Let's make a tool together

Only via the forum. Ok, more of a wordlist. Yeah I know, somebody's gonna spoil with an uber-complete, well-updated git.

If there's enough feedback I'll assemble it in the end.

You think you know all common documentroots? Even the default path of xampp 1.0 on WindowsXP?

Everyone answer with a new wwwroot that's not on the list yet. I start:

Comments

  • /var/www/vhosts/example.org/htdocs/

    (Default Plesk path, you need to know the Domain name)
  • What's this all about brother ?

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • Why don't you read the text? Just post a typical doc-root of common and less common webservers.
  • No time! Busy doing things from scratch for every box that comes out :wink:

  • Wow so now we're down to active forum trolling. This place is going through the roof, so much fun to have.

    It's a forum game, if you don't get it or don't wanna take part, then don't.
  • @sparkla could you say something about why this is of interest to you exactly?
    Currently I collect like log files, config files, stuff like that, but I haven't really thought about collecting these.
    Would you be willing to give an example where this could come in handy?
  • Whenever we have to do some blind LFI / CE stuff, when we are able to upload a file via a web app and possibly call it via path traversal (blind, no directory listing). I came across so many unkown wevserver projects and possible (mis-)configurations that I think it could be a valuable list for everyone. I never documented these pathes, but it would be fun if everyone just dropped the one they just found...
  • edited September 2020
    Thanks the example. You're right man. I do agree this would be a very valuable list, certainly when automating the exploitation part of LFI (as in autoindexing valuable reachable files).

    I'll be keeping an eye for them, but it actually never crossed my mind, so currently I have none to contribute,well, except the docroots everyone already knows.
Sign In to comment.