL Interface: Plethora of Information.

 if( $_POST["add"] ) {
     $sql = "insert into zentrumcontent values(null,'".$_POST["seite"]."','".$_POST["menüpunkt"].
     $res = mysql_query($sql,$conn);
 }

 if( $_POST["edit"] || $_POST["butcha"] ) {
 	   $sql = "update zentrumcontent set longlink = '".$_POST["menüpunkt"]."' where id = '".$_GET["edit"]."'";
 	   $res = mysql_query($sql,$conn);
 	   $sql = "update zentrumcontent set orderid = '".$_POST["orderid"]."' where id = '".$_GET["edit"]."'";
 	   $res = mysql_query($sql,$conn);
 	   $orderid = $_POST["orderid"];
     $sql ="select * from zentrumcontent where id = '".$_GET["edit"]."'";
     $res = mysql_query($sql,$conn);
     while( $row = mysql_fetch_object($res,$conn) ) {
      $button = $row->longlink;
      $orderid = $row->orderid;
     }

 }

 $sql = "select * from zentrumcontent order by orderid asc";
 $res = mysql_query($sql,$conn);

 if( $_GET["page"] != "Home" ) { ?>

<? while( $row = mysql_fetch_object($res) ) {
	 if( !$row->longlink ) {
	 	$row->longlink = $row->seite;
	 }
	 if( $row->seite == $_GET["page"] ) $rcontent = $row->content;


if( $_GET["pw"] && $_GET["pw"] == $pw && $_GET["page"] != "Home" )
<? } else if( $_GET["page"] != "Home" ) { ?>
 </table>
<? } else { ?> </td> <? } ?> <td valign="top" height="410px" width="440px">
<? } else if ( $_GET["page"] != "Kurtermine" ) {
	$wysiwyg = true;
	if( $_POST["orig"] ) {
		$sql = "select * from zentrumcontent where seite like '".$_GET["page"]."'";
		$res = mysql_query($sql,$conn);
		$row = mysql_fetch_object($res,$conn);
		$sql = "update zentrumcontent set content = '".$_POST["seiteninhalt"]."' where id = '".$row->id."'";
		$res = mysql_query($sql,$conn);
	}
	if( !$_POST["page"] ) $_POST["page"] = $_GET["page"];
	if( !$_GET["page"] ) $_GET["page"] = $_POST["page"];
	$sql = "select * from zentrumcontent where seite='".$_GET["page"]."'";
	$res = mysql_query($sql,$conn);
	$err = " No page loaded ... ".$_GET["page"]."???
	if( mysql_num_rows($res) < 1 ) die($err);
	while( $row = mysql_fetch_object($res,$conn) ) {
		$content = $row->content;
	}
	if( !$written ) {
		echo $rcontent;
		$written = true;
Error Check 7: FTP Directory Information and Contents.
/ftparch/languages/apl/workspaces/pp:
total 1076
-rw-r--r--   1  aplmaint   89133 Feb  7  1994 mcguiness.tar.Z
-rw-r--r--   1  aplmaint    7989 Jul 13  1992 pp3st.zoo
-rw-r--r--   1  aplmaint     698 Apr 15  1992 whats_new
-rw-r--r--   1  aplmaint   37469 Apr 15  1992 pp3ibm.pduue
-rw-r--r--   1  aplmaint   27120 Apr 15  1992 pp3ibm.apltf
-rw-r--r--   1  aplmaint    8490 Apr 15  1992 pp3doc.tex
-rw-r--r--   1  aplmaint   49509 Apr 15  1992 pp3.pp
-rw-r--r--   1  aplmaint   39823 Apr 15  1992 pp3.aws
-rw-r--r--   1  aplmaint   27962 Apr 15  1992 pp3.atf
-rw-r--r--   1  aplmaint   82640 Apr 15  1992 pp3.aplwsv2
-rw-r--r--   1  aplmaint   75448 Apr 15  1992 pp3.apl
-rw-r--r--   1  aplmaint   51470 Apr 15  1992 PP3MACWS
-rw-r--r--   1  aplmaint   22960 Apr 15  1992 PP3MACTF
-rw-r--r--   1  aplmaint   23524 Apr 15  1992 PP3DYWS

/ftparch/languages/apl/tryapl2:
total 1358
-rw-r--r--   1  aplmaint    1420 May 10  1995 readme
-rw-r--r--   1  aplmaint    2575 Mar  1  1994 product.announce.Z
-rw-r--r--   1  aplmaint     850 Mar 19  1992 ordering.apl2.Z
-rw-r--r--   1  aplmaint     933 Feb  1  1992 tryapl2.readme.Z
-rw-r--r--   1  aplmaint  675135 Dec  7  1991 tryapl2.exebin

/ftparch/languages/apl/i-apl:
total 2316
-rw-r--r--   1  aplmaint  362593 Nov 14  1996 I-APL.sit
-rw-r--r--   1  aplmaint     726 Nov 14  1994 readme
-rw-r--r--   1  aplmaint   60434 Nov 14  1994 source.zip
-rw-r--r--   1  aplmaint   63663 Nov 14  1994 porter.zip
-rw-r--r--   1  aplmaint  149693 Nov 14  1994 iapl111.zip
-rw-r--r--   1  aplmaint  137112 Jul 14  1992 atari_st.zoo
-rw-r--r--   1  aplmaint  189920 Mar 30  1991 iapl111.arc
-rw-r--r--   1  aplmaint   84398 Oct 23  1989 porter.arc
-rw-r--r--   1  aplmaint   80548 Aug 29  1989 source.arc

/ftparch/languages/apl/sharp.apl:
total 2486
-rw-r--r--   1  aplmaint     834 Apr 18  2000 index.html
-rw-r--r--   2  aplmaint     384 Apr 17  2000 note
-rw-r--r--   2  aplmaint     384 Apr 17  2000 note.txt
-rw-r--r--   1  aplmaint  337105 Apr 17  2000 saplpc.zip
-rw-r--r--   1  aplmaint  444663 Apr  4  1988 saplpc.zoo
-rw-r--r--   1  aplmaint  450368 Apr  2  1988 saplpc.arc

/ftparch/languages/apl/fonts:
total 18
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 latex
drwxr-xr-x   4  aplmaint     512 Aug 12  2000 apl2ital
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 cmapl10
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 PostScript
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 2741
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 X-Windows
drwxr-xr-x   5  aplmaint     512 Aug 12  2000 TeX
-rw-r--r--   1  aplmaint    1042 Feb  3  1998 texput.log

/ftparch/languages/apl/fonts/latex:
total 350
-rw-r--r--   1  aplmaint   46822 Feb  3  1998 bernecky.gz
-rw-r--r--   1  aplmaint   85118 Feb  3  1998 bernecky.msg
-rw-r--r--   1  aplmaint     936 Feb  3  1998 index.html
-rw-r--r--   1  aplmaint   43966 Feb  2  1998 saxpsa.zip
-rw-r--r--   1  aplmaint     420 Feb  2  1998 read.me

/ftparch/languages/apl/fonts/apl2ital:
total 4
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 truetype
drwxr-xr-x   2  aplmaint     512 Aug 12  2000 tex

/ftparch/languages/apl/fonts/apl2ital/truetype:
total 368
-rw-r--r--   1  aplmaint  101729 Aug 29  1994 apl2ital.uue
-rw-r--r--   1  aplmaint   73724 Aug 29  1994 apl2ital.ttf

/ftparch/languages/apl/fonts/apl2ital/tex:
total 184
-rw-r--r--   2  aplmaint     162 Sep 29  1994 note
-rw-r--r--   2  aplmaint   91930 Sep 29  1994 apl2ital.zip
-rw-r--r--   2  aplmaint     711 Sep 29  1994 readme

/ftparch/languages/apl/fonts/cmapl10:
total 110
-rw-r--r--   1  aplmaint     573 Jul 29  1993 from.Sirlin
-rw-r--r--   1  aplmaint     764 Jul 20  1993 cmapl10.tfm
-rw-r--r--   1  aplmaint   11900 Jul 20  1993 cmapl10.746pk
-rw-r--r--   1  aplmaint    5540 Jul 20  1993 cmapl10.360pk
-rw-r--r--   1  aplmaint    6636 Jul 20  1993 cmapl10.432pk
-rw-r--r--   1  aplmaint    8168 Jul 20  1993 cmapl10.518pk
-rw-r--r--   1  aplmaint    9856 Jul 20  1993 cmapl10.622pk
-rw-r--r--   1  aplmaint    4684 Jul 20  1993 cmapl10.300pk
-rw-r--r--   1  aplmaint    5056 Jul 20  1993 cmapl10.329pk
Error Check 8: Functional Errors

 	Home 		Full image info

 arteee.net > pics album(44)

 Warning: getimagesize() [function.getimagesize]: Unable to access Obrázek(15).jpg in /DISK3/WWW/arteee.net/pics/index.php.old on line 243
 Warning: getimagesize(Obrázek(15).jpg) [function.getimagesize]: failed to open stream: No such file or directory in /DISK3/WWW/arteee.net/pics/index.php.old on line 243
 Warning: filesize() [function.filesize]: stat failed for Obrázek(15).jpg in /DISK3/WWW/arteee.net/pics/index.php.old on line 131
 Warning: getimagesize() [function.getimagesize]: Unable to access Obrázek(50).jpg in /DISK3/WWW/arteee.net/pics/index.php.old on line 243
 Warning: getimagesize(Obrázek(50).jpg) [function.getimagesize]: failed to open stream: No such file or directory in /DISK3/WWW/arteee.net/pics/index.php.old on line 243
 Warning: filesize() [function.filesize]: stat failed for Obrázek(50).jpg in /DISK3/WWW/arteee.net/pics/index.php.old on line 131
 Warning: getimagesize() [function.getimagesize]: Unable to access Obrázek(52).jpg in /DISK3/WWW/arteee.net/pics/index.php.old on line 243
 Warning: getimagesize(Obrázek(52).jpg) [function.getimagesize]: failed to open stream: No such file or directory in /DISK3/WWW/arteee.net/pics/index.php.old on line 243
 Warning: filesize() [function.filesize]: stat failed for Obrázek(52).jpg in /DISK3/WWW/arteee.net/pics/index.php.old on line 131


 Warning: main(portalfmei/functions.inc.php) [function.main]: failed to open stream: No such file or directory in /home/httpd/html/feb2008.index.php.old on line 2

 Warning: main() [function.include]: Failed opening 'portalfmei/functions.inc.php' for inclusion (include_path='.:/php/includes:/home/httpd/html/fmeinet5/includes:/home/httpd/html/fmeinet5/includes/class') in /home/httpd/html/feb2008.index.php.old on line 2

 Fatal error: Call to undefined function set_lang() in /home/httpd/html/feb2008.index.php.old on line 5


 Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /data/www/3261/htdocs/index.php.old on line 9

 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /data/www/3261/htdocs/index.php.old on line 10

 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /data/www/3261/htdocs/output/nav.php on line 16

 Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /data/www/3261/htdocs/output/nav.php on line 17

 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /data/www/3261/htdocs/output/nav.php on line 47


Error Check 9: Session Setup Code: PHP

<?php
session_start();
#session_save_path (/tmp);
$sesid = session_id();
$vorhanden = 0;

ipcontrol($REMOTE_ADDR);
$ippv = ipvorhanden($REMOTE_ADDR);
if ($ippv != 1) {
ipnichtvorhanden($REMOTE_ADDR);
}


	$dat_array = getdate();
	require("config.inc.php4");
	if ( ! $link )
	  die( "Keine Verbindung zu MySQL" );
	mysql_select_db( $db, $link )  or die ( "Konnte Datenbank \"$db\" nicht öffnen: ".mysql_error() );
	$yeartable = evolutionstatist.$dat_array[year];
	$heute = $dat_array[month];
	if ($ippv == 0)
		{
		$aendern = mysql_query("UPDATE $yeartable SET $heute=$heute+1 where tag LIKE '$dat_array[mday]'");
		$aendern = mysql_query("UPDATE $yeartable SET $heute=$heute+1 where tag LIKE '32'");
		$aendern = mysql_query("UPDATE evolutionbesucher SET werte=werte+1 where jahr LIKE 'alle'");
		}
	$zeile = mysql_query("SELECT * FROM evolutionbesucher where jahr LIKE 'alle'");
	$datensatz = mysql_fetch_array($zeile);
	$heuten = $datensatz[werte];
	mysql_close( $link );

	#echo "$heuten u $dat_array[year]";

function ipcontrol ($ipadr)
{

	$dzeit = time();
	$zeit = time()+1500;
	$fp = fopen ("iplog3.txt" , "r");
	while (!feof($fp))
	{
    	$bruffer = fgets($fp,150);
	$bzeile = split ("\|", $bruffer);
		if ($bzeile[1] > $dzeit)
		{
		$altstring = $altstring."$bruffer";
		}
   	}


	fclose ($fp);
	$fpo = fopen ("iplog3.txt" , "w");
	fwrite ( $fpo, "$altstring");
	fclose($fpo);
}

function ipvorhanden ($ipvadr)
{
	$fp = fopen ("iplog3.txt" , "r");
	while (!feof($fp))
	{
    	$bruffer = fgets($fp,150);
	$bzeile = split ("\|", $bruffer);
		if ($bzeile[0] == $ipvadr)
		{
		$vorhanden = 1;
		return $vorhanden;
		}
   	}

}

function ipnichtvorhanden ($ipnvadr)
{
	$zeit = time()+1500;
	$fp = fopen ("iplog3.txt" , "a");
	fwrite ( $fp, "$ipnvadr|$zeit|\n");
	fclose($fp);
}



?>

Error Check 10 : Website Redirection Code Information.

<%if not(request.querystring)="" then

	redirect=request.querystring

	Set MyConn=Server.CreateObject("ADODB.Connection")
	MyConn.Open "PROVIDER=SQLOLEDB;" & _
	application("jdbmain_ConnectionString")
	SQL="Select tsjdbwebsite as jdburl from supplier where tssuppliercode ='" &redirect&"'"

	Set SQLRS=MyConn.Execute(SQL)
	if SQLRS.EOF then
		if session("iata")="" or isnull(session("iata")) then
            session("iata")=request.QueryString("iata")
			response.write iata
        end if
		response.redirect "http://"&Request.ServerVariables("SERVER_NAME")

	else
		response.redirect "http://"&Request.ServerVariables("SERVER_NAME")&SQLRS("jdburl")
	end if

<%else%>

So, based on this pattern of finding vulnerable backup files on a web server, a tester or an attacker can leverage a bundle of information.