From b20cdde4d917b874d19fe8b1f5f7baf0ef5fb50f Mon Sep 17 00:00:00 2001
From: Swissky
Date: Fri, 3 Aug 2018 17:56:29 +0200
Subject: [PATCH] Adding soffensive's windowsblindread file

---
 .../Intruders/windows-files.txt | 192 ++++++++++++++++++
 File Inclusion - Path Traversal/README.md | 31 ++-
 2 files changed, 221 insertions(+), 2 deletions(-)
 create mode 100644 File Inclusion - Path Traversal/Intruders/windows-files.txt

diff --git a/File Inclusion - Path Traversal/Intruders/windows-files.txt b/File Inclusion - Path Traversal/Intruders/windows-files.txt
new file mode 100644
index 00000000..3626c2b1
--- /dev/null
+++ b/File Inclusion - Path Traversal/Intruders/windows-files.txt
@@ -0,0 +1,192 @@
+C:/MININT/SMSOSD/OSDLOGS/VARIABLES.DAT
+c:/$recycle.bin/s-1-5-18/desktop.ini
+c:/apache/log/access.log
+c:/apache/log/access_log
+c:/apache/log/error.log
+c:/apache/log/error_log
+c:/apache/logs/access.log
+c:/apache/logs/access_log
+c:/apache/logs/error.log
+c:/apache/logs/error_log
+c:/apache/php/php.ini
+c:/apache2/log/access.log
+c:/apache2/log/access_log
+c:/apache2/log/error.log
+c:/apache2/log/error_log
+c:/apache2/logs/access.log
+c:/apache2/logs/access_log
+c:/apache2/logs/error.log
+c:/apache2/logs/error_log
+c:/boot.ini
+c:/documents and settings/administrator/desktop/desktop.ini
+c:/documents and settings/administrator/ntuser.dat
+c:/documents and settings/administrator/ntuser.ini
+c:/home/bin/stable/apache/php.ini
+c:/home2/bin/stable/apache/php.ini
+c:/inetpub/logs/logfiles
+c:/inetpub/wwwroot/global.asa
+c:/inetpub/wwwroot/index.asp
+c:/inetpub/wwwroot/web.config
+c:/log/access.log
+c:/log/access_log
+c:/log/error.log
+c:/log/error_log
+c:/log/httpd/access_log
+c:/log/httpd/error_log
+c:/logs/access.log
+c:/logs/access_log
+c:/logs/error.log
+c:/logs/error_log
+c:/logs/httpd/access_log
+c:/logs/httpd/error_log
+c:/mysql/bin/my.ini
+c:/mysql/data/hostname.err
+c:/mysql/data/mysql.err
+c:/mysql/data/mysql.log
+c:/mysql/my.cnf
+c:/mysql/my.ini
+c:/opt/xampp/logs/access.log
+c:/opt/xampp/logs/access_log
+c:/opt/xampp/logs/error.log
+c:/opt/xampp/logs/error_log
+c:/php/php.ini
+c:/php/sessions/
+c:/php4/php.ini
+c:/php4/sessions/
+c:/php5/php.ini
+c:/php5/sessions/
+c:/program files (x86)/apache group/apache/conf/access.log
+c:/program files (x86)/apache group/apache/conf/error.log
+c:/program files (x86)/apache group/apache/conf/httpd.conf
+c:/program files (x86)/apache group/apache2/conf/httpd.conf
+c:/program files (x86)/filezilla server/filezilla server.xml
+c:/program files (x86)/xampp/apache/conf/httpd.conf
+c:/program files/apache group/apache/conf/httpd.conf
+c:/program files/apache group/apache/logs/access.log
+c:/program files/apache group/apache/logs/error.log
+c:/program files/apache group/apache2/conf/httpd.conf
+c:/program files/apachegroup/apache/conf/httpd.conf
+c:/program files/apachegroup/apache2/conf/httpd.conf
+c:/program files/filezilla server/filezilla server.xml
+c:/program files/mysql/data/hostname.err
+c:/program files/mysql/data/mysql-bin.log
+c:/program files/mysql/data/mysql.err
+c:/program files/mysql/data/mysql.log
+c:/program files/mysql/my.cnf
+c:/program files/mysql/my.ini
+c:/program files/mysql/mysql server 5.0/data/hostname.err
+c:/program files/mysql/mysql server 5.0/data/mysql-bin.log
+c:/program files/mysql/mysql server 5.0/data/mysql.err
+c:/program files/mysql/mysql server 5.0/data/mysql.log
+c:/program files/mysql/mysql server 5.0/my.cnf
+c:/program files/mysql/mysql server 5.0/my.ini
+c:/program files/mysql/mysql server 5.1/my.ini
+c:/program files/xampp/apache/conf/httpd.conf
+c:/program files/xampp/apache/conf/httpd.confetc/passwd
+c:/programfiles/apachegroup/apache/conf/httpd.conf
+c:/programfiles/apachegroup/apache2/conf/httpd.conf
+c:/programfiles/xampp/apache/conf/httpd.conf
+c:/sysprep.inf
+c:/sysprep.xml
+c:/sysprep/sysprep.inf
+c:/sysprep/sysprep.xml
+c:/system volume information/wpsettings.dat
+c:/system32/inetsrv/metabase.xml
+c:/unattend.txt
+c:/unattend.xml
+c:/unattended.txt
+c:/unattended.xml
+c:/users/administrator/desktop/desktop.ini
+c:/users/administrator/ntuser.dat
+c:/users/administrator/ntuser.ini
+c:/windows/csc/v2.0.6/pq
+c:/windows/csc/v2.0.6/sm
+c:/windows/debug/netsetup.log
+c:/windows/explorer.exe
+c:/windows/iis6.log
+c:/windows/iis6.log (5,6 or 7)
+c:/windows/iis7.log
+c:/windows/iis8.log
+c:/windows/notepad.exe
+c:/windows/panther/setupinfo
+c:/windows/panther/setupinfo.bak
+c:/windows/panther/sysprep.inf
+c:/windows/panther/sysprep.xml
+c:/windows/panther/unattend.txt
+c:/windows/panther/unattend.xml
+c:/windows/panther/unattend/setupinfo
+c:/windows/panther/unattend/setupinfo.bak
+c:/windows/panther/unattend/sysprep.inf
+c:/windows/panther/unattend/sysprep.xml
+c:/windows/panther/unattend/unattend.txt
+c:/windows/panther/unattend/unattend.xml
+c:/windows/panther/unattend/unattended.txt
+c:/windows/panther/unattend/unattended.xml
+c:/windows/panther/unattended.txt
+c:/windows/panther/unattended.xml
+c:/windows/php.ini
+c:/windows/repair/sam
+c:/windows/repair/security
+c:/windows/repair/software
+c:/windows/repair/system
+c:/windows/system.ini
+c:/windows/system32/config/appevent.evt
+c:/windows/system32/config/default.sav
+c:/windows/system32/config/regback/default
+c:/windows/system32/config/regback/sam
+c:/windows/system32/config/regback/security
+c:/windows/system32/config/regback/software
+c:/windows/system32/config/regback/system
+c:/windows/system32/config/sam
+c:/windows/system32/config/secevent.evt
+c:/windows/system32/config/security.sav
+c:/windows/system32/config/software.sav
+c:/windows/system32/config/system
+c:/windows/system32/config/system.sa
+c:/windows/system32/config/system.sav
+c:/windows/system32/drivers/etc/hosts
+c:/windows/system32/eula.txt
+c:/windows/system32/inetsrv/config/applicationhost.config
+c:/windows/system32/inetsrv/config/schema/aspnet_schema.xml
+c:/windows/system32/license.rtf
+c:/windows/system32/logfiles/httperr/httperr1.log
+c:/windows/system32/sysprep.inf
+c:/windows/system32/sysprep.xml
+c:/windows/system32/sysprep/sysprep.xml
+c:/windows/system32/sysprepsysprep.inf
+c:/windows/system32/sysprepsysprep.xml
+c:/windows/system32/sysprepunattend.txt
+c:/windows/system32/sysprepunattend.xml
+c:/windows/system32/sysprepunattended.txt
+c:/windows/system32/sysprepunattended.xml
+c:/windows/system32/unattend.txt
+c:/windows/system32/unattend.xml
+c:/windows/system32/unattended.txt
+c:/windows/system32/unattended.xml
+c:/windows/temp/
+c:/windows/win.ini
+c:/windows/windowsupdate.log
+c:/winnt/php.ini
+c:/winnt/win.ini
+c:/xampp/apache/bin/php.ini
+c:/xampp/apache/conf/httpd.conf
+c:/xampp/apache/logs/access.log
+c:/xampp/apache/logs/error.log
+c:/xampp/filezillaftp/filezilla server.xml
+c:/xampp/filezillaftp/logs
+c:/xampp/filezillaftp/logs/access.log
+c:/xampp/filezillaftp/logs/error.log
+c:/xampp/mercurymail/logs/access.log
+c:/xampp/mercurymail/logs/error.log
+c:/xampp/mercurymail/mercury.ini
+c:/xampp/mysql/data/mysql.err
+c:/xampp/php/php.ini
+c:/xampp/phpmyadmin/config.inc
+c:/xampp/phpmyadmin/config.inc.php
+c:/xampp/phpmyadmin/phpinfo.php
+c:/xampp/sendmail/sendmail.ini
+c:/xampp/sendmail/sendmail.log
+c:/xampp/tomcat/conf/tomcat-users.xml
+c:/xampp/tomcat/conf/web.xml
+c:/xampp/webalizer/webalizer.conf
+c:/xampp/webdav/webdav.txt
diff --git a/File Inclusion - Path Traversal/README.md b/File Inclusion - Path Traversal/README.md
index 087458e3..c292bd2d 100644
--- a/File Inclusion - Path Traversal/README.md
+++ b/File Inclusion - Path Traversal/README.md
@@ -18,7 +18,7 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
 * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
-Interesting files to check out :
+Linux - Interesting files to check out :
 ```
 /etc/issue
 /etc/passwd
@@ -38,6 +38,32 @@ Interesting files to check out :
 /proc/net/tcp
 /proc/net/udp
 ```
+
+Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
+```
+c:/boot.ini
+c:/inetpub/logs/logfiles
+c:/inetpub/wwwroot/global.asa
+c:/inetpub/wwwroot/index.asp
+c:/inetpub/wwwroot/web.config
+c:/sysprep.inf
+c:/sysprep.xml
+c:/sysprep/sysprep.inf
+c:/sysprep/sysprep.xml
+c:/system32/inetsrv/metabase.xml
+c:/sysprep.inf
+c:/sysprep.xml
+c:/sysprep/sysprep.inf
+c:/sysprep/sysprep.xml
+c:/system volume information/wpsettings.dat
+c:/system32/inetsrv/metabase.xml
+c:/unattend.txt
+c:/unattend.xml
+c:/unattended.txt
+c:/unattended.xml
+```
+
+
 The following log files are controllable and can be included with an evil payload to achieve a command execution
 ```
 /var/log/apache/access.log
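Review bot: Several entries in the new windows-files.txt wordlist are malformed and should be dropped or corrected before the file is relied on: `c:/program files/xampp/apache/conf/httpd.confetc/passwd` is two entries fused together (the line directly above it already lists the `httpd.conf` path), `c:/windows/iis6.log (5,6 or 7)` is an annotation rather than a path (the `iis6`/`iis7`/`iis8` variants are already separate lines), and `c:/windows/system32/config/system.sa` is a truncated duplicate of the `system.sav` line right after it. The six `c:/windows/system32/sysprep…` entries (`sysprepsysprep.inf`, `sysprepunattend.xml`, etc.) look like they lost a path separator after `sysprep` and are worth checking against the upstream windowsblindread list rather than guessing. A list like this is also the kind of thing a defender turns into a web-log or WAF pattern set, and the junk entries only add noise there too.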
@@ -210,4 +236,5 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 * [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
 * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
 * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
-* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
\ No newline at end of file
+* [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
+* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
\ No newline at end of file