 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 647
 Members: 0
 Total: 647
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
A few questions ... |
|
 Posted: Thu May 22, 2008 9:08 pm |
 |
|
| Snoop1990 |
| Advanced user |
 |
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
 |
|
 |
|
Hey,
I have a webside at profusehost.net (an free US Webhost, which is down at the moment cause of server issue (not my fault) ). Now I read several things about neighbor hacks and my question is how secure are my files ? Is it possible to get from one account into another (sign up is free so everybody can become my neighbor)? I mean some people talked about that it is quite easy as soon as you are able to execute code there are nearly no limits, ture ? It really scares me to read all this so I hope somebody in here might answer my questions.
Ahhh and just some more. ...
As far as I am familiar with hacking (did some (very) small hacks in my early kids time) you bruteforce the password or have a list with possible passwords or both. Then you run this process through a list of proxies (tunnel it via the http port). This way the time you need to crack a 12 character password is limited. So each password is going to be cracked if you just have enough time. Now my question is how to setup a password that changes in time ? what I want is a script (for unix based operation systems) which generates a new password each 5 to 10 minutes. The new password should be created by using the actual time as public key and a secret password as private key. Now the person who wants to login needs a specific tool to create the right password (from his private key and the time) (standard RSA). The bad thing is, if the hacker however gets the tool, which is used to generate the keys, he will be able to enter. But 99.99% of all brute force attacks won't succeed.
So my first question to the second part is, is it possible ? and which operation system is best to use FreeBSD ? a Linux version (maybe build from scratch)? Maybe somebody already build a similar system ?
These are my first questions more to follow ...
Regrades Snoop1990 |
|
_________________
http://snoop1990.co.cc
"I don't hack, I only surf the web to search for security holes ! To prevent my clients and me from being hacked !" |
|
|
|
|
|
|
|
| Posted: Thu May 22, 2008 9:40 pm |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
1. If you are hosting your website on shared server, then all depends on server admins professional level. It can be (almost) impossible to go from php level to opsystem shell (if safe_mode is on and security is tighten up) or even if shell access is possible, then cross-user file access can be prevented (suexec, etc). But i must say, that practically speaking most of the real world shared hosting servers are not secure enough against "cross-neighbour" attacks. So my suggestion is - try it out yourself and find out, how secure your hosting is.
2. You mean something like this?
http://en.wikipedia.org/wiki/One_time_password
But don't think, that online password bruteforce is so easy. No no no.
Even 6 chars long loweralpha is hard to crack via online bruteforce. And think about all the noise - thousands (or millions) log entries, IDS alerts, possible DoS conditions. And besides, usually there is some anti-brute-force solutions in place, which will lock out account or just slow down the auth proccess. And bruteforce via proxy or chain of proxies will be even slower. So if you have good password, then i dont think, that you should fear online bruteforce. Just avoid using same password in various places  |
|
|
|
|
|
|
|
|
| Posted: Thu May 22, 2008 9:50 pm |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
| waraxe wrote: | | So my suggestion is - try it out yourself and find out, how secure your hosting is. |
how to ? can you provide me some basic tutorial, so I can test my hosting service. (of course only on two accounts that both belong to me)
Yes, I just do not know the phrase to search for 
| waraxe wrote: |
... And bruteforce via proxy or chain of proxies will be even slower. ... |
This brings up another question, is it possible to be locked through and proxy ? I mean is it possible to resolve the hackers Ip behind the proxy ? |
|
|
|
|
|
|
|
|
| Posted: Thu May 22, 2008 10:03 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
There are various proxy-thingies: http proxies, socks, Tor (Onion Routing), bounchers, cgi-proxies, ...
Most common is http proxy. It can be non-anonymous (transparent), in this case proxy will emit X_FORWARDED_FOR or other http header and target server can "see", who is behind proxy. Next, there are truly anonymous proxies, and in this case hacking victim must contact with proxy owner and ask for logs. IF logs exist (there can be logging turned off, logs can be periodically deleted, hacker can delete logs and fromat HDD, etc) and IF proxy owner is willing to co-operate, then you can get one step closer to attacker. And if that ip address points to other proxy, then repeat this as many times as needed. Now think about proxy server in China or Somalia or Libya or in North Korea
Still, backtrace can be possible and all depends on power of the investigators. |
|
|
|
|
|
|
|
|
| Posted: Thu May 22, 2008 10:12 pm |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
| waraxe wrote: | And if that ip address points to other proxy, then repeat this as many times as needed. Now think about proxy server in China or Somalia or Libya or in North Korea
Still, backtrace can be possible and all depends on power of the investigators. |
So I guess such hackers are nearly impossible to get ... Maybe the FBI can but I cannot ...
The other thing is you suggested
| waraxe wrote: | | So my suggestion is - try it out yourself and find out, how secure your hosting is. |
So please give me some advice where to look for such information ... Thank you ! |
|
|
|
|
|
|
|
|
| Posted: Thu May 22, 2008 10:19 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
First:
| Code: |
<?php
phpinfo();
?>
|
This will show you lots of information about php configuration.
Look for "safe_mode", "disable_functions", "open_basedir", "log_errors", "upload_tmp_dir" and other settings.
If "safe_mode=Off", then let me know and i can suggest next tests. |
|
|
|
|
| Posted: Thu May 22, 2008 10:26 pm |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
| Ok, I am going to post the information as soon as the servers are back online. Thanks again. Regrades Snoop1990 |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 8:32 am |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
I did the phpinfo via bash, cause the http port is blocked (they still have to setup some things) ...
Here it is:
| Code: |
bash-3.1$ php index.php
Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory
phpinfo()
PHP Version => 5.2.6
System => Linux duck.unixbsd.info 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:35:07 EDT 2008 x86_64
Build Date => May 22 2008 23:51:27
Configure Command => './configure' '--enable-bcmath' '--enable-calendar' '--enable-dbase' '--enable-exif' '--enable-ftp' '--enable-gd-native-ttf' '--enable-libxml' '--enable-magic-quotes' '--enable-mbstring' '--enable-pdo=shared' '--enable-sockets' '--enable-zip' '--prefix=/usr/local' '--with-apxs=/usr/local/apache/bin/apxs' '--with-bz2' '--with-curl=/opt/curlssl/' '--with-curlwrappers' '--with-freetype-dir=/usr' '--with-gd' '--with-gettext' '--with-imap=/opt/php_with_imap_client/' '--with-imap-ssl=/usr' '--with-jpeg-dir=/usr' '--with-kerberos' '--with-libdir=lib64' '--with-libexpat-dir=/usr' '--with-libxml-dir=/opt/xml2/' '--with-mcrypt=/opt/libmcrypt/' '--with-mhash=/opt/mhash/' '--with-mysql=/usr' '--with-mysql-sock=/var/lib/mysql/mysql.sock' '--with-mysqli=/usr/bin/mysql_config' '--with-openssl=/usr' '--with-openssl-dir=/usr' '--with-pdo-mysql=shared' '--with-pdo-sqlite=shared' '--with-pic' '--with-png-dir=/usr' '--with-pspell' '--with-sqlite=shared' '--with-tidy=/opt/tidy/' '--with-ttf' '--with-xmlrpc' '--with-xpm-dir=/usr' '--with-xsl=/opt/xslt/' '--with-zlib' '--with-zlib-dir=/usr' '--without-iconv'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
PHP API => 20041225
PHP Extension => 20060613
Zend Extension => 220060519
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
IPv6 Support => enabled
Registered PHP Streams => zip, php, file, data, tftp, ftp, telnet, dict, http, https, ftps, compress.bzip2, compress.zlib
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters => string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, bzip2.*, zlib.*
This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
with Suhosin v0.9.23, Copyright (c) 2007, by SektionEins GmbH
with Zend Optimizer v3.3.3, Copyright (c) 1998-2007, by Zend Technologies
_______________________________________________________________________
Configuration
PHP Core
Directive => Local Value => Master Value
allow_call_time_pass_reference => On => On
allow_url_fopen => On => On
allow_url_include => Off => Off
always_populate_raw_post_data => Off => Off
arg_separator.input => & => &
arg_separator.output => & => &
asp_tags => Off => Off
auto_append_file => no value => no value
auto_globals_jit => On => On
auto_prepend_file => no value => no value
browscap => no value => no value
default_charset => no value => no value
default_mimetype => text/html => text/html
define_syslog_variables => Off => Off
disable_classes => no value => no value
disable_functions => no value => no value
display_errors => STDOUT => STDOUT
display_startup_errors => Off => Off
doc_root => no value => no value
docref_ext => no value => no value
docref_root => no value => no value
enable_dl => On => On
error_append_string => no value => no value
error_log => error_log => error_log
error_prepend_string => no value => no value
error_reporting => 6135 => 6135
expose_php => On => On
extension_dir => /usr/local/lib/php/extensions/no-debug-non-zts-20060613 => /usr/local/lib/php/extensions/no-debug-non-zts-20060613
file_uploads => On => On
highlight.bg => <font style="color: #FFFFFF">#FFFFFF</font> => <font style="color: #FFFFFF">#FFFFFF</font>
highlight.comment => <font style="color: #FF8000">#FF8000</font> => <font style="color: #FF8000">#FF8000</font>
highlight.default => <font style="color: #0000BB">#0000BB</font> => <font style="color: #0000BB">#0000BB</font>
highlight.html => <font style="color: #000000">#000000</font> => <font style="color: #000000">#000000</font>
highlight.keyword => <font style="color: #007700">#007700</font> => <font style="color: #007700">#007700</font>
highlight.string => <font style="color: #DD0000">#DD0000</font> => <font style="color: #DD0000">#DD0000</font>
html_errors => Off => Off
ignore_repeated_errors => Off => Off
ignore_repeated_source => Off => Off
ignore_user_abort => Off => Off
implicit_flush => On => On
include_path => .:/usr/lib/php:/usr/local/lib/php => .:/usr/lib/php:/usr/local/lib/php
log_errors => On => On
log_errors_max_len => 1024 => 1024
magic_quotes_gpc => On => On
magic_quotes_runtime => Off => Off
magic_quotes_sybase => Off => Off
mail.force_extra_parameters => no value => no value
max_execution_time => 0 => 0
max_input_nesting_level => 64 => 64
max_input_time => -1 => -1
memory_limit => 32M => 32M
open_basedir => no value => no value
output_buffering => 0 => 0
output_handler => no value => no value
post_max_size => 8M => 8M
precision => 12 => 12
realpath_cache_size => 16K => 16K
realpath_cache_ttl => 120 => 120
register_argc_argv => On => On
register_globals => Off => Off
register_long_arrays => On => On
report_memleaks => On => On
report_zend_debug => Off => Off
safe_mode => Off => Off
safe_mode_exec_dir => no value => no value
safe_mode_gid => Off => Off
safe_mode_include_dir => no value => no value
sendmail_from => no value => no value
sendmail_path => /usr/sbin/sendmail -t -i => /usr/sbin/sendmail -t -i
serialize_precision => 100 => 100
short_open_tag => On => On
SMTP => localhost => localhost
smtp_port => 25 => 25
sql.safe_mode => Off => Off
track_errors => Off => Off
unserialize_callback_func => no value => no value
upload_max_filesize => 2M => 2M
upload_tmp_dir => no value => no value
user_dir => no value => no value
variables_order => EGPCS => EGPCS
xmlrpc_error_number => 0 => 0
xmlrpc_errors => Off => Off
y2k_compliance => On => On
zend.ze1_compatibility_mode => Off => Off
bcmath
BCMath support => enabled
bz2
BZip2 Support => Enabled
Stream Wrapper support => compress.bz2://
Stream Filter support => bzip2.decompress, bzip2.compress
BZip2 Version => 1.0.3, 15-Feb-2005
calendar
Calendar support => enabled
ctype
ctype functions => enabled
curl
cURL support => enabled
cURL Information => libcurl/7.18.1 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
date
date/time support => enabled
"Olson" Timezone Database Version => 2008.2
Timezone Database => internal
Default timezone => America/Los_Angeles
Directive => Local Value => Master Value
date.default_latitude => 31.7667 => 31.7667
date.default_longitude => 35.2333 => 35.2333
date.sunrise_zenith => 90.583333 => 90.583333
date.sunset_zenith => 90.583333 => 90.583333
date.timezone => no value => no value
dom
DOM/XML => enabled
DOM/XML API Version => 20031129
libxml Version => 2.6.32
HTML Support => enabled
XPath Support => enabled
XPointer Support => enabled
Schema Support => enabled
RelaxNG Support => enabled
exif
EXIF Support => enabled
EXIF Version => 1.4 $Id: exif.c,v 1.173.2.5.2.25 2008/03/12 17:33:14 iliaa Exp $
Supported EXIF Version => 0220
Supported filetypes => JPEG,TIFF
filter
Input Validation and Filtering => enabled
Revision => $Revision: 1.52.2.42 $
Directive => Local Value => Master Value
filter.default => unsafe_raw => unsafe_raw
filter.default_flags => no value => no value
ftp
FTP support => enabled
gd
GD Support => enabled
GD Version => bundled (2.0.34 compatible)
FreeType Support => enabled
FreeType Linkage => with freetype
FreeType Version => 2.2.1
GIF Read Support => enabled
GIF Create Support => enabled
JPG Support => enabled
PNG Support => enabled
WBMP Support => enabled
XPM Support => enabled
XBM Support => enabled
gettext
GetText Support => enabled
hash
hash support => enabled
Hashing Engines => md2 md4 md5 sha1 sha256 sha384 sha512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru gost adler32 crc32 crc32b haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
imap
IMAP c-Client Version => 2004
SSL Support => enabled
Kerberos Support => enabled
json
json support => enabled
json version => 1.2.1
libxml
libXML support => active
libXML Version => 2.6.32
libXML streams => enabled
mbstring
Multibyte Support => enabled
Multibyte string engine => libmbfl
Multibyte (japanese) regex support => enabled
Multibyte regex (oniguruma) version => 4.4.4
Multibyte regex (oniguruma) backtrack check => On
mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.
Directive => Local Value => Master Value
mbstring.detect_order => no value => no value
mbstring.encoding_translation => Off => Off
mbstring.func_overload => 0 => 0
mbstring.http_input => pass => pass
mbstring.http_output => pass => pass
mbstring.internal_encoding => ISO-8859-1 => no value
mbstring.language => neutral => neutral
mbstring.strict_detection => Off => Off
mbstring.substitute_character => no value => no value
mcrypt
mcrypt support => enabled
Version => 2.5.7
Api No => 20021217
Supported ciphers => cast-128 gost rijndael-128 twofish arcfour cast-256 loki97 rijndael-192 saferplus wake blowfish-compat des rijndael-256 serpent xtea blowfish enigma rc2 tripledes
Supported modes => cbc cfb ctr ecb ncfb nofb ofb stream
Directive => Local Value => Master Value
mcrypt.algorithms_dir => no value => no value
mcrypt.modes_dir => no value => no value
mhash
MHASH support => Enabled
MHASH API Version => 20060101
mysql
MySQL Support => enabled
Active Persistent Links => 0
Active Links => 0
Client API version => 5.0.45
MYSQL_MODULE_TYPE => external
MYSQL_SOCKET => /var/lib/mysql/mysql.sock
MYSQL_INCLUDE => -I/usr/include/mysql
MYSQL_LIBS => -L/usr/lib64 -lmysqlclient
Directive => Local Value => Master Value
mysql.allow_persistent => On => On
mysql.connect_timeout => 60 => 60
mysql.default_host => no value => no value
mysql.default_password => no value => no value
mysql.default_port => no value => no value
mysql.default_socket => no value => no value
mysql.default_user => no value => no value
mysql.max_links => Unlimited => Unlimited
mysql.max_persistent => Unlimited => Unlimited
mysql.trace_mode => Off => Off
mysqli
MysqlI Support => enabled
Client API library version => 5.0.45
Client API header version => 5.0.45
MYSQLI_SOCKET => /var/lib/mysql/mysql.sock
Directive => Local Value => Master Value
mysqli.default_host => no value => no value
mysqli.default_port => 3306 => 3306
mysqli.default_pw => no value => no value
mysqli.default_socket => no value => no value
mysqli.default_user => no value => no value
mysqli.max_links => Unlimited => Unlimited
mysqli.reconnect => Off => Off
openssl
OpenSSL support => enabled
OpenSSL Version => OpenSSL 0.9.8b 04 May 2006
pcre
PCRE (Perl Compatible Regular Expressions) Support => enabled
PCRE Library Version => 7.6 2008-01-28
Directive => Local Value => Master Value
pcre.backtrack_limit => 100000 => 100000
pcre.recursion_limit => 100000 => 100000
PDO
PDO support => enabled
PDO drivers => sqlite, sqlite2, mysql
pdo_mysql
PDO Driver for MySQL, client library version => 5.0.45
pdo_sqlite
PDO Driver for SQLite 3.x => enabled
PECL Module version => (bundled) 1.0.1 $Id: pdo_sqlite.c,v 1.10.2.6.2.3 2007/12/31 07:20:10 sebastian Exp $
SQLite Library => 3.3.7
posix
Revision => $Revision: 1.70.2.3.2.18 $
pspell
PSpell Support => enabled
Reflection
Reflection => enabled
Version => $Id: php_reflection.c,v 1.164.2.33.2.50 2008/03/13 15:56:21 iliaa Exp $
session
Session Support => enabled
Registered save handlers => files user sqlite
Registered serializer handlers => php php_binary
Directive => Local Value => Master Value
session.auto_start => Off => Off
session.bug_compat_42 => On => On
session.bug_compat_warn => On => On
session.cache_expire => 180 => 180
session.cache_limiter => nocache => nocache
session.cookie_domain => no value => no value
session.cookie_httponly => Off => Off
session.cookie_lifetime => 0 => 0
session.cookie_path => / => /
session.cookie_secure => Off => Off
session.entropy_file => no value => no value
session.entropy_length => 0 => 0
session.gc_divisor => 100 => 100
session.gc_maxlifetime => 1440 => 1440
session.gc_probability => 1 => 1
session.hash_bits_per_character => 4 => 4
session.hash_function => 0 => 0
session.name => PHPSESSID => PHPSESSID
session.referer_check => no value => no value
session.save_handler => files => files
session.save_path => no value => no value
session.serialize_handler => php => php
session.use_cookies => On => On
session.use_only_cookies => Off => Off
session.use_trans_sid => 0 => 0
SimpleXML
Simplexml support => enabled
Revision => $Revision: 1.151.2.22.2.39 $
Schema support => enabled
sockets
Sockets Support => enabled
SourceGuardian
SourceGuardian Loader Support => enabled
SourceGuardian Loader Version => 7.0.1
SourceGuardian Loader Build Number => 0x0000000C
Directive => Local Value => Master Value
sourceguardian.restrict_unencoded => 0 => 0
SPL
SPL support => enabled
Interfaces => Countable, OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject
Classes => AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, DirectoryIterator, DomainException, EmptyIterator, FilterIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RegexIterator, RuntimeException, SimpleXMLIterator, SplFileInfo, SplFileObject, SplObjectStorage, SplTempFileObject, UnderflowException, UnexpectedValueException
SQLite
SQLite support => enabled
PECL Module version => 2.0-dev $Id: sqlite.c,v 1.166.2.13.2.10 2007/12/31 07:20:11 sebastian Exp $
SQLite Library => 2.8.17
SQLite Encoding => iso8859
Directive => Local Value => Master Value
sqlite.assoc_case => 0 => 0
standard
Regex Library => Bundled library enabled
Dynamic Library Support => enabled
Path to sendmail => /usr/sbin/sendmail -t -i
Directive => Local Value => Master Value
assert.active => 1 => 1
assert.bail => 0 => 0
assert.callback => no value => no value
assert.quiet_eval => 0 => 0
assert.warning => 1 => 1
auto_detect_line_endings => 0 => 0
default_socket_timeout => 60 => 60
safe_mode_allowed_env_vars => PHP_ => PHP_
safe_mode_protected_env_vars => LD_LIBRARY_PATH => LD_LIBRARY_PATH
url_rewriter.tags => a=href,area=href,frame=src,input=src,form=,fieldset= => a=href,area=href,frame=src,input=src,form=,fieldset=
user_agent => no value => no value
suhosin
This server is protected with the Suhosin Extension 0.9.23
Copyright (c) 2006-2007 Hardened-PHP Project
Copyright (c) 2007 SektionEins GmbH
Directive => Local Value => Master Value
suhosin.apc_bug_workaround => Off => Off
suhosin.cookie.checkraddr => 0 => 0
suhosin.cookie.cryptdocroot => On => On
suhosin.cookie.cryptkey => [ protected ] => [ protected ]
suhosin.cookie.cryptlist => no value => no value
suhosin.cookie.cryptraddr => 0 => 0
suhosin.cookie.cryptua => On => On
suhosin.cookie.disallow_nul => 1 => 1
suhosin.cookie.disallow_ws => 1 => 1
suhosin.cookie.encrypt => Off => Off
suhosin.cookie.max_array_depth => 50 => 50
suhosin.cookie.max_array_index_length => 64 => 64
suhosin.cookie.max_name_length => 64 => 64
suhosin.cookie.max_totalname_length => 256 => 256
suhosin.cookie.max_value_length => 10000 => 10000
suhosin.cookie.max_vars => 100 => 100
suhosin.cookie.plainlist => no value => no value
suhosin.coredump => Off => Off
suhosin.disable.display_errors => Off => Off
suhosin.executor.allow_symlink => Off => Off
suhosin.executor.disable_emodifier => Off => Off
suhosin.executor.disable_eval => Off => Off
suhosin.executor.eval.blacklist => no value => no value
suhosin.executor.eval.whitelist => no value => no value
suhosin.executor.func.blacklist => no value => no value
suhosin.executor.func.whitelist => no value => no value
suhosin.executor.include.blacklist => no value => no value
suhosin.executor.include.max_traversal => 0 => 0
suhosin.executor.include.whitelist => no value => no value
suhosin.executor.max_depth => 0 => 0
suhosin.filter.action => no value => no value
suhosin.get.disallow_nul => 1 => 1
suhosin.get.disallow_ws => 0 => 0
suhosin.get.max_array_depth => 50 => 50
suhosin.get.max_array_index_length => 64 => 64
suhosin.get.max_name_length => 64 => 64
suhosin.get.max_totalname_length => 256 => 256
suhosin.get.max_value_length => 512 => 512
suhosin.get.max_vars => 100 => 100
suhosin.log.file => 0 => 0
suhosin.log.file.name => no value => no value
suhosin.log.phpscript => 0 => 0
suhosin.log.phpscript.is_safe => Off => Off
suhosin.log.phpscript.name => no value => no value
suhosin.log.sapi => 0 => 0
suhosin.log.script => 0 => 0
suhosin.log.script.name => no value => no value
suhosin.log.syslog => no value => no value
suhosin.log.syslog.facility => no value => no value
suhosin.log.syslog.priority => no value => no value
suhosin.log.use-x-forwarded-for => Off => Off
suhosin.mail.protect => 0 => 0
suhosin.memory_limit => 0 => 0
suhosin.multiheader => Off => Off
suhosin.perdir => 0 => 0
suhosin.post.disallow_nul => 1 => 1
suhosin.post.disallow_ws => 0 => 0
suhosin.post.max_array_depth => 50 => 50
suhosin.post.max_array_index_length => 64 => 64
suhosin.post.max_name_length => 64 => 64
suhosin.post.max_totalname_length => 256 => 256
suhosin.post.max_value_length => 65000 => 65000
suhosin.post.max_vars => 200 => 200
suhosin.protectkey => On => On
suhosin.request.disallow_nul => 1 => 1
suhosin.request.disallow_ws => 0 => 0
suhosin.request.max_array_depth => 50 => 50
suhosin.request.max_array_index_length => 64 => 64
suhosin.request.max_totalname_length => 256 => 256
suhosin.request.max_value_length => 65000 => 65000
suhosin.request.max_varname_length => 64 => 64
suhosin.request.max_vars => 200 => 200
suhosin.server.encode => On => On
suhosin.server.strip => On => On
suhosin.session.checkraddr => 0 => 0
suhosin.session.cryptdocroot => On => On
suhosin.session.cryptkey => [ protected ] => [ protected ]
suhosin.session.cryptraddr => 0 => 0
suhosin.session.cryptua => On => On
suhosin.session.encrypt => On => On
suhosin.session.max_id_length => 128 => 128
suhosin.simulation => Off => Off
suhosin.sql.bailout_on_error => Off => Off
suhosin.sql.comment => 0 => 0
suhosin.sql.multiselect => 0 => 0
suhosin.sql.opencomment => 0 => 0
suhosin.sql.union => 0 => 0
suhosin.sql.user_postfix => no value => no value
suhosin.sql.user_prefix => no value => no value
suhosin.stealth => On => On
suhosin.upload.disallow_binary => 0 => 0
suhosin.upload.disallow_elf => 1 => 1
suhosin.upload.max_uploads => 25 => 25
suhosin.upload.remove_binary => 0 => 0
suhosin.upload.verification_script => no value => no value
tidy
Tidy support => enabled
libTidy Release => 6 November 2007
Extension Version => 2.0 ($Id: tidy.c,v 1.66.2.8.2.25 2007/12/31 07:20:14 sebastian Exp $)
Directive => Local Value => Master Value
tidy.clean_output => 0 => 0
tidy.default_config => no value => no value
tokenizer
Tokenizer Support => enabled
xml
XML Support => active
XML Namespace Support => active
EXPAT Version => expat_1.95.8
xmlreader
XMLReader => enabled
xmlrpc
core library version => xmlrpc-epi v. 0.51
php extension version => 0.51
author => Dan Libby
homepage => http://xmlrpc-epi.sourceforge.net
open sourced by => Epinions.com
xmlwriter
XMLWriter => enabled
xsl
XSL => enabled
libxslt Version => 1.1.23
libxslt compiled against libxml Version => 2.6.32
EXSLT => enabled
libexslt Version => 1.1.23
Zend Optimizer
Optimization Pass 1 => enabled
Optimization Pass 2 => enabled
Optimization Pass 3 => enabled
Optimization Pass 4 => enabled
Optimization Pass 9 => enabled
Zend Loader => enabled
License Path =>
Obfuscation level => 3
zip
Zip => enabled
Extension Version => $Id: php_zip.c,v 1.1.2.43 2008/01/18 00:51:38 pajoye Exp $
Zip version => 1.8.11
Libzip version => 0.8.0-compatible
zlib
ZLib Support => enabled
Stream Wrapper support => compress.zlib://
Stream Filter support => zlib.inflate, zlib.deflate
Compiled Version => 1.2.3
Linked Version => 1.2.3
Directive => Local Value => Master Value
zlib.output_compression => Off => Off
zlib.output_compression_level => -1 => -1
zlib.output_handler => no value => no value
Additional Modules
Module Name
dbase
Environment
Variable => Value
MANPATH => /usr/lib/courier-imap/man:
HOSTNAME => duck.unixbsd.info
SHELL => /usr/local/cpanel/bin/jailshell
TERM => xterm-color
HISTSIZE => 1000
SSH_CLIENT => la.la.la.la 62946 22
SSH_TTY => /dev/pts/2
USER => :D I don't think this is relevant at any point
LS_COLORS => no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
PATH => /usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin
MAIL => /var/spool/mail/:D my username, I don't want you to know this
PWD => /home/:D again my username/www/work
INPUTRC => /etc/inputrc
HOME => /home/I use this so you don't have to
SHLVL => 2
LOGNAME => Top secret that's me !
SSH_CONNECTION => fake.fake.fake.fake 62946 fake.fake.fake.fake
LESSOPEN => |/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES => 1
_ => /usr/local/bin/php
OLDPWD => /home/again my username/www
PHP Variables
Variable => Value
_SERVER["MANPATH"] => /usr/lib/courier-imap/man:
_SERVER["HOSTNAME"] => duck.unixbsd.info
_SERVER["SHELL"] => /usr/local/cpanel/bin/jailshell
_SERVER["TERM"] => xterm-color
_SERVER["HISTSIZE"] => 1000
_SERVER["SSH_CLIENT"] => fake.fake.fake.Ip 62946 22
_SERVER["SSH_TTY"] => /dev/pts/2
_SERVER["USER"] => it's my Mario
_SERVER["LS_COLORS"] => no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_SERVER["PATH"] => /usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin
_SERVER["MAIL"] => /var/spool/mail/who care about who I am
_SERVER["PWD"] => /home/my account/www/work
_SERVER["INPUTRC"] => /etc/inputrc
_SERVER["HOME"] => /home/my account also as a home directory
_SERVER["SHLVL"] => 2
_SERVER["LOGNAME"] => that's me again
_SERVER["SSH_CONNECTION"] => fake.fake.fake.fake 62946 fake.fake.fake.fake
_SERVER["LESSOPEN"] => |/usr/bin/lesspipe.sh %s
_SERVER["G_BROKEN_FILENAMES"] => 1
_SERVER["_"] => /usr/local/bin/php
_SERVER["OLDPWD"] => /home/blub blub blub was here/www
_SERVER["PHP_SELF"] => index.php
_SERVER["SCRIPT_NAME"] => index.php
_SERVER["SCRIPT_FILENAME"] => index.php
_SERVER["PATH_TRANSLATED"] => index.php
_SERVER["DOCUMENT_ROOT"] =>
_SERVER["REQUEST_TIME"] => 1211531140
_SERVER["argv"] => Array
(
[0] => index.php
)
_SERVER["argc"] => 1
_ENV["MANPATH"] => /usr/lib/courier-imap/man:
_ENV["HOSTNAME"] => duck.unixbsd.info
_ENV["SHELL"] => /usr/local/cpanel/bin/jailshell
_ENV["TERM"] => xterm-color
_ENV["HISTSIZE"] => 1000
_ENV["SSH_CLIENT"] => lA.la.la.la 62946 22
_ENV["SSH_TTY"] => /dev/pts/2
_ENV["USER"] => and again, it's me
_ENV["LS_COLORS"] => no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
_ENV["PATH"] => /usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin
_ENV["MAIL"] => /var/spool/mail/my mail account I guess you know !
_ENV["PWD"] => /home/:D my user name :D/www/work
_ENV["INPUTRC"] => /etc/inputrc
_ENV["HOME"] => /home/:D my user name :D
_ENV["SHLVL"] => 2
_ENV["LOGNAME"] => :D I'm not that stupide :D
_ENV["SSH_CONNECTION"] => fake.fake.fake.fake 62946 fake.fake.fake.fake
_ENV["LESSOPEN"] => |/usr/bin/lesspipe.sh %s
_ENV["G_BROKEN_FILENAMES"] => 1
_ENV["_"] => /usr/local/bin/php
_ENV["OLDPWD"] => /home/:D my user name :D/www
|
|
|
Last edited by Snoop1990 on Fri May 23, 2008 8:45 am; edited 1 time in total |
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 8:43 am |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
I did some changes of course, removed my name with in the hole text and removed the IP addresses ...
I guess the most beautiful is the build date 
| Code: | | Build Date => May 22 2008 23:51:27 |
So I guess they have bought a new server ... |
|
|
|
|
| Posted: Fri May 23, 2008 10:47 am |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
OK, next test:
| Code: |
<?php
error_reporting(E_ALL);
ini_set('display_errors',true);
ini_set('log_errors',false);
echo file_get_contents('/etc/master.passwd');
echo "\n";
echo system('ls -al');
echo "\n";
echo system('ls -al /etc');
echo "\n";
echo system('pwd');
echo "\n";
echo posix_getuid();
echo "\n";
var_dump(posix_uname());
echo "\n";
var_dump($GLOBALS);
echo "\n";
?>
|
|
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 11:14 am |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
Ok, I did it (and again extracted my username as well as my IP) the hole script was executed through ssh cause I do not have http access at the moment.
| Code: |
Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory
Warning: file_get_contents(/etc/master.passwd): failed to open stream: No such file or directory in /home/<my username is "xxxxx">/public_html/work/2.php on line 6
total 20
drwxr-xr-x 2 <my username is "xxxxx"> <my username is "xxxxx"> 4096 May 23 04:08 .
drwxr-x--- 14 <my username is "xxxxx"> nobody 4096 May 23 03:12 ..
-rw-r--r-- 1 <my username is "xxxxx"> <my username is "xxxxx"> 4096 May 23 04:08 ._2.php
-rw-r--r-- 1 <my username is "xxxxx"> <my username is "xxxxx"> 372 May 23 04:08 2.php
-rwxr-xr-x 1 <my username is "xxxxx"> <my username is "xxxxx"> 20 May 23 01:19 index.php
-rwxr-xr-x 1 <my username is "xxxxx"> <my username is "xxxxx"> 20 May 23 01:19 index.php
total 1576
drwxr-xr-x 4 root root 4096 May 23 00:16 .
drwxr-xr-x 13 root root 4096 May 23 00:16 ..
-rw-r--r-- 1 root root 2518 Mar 21 2007 DIR_COLORS
-rw-r--r-- 1 root root 2342 May 22 18:33 aliases
-rw-r--r-- 1 root root 10634 Sep 2 2007 antivirus.exim
-rw-rw---- 1 root mail 0 May 22 18:23 backupmxhosts
-rw-r--r-- 1 root root 1469 May 22 18:22 bashrc
-rw-r--r-- 1 root root 10992 May 23 00:52 cpanel_exim_system_filter
-rw-r--r-- 1 root root 7 May 22 18:31 cron.deny
-rw-r--r-- 1 root root 0 May 23 01:03 demouids
-rw-rw---- 1 root mail 0 May 23 01:03 domainusers
-rw-r--r-- 1 root root 41735 May 23 00:52 exim.conf
-rw-r--r-- 1 root root 24837 May 23 00:13 exim.pl
-rwxr-xr-x 1 root root 23178 May 23 00:52 exim.pl.local
-rw-r--r-- 1 root root 10 May 23 00:13 eximpopbeforesmtpwarning
-rw-r--r-- 1 root root 735 May 23 04:07 group
-rw-r--r-- 1 root root 17 Jul 23 2000 host.conf
-rw-r--r-- 1 root root 758 Sep 22 2004 inputrc
-rw-r--r-- 1 root root 42153 May 22 20:24 ld.so.cache
-rw-r--r-- 1 root root 28 Oct 8 2006 ld.so.conf
-rw-r--r-- 1 root root 0 Sep 2 2007 localaliases
-rw-r--r-- 1 root root 18 May 23 00:16 localdomains
-rw-r--r-- 1 root root 2819 May 22 17:56 localtime
-rw-r--r-- 1 root root 140192 Jan 6 2007 lynx.cfg
-rw-r--r-- 1 root root 4617 Jan 6 2007 man.config
-rw-r--r-- 1 root root 952 May 23 00:16 mtab
-rw-r--r-- 1 root root 1492 May 23 00:13 my.cnf
-rw-r--r-- 1 root root 1696 Sep 22 2004 nsswitch.conf
drwxr-xr-x 2 root root 4096 May 23 00:16 pam.d
-rw-r--r-- 1 root root 1951 May 23 04:07 passwd
-rw-r--r-- 1 root root 937 Jan 31 2006 profile
drwxr-xr-x 2 root root 4096 May 23 00:16 profile.d
-rw-r--r-- 1 root root 6108 Oct 11 2006 protocols
-rw-r--r-- 1 root root 0 May 23 04:05 relayhosts
-rw-r--r-- 1 root root 91 May 22 21:01 resolv.conf
-rw-rw---- 1 root mail 0 May 23 00:13 secondarymx
-rw-rw---- 1 root mail 0 May 22 18:23 senderverifybypasshosts
-rw-r--r-- 1 root root 362031 Feb 23 2006 services
-r-------- 1 root root 72 May 23 01:33 shadow
-rw-rw---- 1 root mail 0 May 22 18:23 skipsmtpcheckhosts
-rw-rw---- 1 root mail 0 May 22 18:23 spammeripblocks
-r--r----- 1 root root 3186 Jan 6 2007 sudoers
-rw-r--r-- 1 root root 807103 Jan 6 2007 termcap
-rw-rw---- 1 root mail 0 May 22 18:23 trustedmailhosts
-rw-rw---- 1 root mail 10 May 23 01:03 userdomains
-rw-rw---- 1 root mail 10 May 23 01:03 userdomains
/home/<my username is "xxxxx">/public_html/work
/home/<my username is "xxxxx">/public_html/work
43516
array(5) {
["sysname"]=>
string(5) "Linux"
["nodename"]=>
string(17) "duck.unixbsd.info"
["release"]=>
string(18) "2.6.18-53.1.21.el5"
["version"]=>
string(35) "#1 SMP Tue May 20 09:35:07 EDT 2008"
["machine"]=>
string(6) "x86_64"
}
array(16) {
["GLOBALS"]=>
array(16) {
["GLOBALS"]=>
*RECURSION*
["_ENV"]=>
array(23) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
}
["HTTP_ENV_VARS"]=>
array(23) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
}
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
["_POST"]=>
array(0) {
}
["HTTP_POST_VARS"]=>
array(0) {
}
["_GET"]=>
array(0) {
}
["HTTP_GET_VARS"]=>
array(0) {
}
["_COOKIE"]=>
array(0) {
}
["HTTP_COOKIE_VARS"]=>
array(0) {
}
["_SERVER"]=>
array(31) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
["PHP_SELF"]=>
string(5) "2.php"
["SCRIPT_NAME"]=>
string(5) "2.php"
["SCRIPT_FILENAME"]=>
string(5) "2.php"
["PATH_TRANSLATED"]=>
string(5) "2.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1211540930)
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
}
["HTTP_SERVER_VARS"]=>
array(31) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
["PHP_SELF"]=>
string(5) "2.php"
["SCRIPT_NAME"]=>
string(5) "2.php"
["SCRIPT_FILENAME"]=>
string(5) "2.php"
["PATH_TRANSLATED"]=>
string(5) "2.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1211540930)
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
}
["_FILES"]=>
array(0) {
}
["HTTP_POST_FILES"]=>
array(0) {
}
["_REQUEST"]=>
array(0) {
}
}
["_ENV"]=>
array(23) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
}
["HTTP_ENV_VARS"]=>
array(23) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
}
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
["_POST"]=>
array(0) {
}
["HTTP_POST_VARS"]=>
array(0) {
}
["_GET"]=>
array(0) {
}
["HTTP_GET_VARS"]=>
array(0) {
}
["_COOKIE"]=>
array(0) {
}
["HTTP_COOKIE_VARS"]=>
array(0) {
}
["_SERVER"]=>
array(31) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
["PHP_SELF"]=>
string(5) "2.php"
["SCRIPT_NAME"]=>
string(5) "2.php"
["SCRIPT_FILENAME"]=>
string(5) "2.php"
["PATH_TRANSLATED"]=>
string(5) "2.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1211540930)
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
}
["HTTP_SERVER_VARS"]=>
array(31) {
["MANPATH"]=>
string(26) "/usr/lib/courier-imap/man:"
["HOSTNAME"]=>
string(17) "duck.unixbsd.info"
["SHELL"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
["TERM"]=>
string(11) "xterm-color"
["HISTSIZE"]=>
string(4) "1000"
["SSH_CLIENT"]=>
string(22) "fake.fake.fake.IP 61193 22"
["SSH_TTY"]=>
string(10) "/dev/pts/0"
["USER"]=>
string(5) "<my username is "xxxxx">"
["LS_COLORS"]=>
string(440) "no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:"
["PATH"]=>
string(129) "/usr/kerberos/bin:/usr/lib/courier-imap/bin:/usr/local/bin:/bin:/usr/bin:/home/<my username is "xxxxx">/bin:/home/<my username is "xxxxx">/django/django_src/django/bin"
["MAIL"]=>
string(21) "/var/spool/mail/<my username is "xxxxx">"
["PWD"]=>
string(28) "/home/<my username is "xxxxx">/public_html/work"
["INPUTRC"]=>
string(12) "/etc/inputrc"
["DJANGO_SETTINGS_MODULE"]=>
string(18) "snoop1990.settings"
["HOME"]=>
string(11) "/home/<my username is "xxxxx">"
["SHLVL"]=>
string(1) "2"
["LOGNAME"]=>
string(5) "<my username is "xxxxx">"
["PYTHONPATH"]=>
string(65) ":/home/<my username is "xxxxx">/django/django_src:/home/<my username is "xxxxx">/django/django_projects"
["SSH_CONNECTION"]=>
string(36) "fake.fake.fake.IP 61193 208.87.241.96 22"
["LESSOPEN"]=>
string(24) "|/usr/bin/lesspipe.sh %s"
["G_BROKEN_FILENAMES"]=>
string(1) "1"
["_"]=>
string(18) "/usr/local/bin/php"
["OLDPWD"]=>
string(23) "/home/<my username is "xxxxx">/public_html"
["PHP_SELF"]=>
string(5) "2.php"
["SCRIPT_NAME"]=>
string(5) "2.php"
["SCRIPT_FILENAME"]=>
string(5) "2.php"
["PATH_TRANSLATED"]=>
string(5) "2.php"
["DOCUMENT_ROOT"]=>
string(0) ""
["REQUEST_TIME"]=>
int(1211540930)
["argv"]=>
array(1) {
[0]=>
string(5) "2.php"
}
["argc"]=>
int(1)
}
["_FILES"]=>
array(0) {
}
["HTTP_POST_FILES"]=>
array(0) {
}
["_REQUEST"]=>
array(0) {
}
}
|
It all looks quiet interesting, but can you tell me what to look for ? so I can do it on my own the next time (on another server). I don't want to end up like one of those script kids I want to understand what I am doing. My aim is to fix the holes, but to fix them I first need to find them ... |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 11:27 am |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
Ok, it seems like I am going to understand some parts, you search for a password but there is no password file in the public_html directory. The interesing files are in /home/<username>/ instead of /home/<username>/public_html ... but if I try to open the .htpasswds I only get an empty vi (text editor). If I open the ".lastlogin" file there is my Ip in it, that seems to be corret, then I have a .bash_history file which is also easy to guess and an .bash_profile file, but I am not sure if this is integrated, cause I am no sure if I already have the option to have such a file in my home directory, on the old server I had, but I am not sure if it is the same, cause all data was deleted and as you see the php was set up yesterday. So I guess I do not have access to .bash_profile at the moment (or it is not integrated). By the way my django (python) project also sucks and complains about errors which as far as I understand also depend on this file. I contacted the support but I guess that takes some time like it always does. By the way the cpanel access is also still missing, only ssh on my side. no cpanel no http
Regrades Snoop1990 |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 11:46 am |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
"Ok, it seems like I am going to understand some parts, you search for a password" - no, not at all! I am just showing, how to "test boundaries" of your presence in that server. Master.password does not contain passswords, they are in master.shadow (hashes of course, not plaintext).
Right now it seems like kind of *bsd jailing. Try to get some shell feedback via php, previous test got no results.
Try this:
| Code: |
<?php
error_reporting(E_ALL);
ini_set('display_errors',true);
ini_set('log_errors',false);
echo "\n-------------------------\n";
passthru('echo test123');
echo "\n-------------------------\n";
passthru('pwd');
echo "\n-------------------------\n";
passthru('cd ..;pwd;ls -al;');
echo "\n-------------------------\n";
passthru('date');
echo "\n-------------------------\n";
?>
|
|
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 12:09 pm |
|
|
| Snoop1990 |
| Advanced user |
|
| |
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
| Code: | Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory
-------------------------
test123
-------------------------
/home/fakeuser/public_html/work
-------------------------
/home/fakeuser/public_html
total 156
drwxr-x--- 14 fakeuser nobody 4096 May 23 03:12 .
drwxr-xr-x 12 fakeuser fakeuser 4096 May 23 04:17 ..
-rw-r--r-- 1 fakeuser fakeuser 562 Apr 1 06:43 .htaccess
drwxr-xr-x 2 fakeuser fakeuser 4096 Feb 2 00:48 _private
drwxr-xr-x 4 fakeuser fakeuser 4096 Feb 2 00:48 _vti_bin
drwxr-xr-x 2 fakeuser fakeuser 4096 Dec 27 21:32 _vti_cnf
-rw-r--r-- 1 fakeuser fakeuser 1754 Feb 2 00:48 _vti_inf.html
drwxr-xr-x 2 fakeuser fakeuser 4096 Dec 27 21:32 _vti_log
drwxr-x--- 2 fakeuser nobody 4096 Dec 27 21:32 _vti_pvt
drwxr-xr-x 2 fakeuser fakeuser 4096 Dec 27 21:32 _vti_txt
drwxr-xr-x 6 fakeuser fakeuser 4096 Apr 1 06:32 admin_media
drwxr-xr-x 2 fakeuser fakeuser 4096 Jan 15 10:26 cgi-bin
-rwxr-xr-x 1 fakeuser fakeuser 309 Apr 1 06:32 dispatch.fcgi
-rwxr-xr-x 1 fakeuser fakeuser 44113 Apr 1 06:32 fcgi.py
-rw-r--r-- 1 fakeuser fakeuser 38981 May 23 03:12 fcgi.pyc
drwxr-xr-x 2 fakeuser fakeuser 4096 Jan 4 03:14 images
drwxr-xr-x 4 fakeuser fakeuser 4096 Apr 1 06:32 media
-rw-r--r-- 1 fakeuser fakeuser 2453 Dec 27 21:32 postinfo.html
drwxr-xr-x 14 fakeuser fakeuser 4096 Mar 10 16:42 rails
drwxr-xr-x 2 fakeuser fakeuser 4096 May 23 04:53 work
-------------------------
Fri May 23 04:54:17 PDT 2008
-------------------------
|
Ok here we go. I again replaced my user name, this time it is fakeuser.
To answer some questions about the files and folders you might have.
_private, _vti_bin, _vti_cnf, vti_inf.html, _vti_log, _vti_pvt, _vti_txt and postinfo.html are files my host stores on this space, as far as I know they contain something that belongs to frontpage (Microsoft) but I am not sure about this, I don't use them.
admin_media, dispatch.fcgi, fcgi.py, fcgi.pyc and media are parts of my django (python) webdevelopment project. They belong to project files which are stored in /home/username/django/ . The rails folder contains one ruby on rails project I did, a small blog, but it was not really fast although I used fcgi.
work is the folder I use for this project, it contains the snippets you gave me.
images and cgi-bin are empty folders (as far as I know), I do not need them but since they are on there by default I left them. (by the way i activated cgi and fcgi in the hole public_html folder, via .htaccess.
About the jailshell, you are right each time I login first a jailshell starts, I then type bash to get my bash shell but I think it is blocked as well. |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 12:16 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
ok, digg deeper:
| Code: |
<?php
error_reporting(E_ALL);
ini_set('display_errors',true);
ini_set('log_errors',false);
echo "\n-------------------------\n";
passthru('cd ../..;pwd;ls -al;');
echo "\n-------------------------\n";
passthru('cd ../../..;pwd;ls -al;');
echo "\n-------------------------\n";
passthru('cd ../../../..;pwd;ls -al;');
echo "\n-------------------------\n";
var_dump(posix_getpwuid(posix_geteuid());
echo "\n-------------------------\n";
?>
|
|
|
Last edited by waraxe on Fri May 23, 2008 12:55 pm; edited 2 times in total |
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2 Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
