Waraxe IT Security Portal
A few questions ...

Posted: Thu May 22, 2008 9:08 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

Hey,
I have a website at profusehost.net (a free US web host, which is down at the moment because of a server issue (not my fault)). Now I have read several things about neighbor hacks, and my question is: how secure are my files? Is it possible to get from one account into another (sign-up is free, so everybody can become my neighbor)? I mean, some people said that it is quite easy; as soon as you are able to execute code there are nearly no limits, true? It really scares me to read all this, so I hope somebody in here might answer my questions.

Ahhh, and just some more ...
As far as I am familiar with hacking (I did some (very) small hacks in my early kid days), you bruteforce the password or have a list of possible passwords, or both. Then you run this process through a list of proxies (tunnel it via the HTTP port). This way the time you need to crack a 12-character password is limited. So each password is going to be cracked if you just have enough time. Now my question is how to set up a password that changes over time? What I want is a script (for Unix-based operating systems) which generates a new password every 5 to 10 minutes. The new password should be created by using the current time as public key and a secret password as private key. Now the person who wants to log in needs a specific tool to create the right password (from his private key and the time) (standard RSA). The bad thing is, if the hacker however gets the tool which is used to generate the keys, he will be able to enter. But 99.99% of all brute force attacks won't succeed.

So my first question to the second part is: is it possible? And which operating system is best to use: FreeBSD? A Linux version (maybe built from scratch)? Maybe somebody has already built a similar system?

These are my first questions, more to follow ...
Regards, Snoop1990

_________________
http://snoop1990.co.cc

"I don't hack, I only surf the web to search for security holes ! To prevent my clients and me from being hacked !"

Posted: Thu May 22, 2008 9:40 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

1. If you are hosting your website on a shared server, then everything depends on the server admins' professional level. It can be (almost) impossible to go from PHP level to an operating system shell (if safe_mode is on and security is tightened up), or even if shell access is possible, cross-user file access can be prevented (suexec, etc.). But I must say that, practically speaking, most real-world shared hosting servers are not secure enough against "cross-neighbour" attacks. So my suggestion is - try it out yourself and find out how secure your hosting is.

2. You mean something like this?

http://en.wikipedia.org/wiki/One_time_password

But don't think that online password bruteforce is so easy. No no no.
Even a 6-character loweralpha password is hard to crack via online bruteforce. And think about all the noise - thousands (or millions) of log entries, IDS alerts, possible DoS conditions. And besides, usually there are some anti-brute-force solutions in place, which will lock out the account or just slow down the auth process. And bruteforce via proxy or chain of proxies will be even slower. So if you have a good password, then I don't think that you should fear online bruteforce. Just avoid using the same password in various places :)

Posted: Thu May 22, 2008 9:50 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

waraxe wrote:
So my suggestion is - try it out yourself and find out how secure your hosting is.

How? Can you provide me with a basic tutorial, so I can test my hosting service? (Of course only on two accounts that both belong to me.)

waraxe wrote:
2. You mean something like this?
http://en.wikipedia.org/wiki/One_time_password

Yes, I just do not know the phrase to search for ;)

waraxe wrote:
... And bruteforce via proxy or chain of proxies will be even slower. ...

This brings up another question: is it possible to be locked through a proxy? I mean, is it possible to resolve the hacker's IP behind the proxy?

Posted: Thu May 22, 2008 10:03 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

There are various proxy-thingies: HTTP proxies, SOCKS, Tor (Onion Routing), bouncers, CGI proxies, ...
Most common is the HTTP proxy. It can be non-anonymous (transparent); in this case the proxy will emit X_FORWARDED_FOR or another HTTP header and the target server can "see" who is behind the proxy. Next, there are truly anonymous proxies, and in this case the hacking victim must contact the proxy owner and ask for logs. IF logs exist (logging can be turned off, logs can be periodically deleted, the hacker can delete logs and format the HDD, etc.) and IF the proxy owner is willing to co-operate, then you can get one step closer to the attacker. And if that IP address points to another proxy, then repeat this as many times as needed. Now think about a proxy server in China or Somalia or Libya or in North Korea :)
Still, backtrace can be possible and all depends on the power of the investigators.
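
What the target server can and cannot learn from proxy headers, as an added example that is not part of the post above: it reads CGI/PHP-style request variables (`REMOTE_ADDR`, `HTTP_X_FORWARDED_FOR`, `HTTP_FORWARDED`, `HTTP_CLIENT_IP`, `HTTP_VIA`) and separates requests where a proxy discloses a client address from those where only the proxy itself is visible. The function names, the category labels and the sample addresses (documentation ranges) are assumptions of this example.

```python
import ipaddress
import re

# RFC 1918 and loopback ranges: an address in here identifies nobody on the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# for= parameter of the RFC 7239 Forwarded header, optionally quoted.
FORWARDED_FOR = re.compile(r'for=("?)([^";,]+)\1', re.IGNORECASE)


def parse_ip(token):
    """Return an ip_address, tolerating "[v6]:port" and "v4:port"; None if not an IP."""
    token = token.strip().strip('"')
    if token.startswith("["):                    # [2001:db8::1]:4711
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:                  # 198.51.100.7:3128
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyze(environ):
    """Classify one request by the proxy headers it carries.

    Every header value is supplied by the sender or by a proxy in the path and
    can be forged, so a claimed address is a lead for investigation, not proof.
    Only REMOTE_ADDR comes from the TCP connection itself.
    """
    tokens = []
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        tokens += [t for t in xff.split(",") if t.strip()]
    forwarded = environ.get("HTTP_FORWARDED")
    if forwarded:
        tokens += [m.group(2) for m in FORWARDED_FOR.finditer(forwarded)]
    if environ.get("HTTP_CLIENT_IP"):
        tokens.append(environ["HTTP_CLIENT_IP"])

    claimed, rejected = [], []
    for token in tokens:
        ip = parse_ip(token)
        if ip is None:
            rejected.append(token.strip())       # e.g. "unknown" or garbage
        elif str(ip) not in claimed:
            claimed.append(str(ip))

    if claimed:
        kind = "transparent"                     # proxy names a client address
    elif environ.get("HTTP_VIA") or rejected:
        kind = "proxy-without-client-address"    # proxy visible, client withheld
    else:
        kind = "no-proxy-headers"                # direct, or a proxy that adds nothing
    return {
        "peer": environ.get("REMOTE_ADDR", ""),
        "kind": kind,
        "claimed": claimed,
        "internal": [c for c in claimed if is_internal(ipaddress.ip_address(c))],
        "rejected": rejected,
    }


if __name__ == "__main__":
    # Constructed request: documentation-range addresses only.
    sample = {"REMOTE_ADDR": "198.51.100.7", "HTTP_VIA": "1.1 cache.example",
              "HTTP_X_FORWARDED_FOR": "203.0.113.9, 10.0.0.5"}
    print(analyze(sample))
```

A result of `no-proxy-headers` does not rule out a proxy: an anonymous proxy looks exactly like a direct connection from `REMOTE_ADDR`, which is why the post says the next step is the proxy owner's logs.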

Posted: Thu May 22, 2008 10:12 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

waraxe wrote:
And if that ip address points to other proxy, then repeat this as many times as needed. Now think about proxy server in China or Somalia or Libya or in North Korea :)
Still, backtrace can be possible and all depends on power of the investigators.

So I guess such hackers are nearly impossible to get ... Maybe the FBI can, but I cannot ...

The other thing is, you suggested:

waraxe wrote:
So my suggestion is - try it out yourself and find out how secure your hosting is.

So please give me some advice on where to look for such information ... Thank you!

Posted: Thu May 22, 2008 10:19 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

First:

Code:

<?php
phpinfo();
?>


This will show you lots of information about the PHP configuration.
Look for "safe_mode", "disable_functions", "open_basedir", "log_errors", "upload_tmp_dir" and other settings.
If "safe_mode=Off", then let me know and I can suggest the next tests.
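
One way to check the directives named in this post without reading the whole listing by eye, as an added example that is not part of the post: it parses the `Directive => Local Value => Master Value` text that command-line `phpinfo()` prints and reports the named settings that are off or unset. The embedded sample is constructed, and the `enable_dl` and `allow_url_include` rules are additions of this example standing in for the post's "other settings".

```python
EMPTY = "no value"          # how command-line phpinfo() prints an unset directive


def is_off(value):
    return value.lower() in ("off", "0")


def is_on(value):
    return value.lower() in ("on", "1")


def is_unset(value):
    return value in (EMPTY, "")


# (directive, predicate that marks the weak value, why it matters)
RULES = [
    # Named in the post. safe_mode exists only before PHP 5.4.
    ("safe_mode", is_off, "no owner (UID) check on files opened from PHP"),
    ("disable_functions", is_unset, "no functions disabled; process execution stays callable"),
    ("open_basedir", is_unset, "file functions are not confined to a directory tree"),
    ("log_errors", is_off, "errors are not written to the error log"),
    ("upload_tmp_dir", is_unset, "uploads land in the system default temp directory"),
    # Added by this example, not named in the post.
    ("enable_dl", is_on, "scripts may load extensions at runtime with dl()"),
    ("allow_url_include", is_on, "include/require accept remote URLs"),
]


def parse_directives(text):
    """Map directive name -> (local value, master value); other lines are skipped."""
    directives = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" => ")]
        if len(parts) == 3 and parts[0] != "Directive":
            directives[parts[0]] = (parts[1], parts[2])
    return directives


def audit(text):
    directives = parse_directives(text)
    findings, overridden, missing = [], [], []
    for name, is_weak, reason in RULES:
        if name not in directives:
            missing.append(name)         # not in this build, or output was cut off
            continue
        local, master = directives[name]
        if local != master:
            overridden.append(name)      # per-directory or per-vhost override in effect
        if is_weak(local):
            findings.append((name, local, reason))
    return {"findings": findings, "overridden": overridden, "missing": missing}


# Constructed sample in the same text format; not taken from any real host.
SAMPLE = """\
PHP Version => 5.2.6

Directive => Local Value => Master Value
allow_url_include => Off => Off
disable_functions => no value => no value
enable_dl => On => On
log_errors => On => On
open_basedir => /home/example/:/tmp/ => no value
safe_mode => Off => Off
upload_tmp_dir => no value => no value
"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, value, reason in report["findings"]:
        print(f"{name} = {value}: {reason}")
    print("overridden locally:", report["overridden"])
    print("not present:", report["missing"])
```

The local value is the one in effect for the script that produced the listing, so output taken from the command line can differ from what the web server module applies to the same account.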

Posted: Thu May 22, 2008 10:26 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

OK, I am going to post the information as soon as the servers are back online. Thanks again. Regards, Snoop1990

Posted: Fri May 23, 2008 8:32 am
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

I did the phpinfo via bash, because the HTTP port is blocked (they still have to set up some things) ...

Here it is:

Code:

bash-3.1$ php index.php
Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory
phpinfo()
PHP Version => 5.2.6

System => Linux duck.unixbsd.info 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:35:07 EDT 2008 x86_64
Build Date => May 22 2008 23:51:27
Configure Command => './configure' '--enable-bcmath' '--enable-calendar' '--enable-dbase' '--enable-exif' '--enable-ftp' '--enable-gd-native-ttf' '--enable-libxml' '--enable-magic-quotes' '--enable-mbstring' '--enable-pdo=shared' '--enable-sockets' '--enable-zip' '--prefix=/usr/local' '--with-apxs=/usr/local/apache/bin/apxs' '--with-bz2' '--with-curl=/opt/curlssl/' '--with-curlwrappers' '--with-freetype-dir=/usr' '--with-gd' '--with-gettext' '--with-imap=/opt/php_with_imap_client/' '--with-imap-ssl=/usr' '--with-jpeg-dir=/usr' '--with-kerberos' '--with-libdir=lib64' '--with-libexpat-dir=/usr' '--with-libxml-dir=/opt/xml2/' '--with-mcrypt=/opt/libmcrypt/' '--with-mhash=/opt/mhash/' '--with-mysql=/usr' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli=/usr/bin/mysql_config' '--with-openssl=/usr' '--with-openssl-dir=/usr' '--with-pdo-mysql=shared' '--with-pdo-sqlite=shared' '--with-pic' '--with-png-dir=/usr' '--with-pspell' '--with-sqlite=shared' '--with-tidy=/opt/tidy/' '--with-ttf' '--with-xmlrpc' '--with-xpm-dir=/usr' '--with-xsl=/opt/xslt/' '--with-zlib' '--with-zlib-dir=/usr' '--without-iconv'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
PHP API => 20041225
PHP Extension => 20060613
Zend Extension => 220060519
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
IPv6 Support => enabled
Registered PHP Streams => zip, php, file, data, tftp, ftp, telnet, dict, http, https, ftps, compress.bzip2, compress.zlib
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters => string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, bzip2.*, zlib.*


This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Suhosin v0.9.23, Copyright (c) 2007, by SektionEins GmbH
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies


_______________________________________________________________________


Configuration

PHP Core

Directive => Local Value => Master Value
allow_call_time_pass_reference => On => On
allow_url_fopen => On => On
allow_url_include => Off => Off
always_populate_raw_post_data => Off => Off
arg_separator.input => & => &
arg_separator.output => & => &
asp_tags => Off => Off
auto_append_file => no value => no value
auto_globals_jit => On => On
auto_prepend_file => no value => no value
browscap => no value => no value
default_charset => no value => no value
default_mimetype => text/html => text/html
define_syslog_variables => Off => Off
disable_classes => no value => no value
disable_functions => no value => no value
display_errors => STDOUT => STDOUT
display_startup_errors => Off => Off
doc_root => no value => no value
docref_ext => no value => no value
docref_root => no value => no value
enable_dl => On => On
error_append_string => no value => no value
error_log => error_log => error_log
error_prepend_string => no value => no value
error_reporting => 6135 => 6135
expose_php => On => On
extension_dir => /usr/local/lib/php/extensions/no-debug-non-zts-20060613 => /usr/local/lib/php/extensions/no-debug-non-zts-20060613
file_uploads => On => On
highlight.bg => <font style="color: #FFFFFF">#FFFFFF</font> => <font style="color: #FFFFFF">#FFFFFF</font>
highlight.comment => <font style="color: #FF8000">#FF8000</font> => <font style="color: #FF8000">#FF8000</font>
highlight.default => <font style="color: #0000BB">#0000BB</font> => <font style="color: #0000BB">#0000BB</font>
highlight.html => <font style="color: #000000">#000000</font> => <font style="color: #000000">#000000</font>
highlight.keyword => <font style="color: #007700">#007700</font> => <font style="color: #007700">#007700</font>
highlight.string => <font style="color: #DD0000">#DD0000</font> => <font style="color: #DD0000">#DD0000</font>
html_errors => Off => Off
ignore_repeated_errors => Off => Off
ignore_repeated_source => Off => Off
ignore_user_abort => Off => Off
implicit_flush => On => On
include_path => .:/usr/lib/php:/usr/local/lib/php => .:/usr/lib/php:/usr/local/lib/php
log_errors => On => On
log_errors_max_len => 1024 => 1024
magic_quotes_gpc => On => On
magic_quotes_runtime => Off => Off
magic_quotes_sybase => Off => Off
mail.force_extra_parameters => no value => no value
max_execution_time => 0 => 0
max_input_nesting_level => 64 => 64
max_input_time => -1 => -1
memory_limit => 32M => 32M
open_basedir => no value => no value
output_buffering => 0 => 0
output_handler => no value => no value
post_max_size => 8M => 8M
precision => 12 => 12
realpath_cache_size => 16K => 16K
realpath_cache_ttl => 120 => 120
register_argc_argv => On => On
register_globals => Off => Off
register_long_arrays => On => On
report_memleaks => On => On
report_zend_debug => Off => Off
safe_mode => Off => Off
safe_mode_exec_dir => no value => no value
safe_mode_gid => Off => Off
safe_mode_include_dir => no value => no value
sendmail_from => no value => no value
sendmail_path => /usr/sbin/sendmail -t -i => /usr/sbin/sendmail -t -i
serialize_precision => 100 => 100
short_open_tag => On => On
SMTP => localhost => localhost
smtp_port => 25 => 25
sql.safe_mode => Off => Off
track_errors => Off => Off
unserialize_callback_func => no value => no value
upload_max_filesize => 2M => 2M
upload_tmp_dir => no value => no value
user_dir => no value => no value
variables_order => EGPCS => EGPCS
xmlrpc_error_number => 0 => 0
xmlrpc_errors => Off => Off
y2k_compliance => On => On
zend.ze1_compatibility_mode => Off => Off

bcmath

BCMath support => enabled

bz2

BZip2 Support => Enabled
Stream Wrapper support => compress.bz2://
Stream Filter support => bzip2.decompress, bzip2.compress
BZip2 Version => 1.0.3, 15-Feb-2005

calendar

Calendar support => enabled

ctype

ctype functions => enabled

curl

cURL support => enabled
cURL Information => libcurl/7.18.1 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5

date

date/time support => enabled
"Olson" Timezone Database Version => 2008.2
Timezone Database => internal
Default timezone => America/Los_Angeles

Directive => Local Value => Master Value
date.default_latitude => 31.7667 => 31.7667
date.default_longitude => 35.2333 => 35.2333
date.sunrise_zenith => 90.583333 => 90.583333
date.sunset_zenith => 90.583333 => 90.583333
date.timezone => no value => no value

dom

DOM/XML => enabled
DOM/XML API Version => 20031129
libxml Version => 2.6.32
HTML Support => enabled
XPath Support => enabled
XPointer Support => enabled
Schema Support => enabled
RelaxNG Support => enabled

exif

EXIF Support => enabled
EXIF Version => 1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $
Supported EXIF Version => 0220
Supported filetypes => JPEG,TIFF

filter

Input Validation and Filtering => enabled
Revision => $Revision: 1.52.2.42 $

Directive => Local Value => Master Value
filter.default => unsafe_raw => unsafe_raw
filter.default_flags => no value => no value

ftp

FTP support => enabled

gd

GD Support => enabled
GD Version => bundled (2.0.34 compatible)
FreeType Support => enabled
FreeType Linkage => with freetype
FreeType Version => 2.2.1
GIF Read Support => enabled
GIF Create Support => enabled
JPG Support => enabled
PNG Support => enabled
WBMP Support => enabled
XPM Support => enabled
XBM Support => enabled

gettext

GetText Support => enabled

hash

hash support => enabled
Hashing Engines => md2 md4 md5 sha1 sha256 sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru gost adler32 crc32 crc32b haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5

imap

IMAP c-Client Version => 2004
SSL Support => enabled
Kerberos Support => enabled

json

json support => enabled
json version => 1.2.1

libxml

libXML support => active
libXML Version => 2.6.32
libXML streams => enabled

mbstring

Multibyte Support => enabled
Multibyte string engine => libmbfl
Multibyte (japanese) regex support => enabled
Multibyte regex (oniguruma) version => 4.4.4
Multibyte regex (oniguruma) backtrack check => On

mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.

Directive => Local Value => Master Value
mbstring.detect_order => no value => no value
mbstring.encoding_translation => Off => Off
mbstring.func_overload => 0 => 0
mbstring.http_input => pass => pass
mbstring.http_output => pass => pass
mbstring.internal_encoding => ISO-8859-1 => no value
mbstring.language => neutral => neutral
mbstring.strict_detection => Off => Off
mbstring.substitute_character => no value => no value

mcrypt

mcrypt support => enabled
Version => 2.5.7
Api No => 20021217
Supported ciphers => cast-128 gost rijndael-128 twofish arcfour cast-256 loki97 rijndael-192 saferplus wake blowfish-compat des rijndael-256 serpent xtea blowfish enigma rc2 tripledes
Supported modes => cbc cfb ctr ecb ncfb nofb ofb stream

Directive => Local Value => Master Value
mcrypt.algorithms_dir => no value => no value
mcrypt.modes_dir => no value => no value

mhash

MHASH support => Enabled
MHASH API Version => 20060101

mysql

MySQL Support => enabled
Active Persistent Links => 0
Active Links => 0
Client API version => 5.0.45
MYSQL_MODULE_TYPE => external
MYSQL_SOCKET => /var/lib/mysql/mysql.sock
MYSQL_INCLUDE => -I/usr/include/mysql
MYSQL_LIBS => -L/usr/lib64 -lmysqlclient

Directive => Local Value => Master Value
mysql.allow_persistent => On => On
mysql.connect_timeout => 60 => 60
mysql.default_host => no value => no value
mysql.default_password => no value => no value
mysql.default_port => no value => no value
mysql.default_socket => no value => no value
mysql.default_user => no value => no value
mysql.max_links => Unlimited => Unlimited
mysql.max_persistent => Unlimited => Unlimited
mysql.trace_mode => Off => Off

mysqli

MysqlI Support => enabled
Client API library version => 5.0.45
Client API header version => 5.0.45
MYSQLI_SOCKET => /var/lib/mysql/mysql.sock

Directive => Local Value => Master Value
mysqli.default_host => no value => no value
mysqli.default_port => 3306 => 3306
mysqli.default_pw => no value => no value
mysqli.default_socket => no value => no value
mysqli.default_user => no value => no value
mysqli.max_links => Unlimited => Unlimited
mysqli.reconnect => Off => Off

openssl

OpenSSL support => enabled
OpenSSL Version => OpenSSL 0.9.8b 04 May 2006

pcre

PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 7.6 2008-01-28

Directive => Local Value => Master Value
pcre.backtrack_limit => 100000 => 100000
pcre.recursion_limit => 100000 => 100000

PDO

PDO support => enabled
PDO drivers => sqlite, sqlite2, mysql

pdo_mysql

PDO Driver for MySQL, client library version => 5.0.45

pdo_sqlite

PDO Driver for SQLite 3.x => enabled
PECL Module version => (bundled) 1.0.1 $Id: pdo_sqlite.c,v 1.10.2.6.2.3 2007/12/31 07:20:10 sebastian Exp $
SQLite Library => 3.3.7

posix

Revision => $Revision: 1.70.2.3.2.18 $

pspell

PSpell Support => enabled

Reflection

Reflection => enabled
Version => $Id: php_reflection.c,v 1.164.2.33.2.50 2008/03/13 15:56:21 iliaa Exp $

session

Session Support => enabled
Registered save handlers => files user sqlite
Registered serializer handlers => php php_binary

Directive => Local Value => Master Value
session.auto_start => Off => Off
session.bug_compat_42 => On => On
session.bug_compat_warn => On => On
session.cache_expire => 180 => 180
session.cache_limiter => nocache => nocache
session.cookie_domain => no value => no value
session.cookie_httponly => Off => Off
session.cookie_lifetime => 0 => 0
session.cookie_path => / => /
session.cookie_secure => Off => Off
session.entropy_file => no value => no value
session.entropy_length => 0 => 0
session.gc_divisor => 100 => 100
session.gc_maxlifetime => 1440 => 1440
session.gc_probability => 1 => 1
session.hash_bits_per_character => 4 => 4
session.hash_function => 0 => 0
session.name => PHPSESSID => PHPSESSID
session.referer_check => no value => no value
session.save_handler => files => files
session.save_path => no value => no value
session.serialize_handler => php => php
session.use_cookies => On => On
session.use_only_cookies => Off => Off
session.use_trans_sid => 0 => 0

SimpleXML

Simplexml support => enabled
Revision => $Revision: 1.151.2.22.2.39 $
Schema support => enabled

sockets

Sockets Support => enabled

SourceGuardian

SourceGuardian Loader Support => enabled
SourceGuardian Loader Version => 7.0.1
SourceGuardian Loader Build Number => 0x0000000C

Directive => Local Value => Master Value
sourceguardian.restrict_unencoded => 0 => 0

SPL

SPL support => enabled
Interfaces => Countable, OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Classes => AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, DirectoryIterator, DomainException, EmptyIterator, FilterIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RegexIterator, RuntimeException, SimpleXMLIterator, SplFileInfo, SplFileObject, SplObjectStorage, SplTempFileObject, UnderflowException, UnexpectedValueException

SQLite

SQLite support => enabled
PECL Module version => 2.0-dev $Id: sqlite.c,v 1.166.2.13.2.10 2007/12/31 07:20:11 sebastian Exp $
SQLite Library => 2.8.17
SQLite Encoding => iso8859

Directive => Local Value => Master Value
sqlite.assoc_case => 0 => 0

standard

Regex Library => Bundled library enabled
Dynamic Library Support => enabled
Path to sendmail => /usr/sbin/sendmail -t -i

Directive => Local Value => Master Value
assert.active => 1 => 1
assert.bail => 0 => 0
assert.callback => no value => no value
assert.quiet_eval => 0 => 0
assert.warning => 1 => 1
auto_detect_line_endings => 0 => 0
default_socket_timeout => 60 => 60
safe_mode_allowed_env_vars => PHP_ => PHP_
safe_mode_protected_env_vars => LD_LIBRARY_PATH => LD_LIBRARY_PATH
url_rewriter.tags => a=href,area=href,frame=src,input=src,form=,fieldset= => a=href,area=href,frame=src,input=src,form=,fieldset=
user_agent => no value => no value

suhosin


This server is protected with the Suhosin Extension 0.9.23

Copyright (c) 2006-2007 Hardened-PHP Project
Copyright (c) 2007 SektionEins GmbH

Directive => Local Value => Master Value
suhosin.apc_bug_workaround => Off => Off
suhosin.cookie.checkraddr => 0 => 0
suhosin.cookie.cryptdocroot => On => On
suhosin.cookie.cryptkey => [ protected ] => [ protected ]
suhosin.cookie.cryptlist => no value => no value
suhosin.cookie.cryptraddr => 0 => 0
suhosin.cookie.cryptua => On => On
suhosin.cookie.disallow_nul => 1 => 1
suhosin.cookie.disallow_ws => 1 => 1
suhosin.cookie.encrypt => Off => Off
suhosin.cookie.max_array_depth => 50 => 50
suhosin.cookie.max_array_index_length => 64 => 64
suhosin.cookie.max_name_length => 64 => 64
suhosin.cookie.max_totalname_length => 256 => 256
suhosin.cookie.max_value_length => 10000 => 10000
suhosin.cookie.max_vars => 100 => 100
suhosin.cookie.plainlist => no value => no value
suhosin.coredump => Off => Off
suhosin.disable.display_errors => Off => Off
suhosin.executor.allow_symlink => Off => Off
suhosin.executor.disable_emodifier => Off => Off
suhosin.executor.disable_eval => Off => Off
suhosin.executor.eval.blacklist => no value => no value
suhosin.executor.eval.whitelist => no value => no value
suhosin.executor.func.blacklist => no value => no value
suhosin.executor.func.whitelist => no value => no value
suhosin.executor.include.blacklist => no value => no value
suhosin.executor.include.max_traversal => 0 => 0
suhosin.executor.include.whitelist => no value => no value
suhosin.executor.max_depth => 0 => 0
suhosin.filter.action => no value => no value
suhosin.get.disallow_nul => 1 => 1
suhosin.get.disallow_ws => 0 => 0
suhosin.get.max_array_depth => 50 => 50
suhosin.get.max_array_index_length => 64 => 64
suhosin.get.max_name_length => 64 => 64
suhosin.get.max_totalname_length => 256 => 256
suhosin.get.max_value_length => 512 => 512
suhosin.get.max_vars => 100 => 100
suhosin.log.file => 0 => 0
suhosin.log.file.name => no value => no value
suhosin.log.phpscript => 0 => 0
suhosin.log.phpscript.is_safe => Off => Off
suhosin.log.phpscript.name => no value => no value
suhosin.log.sapi => 0 => 0
suhosin.log.script => 0 => 0
suhosin.log.script.name => no value => no value
suhosin.log.syslog => no value => no value
suhosin.log.syslog.facility => no value => no value
suhosin.log.syslog.priority => no value => no value
suhosin.log.use-x-forwarded-for => Off => Off
suhosin.mail.protect => 0 => 0
suhosin.memory_limit => 0 => 0
suhosin.multiheader => Off => Off
suhosin.perdir => 0 => 0
suhosin.post.disallow_nul => 1 => 1
suhosin.post.disallow_ws => 0 => 0
suhosin.post.max_array_depth => 50 => 50
suhosin.post.max_array_index_length => 64 => 64
suhosin.post.max_name_length => 64 => 64
suhosin.post.max_totalname_length => 256 => 256
suhosin.post.max_value_length => 65000 => 65000
suhosin.post.max_vars => 200 => 200
suhosin.protectkey => On => On
suhosin.request.disallow_nul => 1 => 1
suhosin.request.disallow_ws => 0 => 0
suhosin.request.max_array_depth => 50 => 50
suhosin.request.max_array_index_length => 64 => 64
suhosin.request.max_totalname_length => 256 => 256
suhosin.request.max_value_length => 65000 => 65000
suhosin.request.max_varname_length => 64 => 64
suhosin.request.max_vars => 200 => 200
suhosin.server.encode => On => On
suhosin.server.strip => On => On
suhosin.session.checkraddr => 0 => 0
suhosin.session.cryptdocroot => On => On
suhosin.session.cryptkey => [ protected ] => [ protected ]
suhosin.session.cryptraddr => 0 => 0
suhosin.session.cryptua => On => On
suhosin.session.encrypt => On => On
suhosin.session.max_id_length => 128 => 128
suhosin.simulation => Off => Off
suhosin.sql.bailout_on_error => Off => Off
suhosin.sql.comment => 0 => 0
suhosin.sql.multiselect => 0 => 0
suhosin.sql.opencomment => 0 => 0
suhosin.sql.union => 0 => 0
suhosin.sql.user_postfix => no value => no value
suhosin.sql.user_prefix => no value => no value
suhosin.stealth => On => On
suhosin.upload.disallow_binary => 0 => 0
suhosin.upload.disallow_elf => 1 => 1
suhosin.upload.max_uploads => 25 => 25
suhosin.upload.remove_binary => 0 => 0
suhosin.upload.verification_script => no value => no value

tidy

Tidy support => enabled
libTidy Release => 6 November 2007
Extension Version => 2.0 ($Id: tidy.c,v 1.66.2.8.2.25 2007/12/31 07:20:14 sebastian Exp $)

Directive => Local Value => Master Value
tidy.clean_output => 0 => 0
tidy.default_config => no value => no value

tokenizer

Tokenizer Support => enabled

xml

XML Support => active
XML Namespace Support => active
EXPAT Version => expat_1.95.8

xmlreader

XMLReader => enabled

xmlrpc

core library version => xmlrpc-epi v. 0.51
php extension version => 0.51
author => Dan Libby
homepage => http://xmlrpc-epi.sourceforge.net
open sourced by => Epinions.com

xmlwriter

XMLWriter => enabled

xsl

XSL => enabled
libxslt Version => 1.1.23
libxslt compiled against libxml Version => 2.6.32
EXSLT => enabled
libexslt Version => 1.1.23

Zend Optimizer

Optimization Pass 1 => enabled
Optimization Pass 2 => enabled
Optimization Pass 3 => enabled
Optimization Pass 4 => enabled
Optimization Pass 9 => enabled
Zend Loader => enabled
License Path =>
Obfuscation level => 3

zip

Zip => enabled
Extension Version => $Id: php_zip.c,v 1.1.2.43 2008/01/18 00:51:38 pajoye Exp $
Zip version => 1.8.11
Libzip version => 0.8.0-compatible

zlib

ZLib Support => enabled
Stream Wrapper support => compress.zlib://
Stream Filter support => zlib.inflate, zlib.deflate
Compiled Version => 1.2.3
Linked Version => 1.2.3

Directive => Local Value => Master Value
zlib.output_compression => Off => Off
zlib.output_compression_level => -1 => -1
zlib.output_handler => no value => no value

Additional Modules

Module Name
dbase

Environment

Variable => Value
MANPATH => /usr/lib/courier-imap/man:
HOSTNAME => duck.unixbsd.info
SHELL => /usr/local/cpanel/bin/jailshell
TERM => xterm-color
HISTSIZE => 1000
SSH_CLIENT => la.la.la.la 62946 22
SSH_TTY => /dev/pts/2
USER => :D I don't think this is relevant at any point
LS_COLORS => no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
PATH => /usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin
MAIL => /var/spool/mail/:D my username, I don't want you to know this
PWD => /home/:D again my username/www/work
INPUTRC => /etc/inputrc
HOME => /home/I use this so you don't have to
SHLVL => 2
LOGNAME => Top secret that's me !
SSH_CONNECTION => fake.fake.fake.fake 62946 fake.fake.fake.fake
LESSOPEN => |/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES => 1
_ => /usr/local/bin/php
OLDPWD => /home/again my username/www

PHP Variables

Variable => Value
_SERVER["MANPATH"] => /usr/lib/courier-imap/man:
_SERVER["HOSTNAME"] => duck.unixbsd.info
_SERVER["SHELL"] => /usr/local/cpanel/bin/jailshell
_SERVER["TERM"] => xterm-color
_SERVER["HISTSIZE"] => 1000
_SERVER["SSH_CLIENT"] => fake.fake.fake.Ip 62946 22
_SERVER["SSH_TTY"] => /dev/pts/2
_SERVER["USER"] => it's my Mario
_SERVER["LS_COLORS"] => no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_SERVER["PATH"] => /usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin
_SERVER["MAIL"] => /var/spool/mail/who care about who I am
_SERVER["PWD"] => /home/my account/www/work
_SERVER["INPUTRC"] => /etc/inputrc
_SERVER["HOME"] => /home/my account also as a home directory
_SERVER["SHLVL"] => 2
_SERVER["LOGNAME"] => that's me again
_SERVER["SSH_CONNECTION"] => fake.fake.fake.fake 62946 fake.fake.fake.fake
_SERVER["LESSOPEN"] => |/usr/bin/lesspipe.sh %s
_SERVER["G_BROKEN_FILENAMES"] => 1
_SERVER["_"] => /usr/local/bin/php
_SERVER["OLDPWD"] => /home/blub blub blub was here/www
_SERVER["PHP_SELF"] => index.php
_SERVER["SCRIPT_NAME"] => index.php
_SERVER["SCRIPT_FILENAME"] => index.php
_SERVER["PATH_TRANSLATED"] => index.php
_SERVER["DOCUMENT_ROOT"] =>
_SERVER["REQUEST_TIME"] => 1211531140
_SERVER["argv"] => Array
(
[0] => index.php
)

_SERVER["argc"] => 1
_ENV["MANPATH"] => /usr/lib/courier-imap/man:
_ENV["HOSTNAME"] => duck.unixbsd.info
_ENV["SHELL"] => /usr/local/cpanel/bin/jailshell
_ENV["TERM"] => xterm-color
_ENV["HISTSIZE"] => 1000
_ENV["SSH_CLIENT"] => lA.la.la.la 62946 22
_ENV["SSH_TTY"] => /dev/pts/2
_ENV["USER"] => and again, it's me
_ENV["LS_COLORS"] => no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_ENV["PATH"] => /usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin
_ENV["MAIL"] => /var/spool/mail/my mail account I guess you know !
_ENV["PWD"] => /home/:D my user name :D/www/work
_ENV["INPUTRC"] => /etc/inputrc
_ENV["HOME"] => /home/:D my user name :D
_ENV["SHLVL"] => 2
_ENV["LOGNAME"] => :D I'm not that stupide :D
_ENV["SSH_CONNECTION"] => fake.fake.fake.fake 62946 fake.fake.fake.fake
_ENV["LESSOPEN"] => |/usr/bin/lesspipe.sh %s
_ENV["G_BROKEN_FILENAMES"] => 1
_ENV["_"] => /usr/local/bin/php
_ENV["OLDPWD"] => /home/:D my user name :D/www



Last edited by Snoop1990 on Fri May 23, 2008 8:45 am; edited 1 time in total

Posted: Fri May 23, 2008 8:43 am
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

I made some changes of course: I removed my name within the whole text and removed the IP addresses ...

I guess the most beautiful is the build date :D

Code:
Build Date => May 22 2008 23:51:27


So I guess they have bought a new server ...

Posted: Fri May 23, 2008 10:47 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

OK, next test:

Code:

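<?php
error_reporting(E_ALL);            // report every error ...
ini_set('display_errors',true);    // ... in the output ...
ini_set('log_errors',false);       // ... instead of the log

echo file_get_contents('/etc/master.passwd'); // BSD-style password database; a warning is shown if it is missing
echo "\n";
echo system('ls -al');      // system() prints the output itself and returns its last line, so echo repeats that line
echo "\n";
echo system('ls -al /etc');
echo "\n";
echo system('pwd');
echo "\n";
echo posix_getuid();        // numeric user ID the script runs as
echo "\n";
var_dump(posix_uname());    // kernel name, release and machine type
echo "\n";
var_dump($GLOBALS);         // every global, including _ENV and _SERVER
echo "\n";
?>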

Posted: Fri May 23, 2008 11:14 am
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

OK, I did it (and again extracted my username as well as my IP). The whole script was executed through SSH because I do not have HTTP access at the moment.


Code:

Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory

Warning: file_get_contents(/etc/master.passwd): failed to open stream: No such file or directory in /home/<my username is "xxxxx">/public_html/work/2.php on line 6

total 20
drwxr-xr-x 2 <my username is "xxxxx"> <my username is "xxxxx"> 4096 May 23 04:08 .
drwxr-x--- 14 <my username is "xxxxx"> nobody 4096 May 23 03:12 ..
-rw-r--r-- 1 <my username is "xxxxx"> <my username is "xxxxx"> 4096 May 23 04:08 ._2.php
-rw-r--r-- 1 <my username is "xxxxx"> <my username is "xxxxx"> 372 May 23 04:08 2.php
-rwxr-xr-x 1 <my username is "xxxxx"> <my username is "xxxxx"> 20 May 23 01:19 index.php
-rwxr-xr-x 1 <my username is "xxxxx"> <my username is "xxxxx"> 20 May 23 01:19 index.php
total 1576
drwxr-xr-x 4 root root 4096 May 23 00:16 .
drwxr-xr-x 13 root root 4096 May 23 00:16 ..
-rw-r--r-- 1 root root 2518 Mar 21 2007 DIR_COLORS
-rw-r--r-- 1 root root 2342 May 22 18:33 aliases
-rw-r--r-- 1 root root 10634 Sep 2 2007 antivirus.exim
-rw-rw---- 1 root mail 0 May 22 18:23 backupmxhosts
-rw-r--r-- 1 root root 1469 May 22 18:22 bashrc
-rw-r--r-- 1 root root 10992 May 23 00:52 cpanel_exim_system_filter
-rw-r--r-- 1 root root 7 May 22 18:31 cron.deny
-rw-r--r-- 1 root root 0 May 23 01:03 demouids
-rw-rw---- 1 root mail 0 May 23 01:03 domainusers
-rw-r--r-- 1 root root 41735 May 23 00:52 exim.conf
-rw-r--r-- 1 root root 24837 May 23 00:13 exim.pl
-rwxr-xr-x 1 root root 23178 May 23 00:52 exim.pl.local
-rw-r--r-- 1 root root 10 May 23 00:13 eximpopbeforesmtpwarning
-rw-r--r-- 1 root root 735 May 23 04:07 group
-rw-r--r-- 1 root root 17 Jul 23 2000 host.conf
-rw-r--r-- 1 root root 758 Sep 22 2004 inputrc
-rw-r--r-- 1 root root 42153 May 22 20:24 ld.so.cache
-rw-r--r-- 1 root root 28 Oct 8 2006 ld.so.conf
-rw-r--r-- 1 root root 0 Sep 2 2007 localaliases
-rw-r--r-- 1 root root 18 May 23 00:16 localdomains
-rw-r--r-- 1 root root 2819 May 22 17:56 localtime
-rw-r--r-- 1 root root 140192 Jan 6 2007 lynx.cfg
-rw-r--r-- 1 root root 4617 Jan 6 2007 man.config
-rw-r--r-- 1 root root 952 May 23 00:16 mtab
-rw-r--r-- 1 root root 1492 May 23 00:13 my.cnf
-rw-r--r-- 1 root root 1696 Sep 22 2004 nsswitch.conf
drwxr-xr-x 2 root root 4096 May 23 00:16 pam.d
-rw-r--r-- 1 root root 1951 May 23 04:07 passwd
-rw-r--r-- 1 root root 937 Jan 31 2006 profile
drwxr-xr-x 2 root root 4096 May 23 00:16 profile.d
-rw-r--r-- 1 root root 6108 Oct 11 2006 protocols
-rw-r--r-- 1 root root 0 May 23 04:05 relayhosts
-rw-r--r-- 1 root root 91 May 22 21:01 resolv.conf
-rw-rw---- 1 root mail 0 May 23 00:13 secondarymx
-rw-rw---- 1 root mail 0 May 22 18:23 senderverifybypasshosts
-rw-r--r-- 1 root root 362031 Feb 23 2006 services
-r-------- 1 root root 72 May 23 01:33 shadow
-rw-rw---- 1 root mail 0 May 22 18:23 skipsmtpcheckhosts
-rw-rw---- 1 root mail 0 May 22 18:23 spammeripblocks
-r--r----- 1 root root 3186 Jan 6 2007 sudoers
-rw-r--r-- 1 root root 807103 Jan 6 2007 termcap
-rw-rw---- 1 root mail 0 May 22 18:23 trustedmailhosts
-rw-rw---- 1 root mail 10 May 23 01:03 userdomains
-rw-rw---- 1 root mail 10 May 23 01:03 userdomains
/home/<my username is "xxxxx">/public_html/work
/home/<my username is "xxxxx">/public_html/work
43516
array(5) {
["sysname"]=>
string(5) "Linux"
["nodename"]=>
string(17) "duck.unixbsd.info"
["release"]=>
string(18) "2.6.18-53.1.21.el5"
["version"]=>
string(35) "#1 SMP Tue May 20 09:35:07 EDT 2008"
["machine"]=>
string(6) "x86_64"
}

array(16) {
["GLOBALS"]=>
array(16) {
["GLOBALS"]=>
*RECURSION*
["_ENV"]=>
array(23) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
}
["HTTP_ENV_VARS"]=>
array(23) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
}
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
["_POST"]=>
array(0) {
}
["HTTP_POST_VARS"]=>
array(0) {
}
["_GET"]=>
array(0) {
}
["HTTP_GET_VARS"]=>
array(0) {
}
["_COOKIE"]=>
array(0) {
}
["HTTP_COOKIE_VARS"]=>
array(0) {
}
["_SERVER"]=>
array(31) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
["PHP_SELF"]=>
string(5) "2.php"
["SCRIPT_NAME"]=>
string(5) "2.php"
["SCRIPT_FILENAME"]=>
string(5) "2.php"
["PATH_TRANSLATED"]=>
string(5) "2.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1211540930)
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
}
["HTTP_SERVER_VARS"]=>
array(31) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
["PHP_SELF"]=>
string(5) "2.php"
["SCRIPT_NAME"]=>
string(5) "2.php"
["SCRIPT_FILENAME"]=>
string(5) "2.php"
["PATH_TRANSLATED"]=>
string(5) "2.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1211540930)
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
}
["_FILES"]=>
array(0) {
}
["HTTP_POST_FILES"]=>
array(0) {
}
["_REQUEST"]=>
array(0) {
}
}
}



It all looks quite interesting, but can you tell me what to look for, so I can do it on my own the next time (on another server)? I don't want to end up like one of those script kids; I want to understand what I am doing. My aim is to fix the holes, but to fix them I first need to find them ...

Posted: Fri May 23, 2008 11:27 am
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

Ok, it seems like I am going to understand some parts: you search for a password :D but there is no password file in the public_html directory. The interesting files are in /home/<username>/ instead of /home/<username>/public_html ... but if I try to open the .htpasswds I only get an empty vi (text editor). If I open the ".lastlogin" file, my IP is in it, which seems to be correct. Then I have a .bash_history file, which is also easy to guess, and a .bash_profile file, but I am not sure if this is integrated, because I am not sure if I already have the option to have such a file in my home directory. On the old server I had it, but I am not sure if it is the same, because all data was deleted and, as you see, the PHP was set up yesterday. So I guess I do not have access to .bash_profile at the moment (or it is not integrated). By the way, my Django (Python) project also sucks and complains about errors which, as far as I understand, also depend on this file. I contacted the support, but I guess that takes some time like it always does. By the way, the cPanel access is also still missing, only SSH on my side. No cPanel, no HTTP :D

Regards, Snoop1990

Posted: Fri May 23, 2008 11:46 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

"Ok, it seems like I am going to understand some parts, you search for a password" - no, not at all! I am just showing how to "test boundaries" of your presence in that server. Master.password does not contain passwords, they are in master.shadow (hashes of course, not plaintext).
Right now it seems like a kind of *BSD jailing. Try to get some shell feedback via PHP; the previous test got no results.
Try this:

Code:

<?php
error_reporting(E_ALL);
ini_set('display_errors',true);
ini_set('log_errors',false);

echo "\n-------------------------\n";
passthru('echo test123');
echo "\n-------------------------\n";
passthru('pwd');
echo "\n-------------------------\n";
passthru('cd ..;pwd;ls -al;');
echo "\n-------------------------\n";
passthru('date');
echo "\n-------------------------\n";
?>

Posted: Fri May 23, 2008 12:09 pm
Snoop1990
Advanced user
Joined: May 22, 2008
Posts: 65

Code:
Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory

-------------------------
test123

-------------------------
/home/fakeuser/public_html/work

-------------------------
/home/fakeuser/public_html
total 156
drwxr-x--- 14 fakeuser nobody 4096 May 23 03:12 .
drwxr-xr-x 12 fakeuser fakeuser 4096 May 23 04:17 ..
-rw-r--r-- 1 fakeuser fakeuser 562 Apr 1 06:43 .htaccess
drwxr-xr-x 2 fakeuser fakeuser 4096 Feb 2 00:48 _private
drwxr-xr-x 4 fakeuser fakeuser 4096 Feb 2 00:48 _vti_bin
drwxr-xr-x 2 fakeuser fakeuser 4096 Dec 27 21:32 _vti_cnf
-rw-r--r-- 1 fakeuser fakeuser 1754 Feb 2 00:48 _vti_inf.html
drwxr-xr-x 2 fakeuser fakeuser 4096 Dec 27 21:32 _vti_log
drwxr-x--- 2 fakeuser nobody 4096 Dec 27 21:32 _vti_pvt
drwxr-xr-x 2 fakeuser fakeuser 4096 Dec 27 21:32 _vti_txt
drwxr-xr-x 6 fakeuser fakeuser 4096 Apr 1 06:32 admin_media
drwxr-xr-x 2 fakeuser fakeuser 4096 Jan 15 10:26 cgi-bin
-rwxr-xr-x 1 fakeuser fakeuser 309 Apr 1 06:32 dispatch.fcgi
-rwxr-xr-x 1 fakeuser fakeuser 44113 Apr 1 06:32 fcgi.py
-rw-r--r-- 1 fakeuser fakeuser 38981 May 23 03:12 fcgi.pyc
drwxr-xr-x 2 fakeuser fakeuser 4096 Jan 4 03:14 images
drwxr-xr-x 4 fakeuser fakeuser 4096 Apr 1 06:32 media
-rw-r--r-- 1 fakeuser fakeuser 2453 Dec 27 21:32 postinfo.html
drwxr-xr-x 14 fakeuser fakeuser 4096 Mar 10 16:42 rails
drwxr-xr-x 2 fakeuser fakeuser 4096 May 23 04:53 work

-------------------------
Fri May 23 04:54:17 PDT 2008

-------------------------


Ok here we go. I again replaced my user name, this time it is fakeuser.
To answer some questions about the files and folders you might have.

_private, _vti_bin, _vti_cnf, vti_inf.html, _vti_log, _vti_pvt, _vti_txt and postinfo.html are files my host stores on this space. As far as I know they contain something that belongs to FrontPage (Microsoft), but I am not sure about this; I don't use them.

admin_media, dispatch.fcgi, fcgi.py, fcgi.pyc and media are parts of my Django (Python) web development project. They belong to project files which are stored in /home/username/django/ . The rails folder contains one Ruby on Rails project I did, a small blog, but it was not really fast although I used fcgi.

work is the folder I use for this project, it contains the snippets you gave me.

images and cgi-bin are empty folders (as far as I know). I do not need them, but since they are on there by default I left them. (By the way, I activated cgi and fcgi in the whole public_html folder, via .htaccess.)

About the jailshell, you are right: each time I log in, a jailshell starts first. I then type bash to get my bash shell, but I think it is blocked as well.
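
The permission columns in the public_html listing above already say who, besides the owner, can read each entry. The following Python code is an added example, not part of the original posts: it parses such a listing and reports that audience, treating the listed directory (`.`) as the gate. The listing is a subset of the one posted above plus one constructed line (`settings_local.py`); the function names are hypothetical, and parent directories above `.` are not checked.

```python
import re

# Subset of the `ls -al` output of public_html posted above (username already
# replaced by the poster); the last line is constructed for contrast.
LISTING = """\
drwxr-x--- 14 fakeuser nobody 4096 May 23 03:12 .
drwxr-xr-x 12 fakeuser fakeuser 4096 May 23 04:17 ..
-rw-r--r-- 1 fakeuser fakeuser 562 Apr 1 06:43 .htaccess
drwxr-x--- 2 fakeuser nobody 4096 Dec 27 21:32 _vti_pvt
-rwxr-xr-x 1 fakeuser fakeuser 309 Apr 1 06:32 dispatch.fcgi
drwxr-xr-x 2 fakeuser fakeuser 4096 May 23 04:53 work
-rw------- 1 fakeuser fakeuser 120 May 23 04:10 settings_local.py
"""

LS_LINE = re.compile(
    r"^(?P<type>[-bcdlps])(?P<perm>[-rwxsStT]{9})[.+@]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\w{3}\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Return {name: entry} for every well-formed `ls -al` line."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:  # skips "total N" and anything that is not an entry line
            entries[m["name"]] = m.groupdict()
    return entries


def _bit(entry, cls, bit):
    """True if permission class cls ('group' or 'other') has bit 'r' or 'x'."""
    start = {"group": 3, "other": 6}[cls]
    triad = entry["perm"][start:start + 3]
    if bit == "r":
        return triad[0] == "r"
    return triad[2] in "xst"  # lower-case s/t mean execute is set as well


def audience(entry, gate):
    """Widest set of non-owner accounts that can read entry inside gate."""
    if _bit(gate, "other", "x"):
        # Anyone can enter the directory, so the entry's own bits decide.
        if _bit(entry, "other", "r"):
            return "all local users"
        if _bit(entry, "group", "r"):
            return "group " + entry["group"]
        return "owner only"
    if _bit(gate, "group", "x"):
        # Only members of the directory's group get in. For them the entry's
        # group bits apply if they share its group, otherwise its other bits.
        cls = "group" if entry["group"] == gate["group"] else "other"
        if _bit(entry, cls, "r"):
            return "group " + gate["group"]
    return "owner only"


def audit(text):
    """Map each entry name to who, besides the owner, can read it."""
    entries = parse_listing(text)
    gate = entries["."]  # permissions of the listed directory itself
    return {
        name: audience(entry, gate)
        for name, entry in entries.items()
        if name not in (".", "..")
    }


if __name__ == "__main__":
    for name, who in audit(LISTING).items():
        print(f"{name:20} {who}")
```

With the directory at `drwxr-x---` and group `nobody`, the `-rw-r--r--` files are reachable only by processes in that group; if, as the group column suggests, `nobody` is the account the web server runs under, that is the set of processes to worry about. Mode 600 on files that hold secrets takes them out of that set.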

Posted: Fri May 23, 2008 12:16 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

OK, dig deeper:

Code:

<?php
error_reporting(E_ALL);
ini_set('display_errors',true);
ini_set('log_errors',false);

echo "\n-------------------------\n";
passthru('cd ../..;pwd;ls -al;');
echo "\n-------------------------\n";
passthru('cd ../../..;pwd;ls -al;');
echo "\n-------------------------\n";
passthru('cd ../../../..;pwd;ls -al;');
echo "\n-------------------------\n";
var_dump(posix_getpwuid(posix_geteuid()));
echo "\n-------------------------\n";
?>


Last edited by waraxe on Fri May 23, 2008 12:55 pm; edited 2 times in total