Tuesday, May 1, 2012

From LOW to PWNED [4] Browsable Directories


Post [4] Browsable Directories

"Index of" can be your friend, and the same goes for "web mirroring". Unfortunately, and also to the point of the talk/series, you have to go look at this crap. It's *usually* not important, stuff like the /icons/ directory in Apache.


But every now and then pure gold will show up, so you have to go look at it.

LOW?


So, some examples of browsable directories that were not /icons/ :-)


Yeah yeah, but real world?! So, story time: we were doing a PT, the site had SQL injection so we were able to pull down lots of data, but the sensitive stuff was *encrypted* so we were kinda stuck. Poking around further we found a directory with indexing enabled. What was there? A database backup and a site backup with the decryptMe PHP function along with the current encryption key :-) All from a "low" vulnerability.


CG

4 comments:

Anonymous said...

Excellent! All too often we as pen testers overlook such findings for various reasons (time limits, number of machines, etc). This is a great reminder that we need to look at the bigger picture.

jcran said...

Got any suggestions for better automated checks? -- absence of the word 'icons' -- keywords? -- number of directories available? -- types of files?

scanners with tiny humans inside?

CG said...

Excellent question... don't have an immediate answer for you though, jcran.

Ficti0n said...

Jcran, you could easily just set up a 10-line Python script to request a list of pages from your Nexpose scanner results on browseable directories. Then simply request the pages from the list and do a regex on the response. Just match on certain extensions such as doc, cfg, sql, php, aspx, backup, copy, etc. Then print out what was found, extension-wise.

This in my opinion isn't the greatest idea because a lot can still be missed, but it's better than not checking them at all. I feel browseable directories are usually just an open door half the time if you find them, so always worth manually checking.
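The triage Ficti0n describes, as an added example that is not from the post or any commenter: instead of fetching pages from scanner results it parses a constructed Apache autoindex page offline, skips the sort and parent links that every such listing contains, and reports the entries whose extension suggests a backup, config or source file. The host example.test, the sample listing and the extension list are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Extensions that deserve a human look when they show up in a listing (assumed set).
SENSITIVE_EXT = {"sql", "bak", "backup", "old", "copy", "zip", "tar.gz",
                 "cfg", "conf", "ini", "env", "php", "aspx", "doc", "xls"}

# Constructed sample of an Apache autoindex page (not a real site).
SAMPLE_LISTING = """<html><body><h1>Index of /backup</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="site_2012-04-30.tar.gz">site_2012-04-30.tar.gz</a></td></tr>
<tr><td><a href="db_dump.SQL">db_dump.SQL</a></td></tr>
<tr><td><a href="decryptMe.php.bak">decryptMe.php.bak</a></td></tr>
<tr><td><a href="logo.png">logo.png</a></td></tr>
<tr><td><a href="old/">old/</a></td></tr>
</table></body></html>"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def classify(href):
    """Return the sensitive extension an entry matches, or None."""
    path = urlparse(href).path
    # Skip autoindex sort links (?C=N;O=D), the parent link and subdirectories.
    if not path or path.endswith("/"):
        return None
    parts = path.rsplit("/", 1)[-1].lower().split(".")[1:]
    # Longest suffix first, so 'site.tar.gz' reports 'tar.gz', not 'gz'.
    for i in range(len(parts)):
        ext = ".".join(parts[i:])
        if ext in SENSITIVE_EXT:
            return ext
    return None

def find_sensitive_entries(html, base_url):
    """Return [(absolute_url, extension)] for entries worth manual review."""
    collector = LinkCollector()
    collector.feed(html)
    hits = [(urljoin(base_url, h), classify(h)) for h in collector.hrefs]
    return [(url, ext) for url, ext in hits if ext]
```

Running it over the sample reports the tarball, the SQL dump and the .bak copy of the PHP file, and nothing for the PNG or the subdirectory; a subdirectory hit is where you would recurse by fetching that listing too.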