LFI?
I was messing around and pentesting a site, and I found a secured dir named admin/, so I tried to LFI the dir and I got this…
Server Error in '/COISDDCP' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
    <!-- Web.Config Configuration File -->
    <configuration>
        <system.web>
            <customErrors mode="Off"/>
        </system.web>
    </configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
    <!-- Web.Config Configuration File -->
    <configuration>
        <system.web>
            <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
        </system.web>
    </configuration>
And so I ask: does this mean it is possible to view the dir through this technique, or should I try another way?
EDIT: BTW, this is what I did for the URL:
https://www.SOMEEDITEDNAME.com/*********/DesktopDefault.aspx?tabid=/Admin/Security/
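The page quoted in the post above is ASP.NET's stock runtime error page, which typically appears when customErrors hides details from remote clients and no defaultRedirect is set. As an added example (not from the thread), here is a defender-side check that reads a web.config and reports that state alongside the riskier mode="Off"; the function names and sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real site).
MODE_OFF = '<configuration><system.web><customErrors mode="Off"/></system.web></configuration>'
GENERIC_PAGE = '<configuration><system.web><customErrors mode="RemoteOnly"/></system.web></configuration>'
HARDENED = ('<configuration><system.web>'
            '<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>'
            '</system.web></configuration>')

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}system.web'."""
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return (severity, message) findings for the <customErrors> setting."""
    root = ET.fromstring(web_config_xml)
    system_web = next((e for e in root.iter() if _local(e.tag) == "system.web"), None)
    children = list(system_web) if system_web is not None else []
    node = next((e for e in children if _local(e.tag) == "customErrors"), None)
    # With no element or no mode attribute, ASP.NET falls back to RemoteOnly.
    mode = node.get("mode", "RemoteOnly") if node is not None else "RemoteOnly"
    redirect = node.get("defaultRedirect") if node is not None else None
    findings = []
    if mode == "Off":
        findings.append(("high", "mode=Off: exception details are sent to remote clients"))
    elif mode not in ("On", "RemoteOnly"):
        findings.append(("high", f"unrecognised mode value {mode!r}"))
    elif not redirect:
        findings.append(("low", "no defaultRedirect: remote clients see the stock "
                                "'Runtime Error' page, which identifies the ASP.NET stack"))
    return findings

def severities(web_config_xml):
    """Convenience wrapper: just the severity labels, in order."""
    return [sev for sev, _ in audit_custom_errors(web_config_xml)]

if __name__ == "__main__":
    for name, cfg in [("MODE_OFF", MODE_OFF), ("GENERIC_PAGE", GENERIC_PAGE),
                      ("HARDENED", HARDENED)]:
        print(name, audit_custom_errors(cfg) or "ok")
```
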
Wow… I posted the same damn message before and ppl ignored me since it sounded noob
http://www.hellboundhackers.org/forum/stealing_cookies-14-13475_0.html
I was trying RFI on my school's PC, and I found the same message. And I realized that it was the same for XSS and many other types of injections.
Hey man, was the network programmed by Linksys?
No, it's not. It's an error message that tells you only the (server) can make it an LFI. If you can get to the config file and edit it, then you could possibly make it work! But the rest of the error is just telling you how to make custom error messages. It's a good find tho, because a site shouldn't display errors to anyone! So it may still be exploitable!
If you can get a shell up, you most likely can get to the config file. Try to upload a shell on a site as a text file and see if you can get an RFI. Then execute it as PHP.
I have found this also,
https://www..com//DesktopDefault.aspx?tabid=700&ctl=login and https://www..com//DesktopDefault.aspx?tabid=700&ctl=loggedin
Both bring up a page, but the second is blank.
Is that exploitable in any way? If so, what should I look up?