Waraxe IT Security Portal
A few questions ... (Newbies corner, page 2 of 2)

Posted: Fri May 23, 2008 12:46 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

In the dir _vti_pvt there is a file service.pwd. Inside this file your password hash is stored.

to waraxe

There is the Suhosin Extension there, and a lot of things are almost impossible to do. IMHO you need to look through the logs for where the backups are stored. He probably won't have permissions on other users' directories.

Something like this

drwxr-x--- 2 fakeuser nobody 4096 Dec 27 21:32 _vti_pvt

...gives a little hope, but nobody will probably not have permission to view the file service.pwd... etc., and if it does have permission, then the server can be taken over completely.

Posted: Fri May 23, 2008 1:00 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Yes, it is obvious that the server admin knows about security (hardened php, *bsd opsystem), so probably cross-neighbour attacks are hard to make happen. But this is just a guess. Without comprehensive tests it's just speculation, there can be insecurities everywhere ;)

By the way, this server seems to be full of various users:

http://search.msn.com/results.aspx?q=ip%3A208.87.241.96&FORM=MSNH

:)

Posted: Fri May 23, 2008 3:19 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

OK, about the service.pwd file: there was something inside like:


Code:

# -FrontPage-
<username>:$3$bhS4wQs1$Jt6Hy/z.ril11CtvCTO299


I changed the information, because as you mentioned it seems like it is my password :D md5 .. but I do not use FrontPage and I have not placed the files there ...

About the 4th snippet, I only get:
Code:

Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory

Parse error: syntax error, unexpected ';' in /home/<username>/public_html/work/4.php on line 13


I fixed the code and get:

Code:
Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory



-------------------------
/home/saduser
total 88
drwxr-xr-x 12 saduser saduser 4096 May 23 05:56 .
drwxr-xr-x 3 root root 4096 May 23 00:16 ..
-rw-r--r-- 1 saduser saduser 6148 May 23 03:17 .DS_Store
-rw-r----- 1 saduser saduser 4096 May 23 05:40 ._bash_profile
-rw------- 1 saduser saduser 423 May 23 07:05 .bash_history
-rw-r----- 1 saduser saduser 383 May 23 05:40 .bash_profile
-rw------- 1 saduser saduser 27 Mar 4 10:11 .contactemail
drwxr-xr-x 3 saduser saduser 4096 Jan 10 23:52 .cpaddons
drwxr-xr-x 5 saduser saduser 4096 Feb 3 00:56 .cpanel
-rw------- 1 saduser saduser 11 May 23 01:02 .ftpquota
dr--r--r-- 3 saduser saduser 4096 Jan 5 09:40 .htpasswds
-rw------- 1 saduser saduser 14 Feb 3 00:56 .lastlogin
-rw------- 1 saduser saduser 93 Jan 25 16:04 .mysql_history
drwx------ 2 saduser saduser 4096 Jan 1 04:49 .trash
lrwxrwxrwx 1 saduser saduser 31 Jan 12 07:28 access-logs -> /usr/local/apache/domlogs/saduser
-rw-r--r-- 1 saduser saduser 6 Feb 2 00:47 assp_cpanel_log
drwxr-xr-x 5 saduser saduser 4096 Apr 1 05:30 django
drwxr-xr-x 3 saduser saduser 4096 Jan 20 01:31 etc
drwxr-x--- 6 saduser mail 4096 Dec 28 00:31 mail
drwxr-xr-x 3 saduser saduser 4096 May 23 01:02 public_ftp
drwxr-x--- 14 saduser nobody 4096 May 23 03:12 public_html
drwxr-xr-x 7 saduser saduser 4096 Jan 25 15:46 tmp
lrwxrwxrwx 1 saduser saduser 11 Jan 12 07:28 www -> public_html

-------------------------
/home
total 12
drwxr-xr-x 3 root root 4096 May 23 00:16 .
drwxr-xr-x 13 root root 4096 May 23 00:16 ..
drwxr-xr-x 12 saduser saduser 4096 May 23 05:56 saduser

-------------------------
/
total 78
drwxr-xr-x 13 root root 4096 May 23 00:16 .
drwxr-xr-x 13 root root 4096 May 23 00:16 ..
drwxr-xr-x 2 root root 4096 May 22 18:48 bin
-rwxr-xr-x 1 root root 1320 May 23 08:06 checkvirtfs
drwxr-xr-x 11 root root 4160 May 22 23:34 dev
drwxr-xr-x 4 root root 4096 May 23 00:16 etc
drwxr-xr-x 3 root root 4096 May 23 00:16 home
drwxr-xr-x 11 root root 4096 May 23 01:15 lib
drwxr-xr-x 8 root root 4096 May 23 01:15 lib64
drwxr-xr-x 11 root root 4096 May 22 21:17 opt
dr-xr-xr-x 178 root root 0 May 22 23:33 proc
drwxrwxrwt 22 root root 17408 May 23 08:14 tmp
drwxr-xr-x 12 root root 4096 May 23 00:16 usr
drwxr-xr-x 7 root root 4096 May 23 00:16 var

-------------------------
array(7) {
["name"]=>
string(5) "saduser"
["passwd"]=>
string(1) "x"
["uid"]=>
int(43516)
["gid"]=>
int(43518)
["gecos"]=>
string(0) ""
["dir"]=>
string(11) "/home/saduser"
["shell"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
}

-------------------------



Again I changed my username :D

The .DS_Store files in here are created from my Mac, while accessing via FUSE.

That's it! About the large number of other users you have seen on the server: that is because it is a free hosting program.

Regards, Snoop1990

Posted: Fri May 23, 2008 3:37 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

But one more thing, can you please tell me what you are looking for? Because I would be very pleased to be able to do this php security check on my own. So if I switch to another host in the future I do not have to do it all again.

What I understand so far is:
phpinfo(); shows general information about the system, the version and the variables in php, but can you please tell me which are potential security holes? Which variables have to be disabled?

The second step was to check for /etc/master.passwd. Sure, if this file is available you can easily get the password by testing the maximum length and whether special characters are supported (there are not that many potential MD5s).

Then you did some ls, mmh, I do not understand this. What are you looking for? Or is it just a try to see if it is possible?

Then you check which directory we are in and then check posix and the globals. So here again, which are insecure? Which should be disabled?

In the next snippet you check for even more files and again check something with posix ... please just tell me what you are looking for, please!

Posted: Fri May 23, 2008 7:18 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

It's too many questions for me, I can talk about these issues for hours and hours ...
But one thing is clear - your current hosting is secure against cross-neighbour attacks. I mean: if someone hacks into a website that is hosted on the same server, and if the attacker gets php code level and opsystem shell level access, then he/she is unable to leverage that presence against other websites. Or vice versa - you have shell and php access there, but you can't read other websites' files, right?
The main reason for such thoughts is bsd Jailing, used on that server. It's a kind of sandboxing, and it's not easy to escape it. So this hosting is good from a cross-user point of view.
Now that "master.passwd". If you could read it, then it's not fatal. It does not contain password hashes, only usernames, uids, gids and some other stuff. It's just the usual test of opsystem file readability. Password hashes are in the "master.shadow" file, which can be read only by the root user. And those hashes are not usual md5, but >1000 times rehashed hashes. So cracking them is a real pain in the a$$ and good passes are uncrackable.
There is much more I wanted to talk about here, but I'm too tired for today.
See ya :)
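
Added example (not part of the original thread and not written by any of the posters): a small Python check that reads `ls -l` output in the format posted above and flags entries in your own home directory that other accounts, or the web server group, can read. The sample listing is constructed; the SENSITIVE name set, the audit() and parse_mode() helpers and the "nobody" web group default are assumptions for illustration.

```python
import stat

# Constructed sample in the `ls -l` format posted in this thread.
SAMPLE = """\
drwxr-x--- 2 saduser nobody 4096 Dec 27 21:32 _vti_pvt
-rw-r--r-- 1 saduser saduser 6148 May 23 03:17 .DS_Store
-rw------- 1 saduser saduser 423 May 23 07:05 .bash_history
dr--r--r-- 3 saduser saduser 4096 Jan 5 09:40 .htpasswds
drwxr-x--- 14 saduser nobody 4096 May 23 03:12 public_html
lrwxrwxrwx 1 saduser saduser 11 Jan 12 07:28 www -> public_html
"""

# Assumption: entries the account owner does not want neighbours to read.
SENSITIVE = {"_vti_pvt", ".htpasswds", ".bash_history", ".mysql_history", "mail"}


def parse_mode(mode):
    """Convert a mode string such as 'drwxr-x---' to (type, permission bits)."""
    bits = 0
    for i, ch in enumerate(mode[1:10]):
        if ch not in "-ST":  # 'S'/'T' mean special bit without execute
            bits |= 1 << (8 - i)
    return mode[0], bits


def audit(listing, owner, web_group="nobody"):
    """Return (name, finding) pairs for risky entries in an `ls -l` listing."""
    findings = []
    for line in listing.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or len(parts[0]) < 10:
            continue  # skip "total N", separators and blank lines
        kind, bits = parse_mode(parts[0])
        user, group = parts[2], parts[3]
        name = parts[8].split(" -> ")[0]
        if kind == "l":
            continue  # a symlink's own mode is not enforced; the target's is
        if user != owner:
            findings.append((name, "not owned by account"))
        if bits & stat.S_IWOTH:
            findings.append((name, "world-writable"))
        if name in SENSITIVE and bits & stat.S_IROTH:
            findings.append((name, "sensitive and world-readable"))
        if name in SENSITIVE and group == web_group and bits & stat.S_IRGRP:
            findings.append((name, "sensitive and readable by web server group"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE, "saduser"):
        print(f"{name}: {finding}")
```

On a real account, feed it the output of `ls -la` for your home directory and for each directory flagged, then tighten the mode or group on anything reported.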

Posted: Fri May 23, 2008 7:28 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

Thank you for your response so far. If you find some time I would be very pleased if you could teach me something more about security and such things. It is a really interesting topic and I wanted to learn all the time, but I did not know where to start. Now I found your forum and I am really happy about it. But as I said in another topic I do not want to be one of those script kids who just copy paste code. I want to understand what I am doing and how to prevent myself and others from being hacked. And I think you are the kind of guy who knows a lot about all this, so I would be very pleased to learn some of your tricks.

Regards, Snoop1990