Windows and Linux Sensitive Directory Path Summary
Abstract: This article describes how to exploit file inclusion and arbitrary file download vulnerabilities. It provides file lookup commands for different operating systems, lists common configuration file names for Apache, MySQL, PHP, etc., and mentions sensitive files and information, such as probe pages, system files, and critical paths in content management systems (CMS). In addition, default paths for website building tools such as XAMPP and phpStudy are covered, along with relevant files for common CMS platforms.
0x01 Basic Information
When encountering vulnerabilities such as file inclusion or arbitrary file download, the information in this article can be utilised to facilitate subsequent attacks.
0x02 Configuration Files
Finding Files
If command execution is possible, use the lookup commands directly.
Linux-related commands:
# Find a file
find / -name filename.ext
# Search entire disk for files containing 'flag'
grep flag -r /
Windows-related commands:
# Search entire disk for a file; be sure to add an asterisk!
for /r c:\ %i in (password.txt*) do @echo %i
for /r c:\ %i in (*.ini) do @echo %i
# Search drive C: for files containing the string 'password'; double quotes are required!
findstr /s /n "password" c:\*
# Check whether pwd.txt contains the string 'password'; double quotes are required!
find /N /I "password" pwd.txt
Common Configuration File Names
# Apache
httpd.conf
# MySQL
my.ini
# Virtual host configuration
httpd-vhosts.conf
# IIS
metabase.xml
applicationHost.config
# SSH
/etc/ssh/sshd_config
# Nginx
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
# PHP
php.ini
# WebLogic (read password)
./security/SerializedSystemIni.dat
./config/config.xml
Apache
# Configuration file path
/etc/httpd/conf/httpd.conf
# Default site path
/var/www/html/
# Ubuntu configuration file
/etc/apache2/apache2.conf
# Access log and error log
/private/var/log/apache2/error_log
/private/var/log/apache2/access_log
IIS
# Configuration file
web.config
MySQL
# Configuration file
/etc/my.cnf
/etc/mysql/my.cnf
phpMyAdmin
# Configuration file
config.inc.php
# Default path
/var/www/phpmyadmin/config.inc.php
XAMPP Suite
Related paths:
# Website default path
xampp\htdocs
# Apache basic configuration
xampp\apache\conf\httpd.conf
# Apache SSL
xampp\apache\conf\ssl.conf
# Apache Perl (plugin only)
xampp\apache\conf\perl.conf
# Apache Tomcat (plugin only)
xampp\apache\conf\java.conf
# Apache Python (plugin only)
xampp\apache\conf\python.conf
# Virtual hosts
xampp\apache\conf\extra\httpd-vhosts.conf
# PHP
xampp\php\php.ini
# Database default path
xampp\mysql\data
# MySQL
xampp\mysql\bin\my.ini
# phpMyAdmin
xampp\phpMyAdmin\config.inc.php
# FileZilla FTP server
xampp\FileZillaFTP\FileZilla Server.xml
Mercury
# Mercury mail server basic configuration
xampp\MercuryMail\MERCURY.INI
# Sendmail
xampp\sendmail\sendmail.ini
Default passwords:
# MySQL
User: root Password: (empty)
# FileZilla FTP
User: newuser Password: wampp
User: anonymous Password: some@mail.net
# Mercury
Postmaster: postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
TestUser: newuser Password: wampp
# WEBDAV
User: wampp Password: xampp
phpStudy Suite
Earlier versions of the phpStudy suite were reported to have problems such as port conflicts and poor database management. When tested again on Windows (as of August 2019), these problems were no longer observed.
There is also a Pro version, and its paths differ accordingly. This summary takes the Pro version as an example; for the standard version, simply remove the '_pro' suffix from the directory name.
Related paths:
# Root directory
phpstudy\WWW
phpstudy_pro\WWW
# phpMyAdmin
phpstudy_pro\WWW\phpMyAdmin4.8.5
# PHP: In the Pro version, plugins are displayed as extensions.
phpstudy_pro\Extensions\php\php7.3.4nts\php.ini
0x03 Sensitive Files
Probe Information
Installations of XAMPP/LAMPP/phpStudy/PHPnow may leave probe pages behind. These pages reveal useful information, such as Document_Root (the website root directory) and session.save_path (the directory where session files are stored).
1.php
l.php
p.php
probe.php
test.php
info.php
phpinfo.php
Windows
# View system version
c:\boot.ini
# IIS configuration file
c:\windows\system32\inetsrv\MetaBase.xml
# Stores the initial installation password for Windows
c:\windows\repair\sam
# MySQL configuration
c:\Program Files\mysql\my.ini
# MySQL root password
c:\Program Files\mysql\data\mysql\user.MYD
# PHP configuration information
c:\windows\php.ini
Linux
Basic Linux privilege escalation paths:
# Account information
/etc/passwd
# Account password file
/etc/shadow
# Apache2 default configuration file
/usr/local/app/apache2/conf/httpd.conf
# Virtual website configuration
/usr/local/app/apache2/conf/extra/httpd-vhosts.conf
# PHP configuration file
/usr/local/app/php5/lib/php.ini
# Apache configuration file
/etc/httpd/conf/httpd.conf
# MySQL configuration file
/etc/my.cnf
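The file names in this section double as detection signatures. The following is an added example, not part of the original article: Python that flags access-log lines which either serve a leftover probe page or carry one of the listed paths in a request parameter, after undoing nested URL encoding and normalising Windows separators. The function names `fully_decode` and `classify`, the shortened path selection, and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# File names taken from the lists on this page (shortened selection).
PROBE_PAGES = {"1.php", "l.php", "p.php", "probe.php", "test.php", "info.php", "phpinfo.php"}
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/etc/my.cnf", "/etc/ssh/sshd_config",
             "/etc/nginx/nginx.conf", "httpd.conf", "php.ini", "my.ini",
             "config.inc.php", "boot.ini", "windows/repair/sam", "metabase.xml")
# Request and status fields of a Common/Combined Log Format line.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), at most max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the findings for one access-log line (empty list if none)."""
    m = LINE_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    page = fully_decode(parts.path).rsplit("/", 1)[-1].lower()
    if page in PROBE_PAGES and m.group("status") == "200":
        findings.append("probe-page-served:" + page)
    # Normalise the query: decode, unify slashes, drop NUL bytes, lower-case.
    query = fully_decode(parts.query).replace("\\", "/").replace("\x00", "").lower()
    if "../" in query:
        findings.append("traversal-sequence")
    for name in SENSITIVE:
        if name in query:
            findings.append("sensitive-path:" + name)
    return findings

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 90123',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /download.php?f=C:%5Cwindows%5Cphp.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.php?id=7 HTTP/1.1" 200 2048',
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or "clean", "<-", line.split('"')[1])
```

A hit with status 200 and an unusually large response size deserves priority during triage, since it suggests the file was actually returned rather than merely requested.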
0x04 Common CMS Examples
CMS-A
/member/templets/menulit.php
/plus/paycenter/alipay/return_url.php
/plus/paycenter/cbpayment/autoreceive.php
/paycenter/nps/config_pay_nps.php
/plus/task/dede-maketimehtml.php
/plus/task/dede-optimize-table.php
/plus/task/dede-upcache.php
CMS-B
/wp-admin/includes/file.php
/wp-content/themes/theme-name/footer.php
CMS-C
/api/cron.php
/wap/goods.php
/temp/compiled/ur_here.lbi.php
/temp/compiled/pages.lbi.php
/temp/compiled/user_transaction.dwt.php
/temp/compiled/history.lbi.php
/temp/compiled/page_footer.lbi.php
/temp/compiled/goods.dwt.php
/temp/compiled/user_clips.dwt.php
/temp/compiled/goods_article.lbi.php
/temp/compiled/comments_list.lbi.php
/temp/compiled/recommend_promotion.lbi.php
/temp/compiled/search.dwt.php
/temp/compiled/category_tree.lbi.php
/temp/compiled/user_passport.dwt.php
/temp/compiled/promotion_info.lbi.php
/temp/compiled/user_menu.lbi.php
/temp/compiled/message.dwt.php
/temp/compiled/admin/pagefooter.htm.php
/temp/compiled/admin/page.htm.php
/temp/compiled/admin/start.htm.php
/temp/compiled/admin/goods_search.htm.php
/temp/compiled/admin/index.htm.php
/temp/compiled/admin/order_list.htm.php
/temp/compiled/admin/menu.htm.php
/temp/compiled/admin/login.htm.php
/temp/compiled/admin/message.htm.php
/temp/compiled/admin/goods_list.htm.php
/temp/compiled/admin/pageheader.htm.php
/temp/compiled/admin/top.htm.php
/temp/compiled/top10.lbi.php
/temp/compiled/member_info.lbi.php
/temp/compiled/bought_goods.lbi.php
/temp/compiled/goods_related.lbi.php
/temp/compiled/page_header.lbi.php
/temp/compiled/goods_script.html.php
/temp/compiled/index.dwt.php
/temp/compiled/goods_fittings.lbi.php
/temp/compiled/myship.dwt.php
/temp/compiled/brands.lbi.php
/temp/compiled/help.lbi.php
/temp/compiled/goods_gallery.lbi.php
/temp/compiled/comments.lbi.php
/temp/compiled/myship.lbi.php
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/includes/modules/cron/auto_manage.php
/includes/modules/cron/ipdel.php
CMS-D
/admin/inc/hack/count.php?job=list
/admin/inc/hack/search.php?job=getcode
/admin/inc/ajax/bencandy.php?job=do
/cache/MysqlTime.txt
/cms-root/
CMS-E
/lib/mods/celive/menu_top.php
/lib/default/ballot_act.php
/lib/default/special_act.php