Exploit Lesson 2

Views: 6292 - Replies: 38  
01-12-2005, 08:05 PM   #1
slysnake
Cheshire Cat
Join Date: Jan 2005
Posts: 5,507
Threads: 315

Earlier I wrote an article on first steps in exploiting: looking for weak directories. At that time I was asked if there would be a series of such articles. I don't know what the future holds... but here is article two if anyone is interested.

Again I think I can get away with putting this in public because it is basically harmless. But it can be vital information for understanding how things work.



Exploiting step 2: Directory Traversal

Right...What the hell is that?

It is good at this point to understand a little about directory structures in unix. Why unix? Because most servers holding the information you want will be running it. Unix is often referred to as using a directory tree structure. The root of the tree is / . The location of any file on this tree is described as its path. That is what is meant when you put a path in Triton. You are looking for a specific place on a server to see if it is open. So let's say we want the add-pass.cgi of a site. We might find it at this kind of a path: /home/somesite.com/cgi-bin/add-pass.cgi. Or in URL form, http://www.somesite.com/cgi-bin/add-pass.cgi. So in Triton you put http://somesite.com as the site and /cgi-bin/add-pass.cgi in the path section.

The next thing that is important to know is that in the unix directory structure . (dot) represents the directory you are in and .. (two dots) represents the next directory back on the tree. This is really the key. You will see how in just a minute. But first.......

What do we ultimately want? Why the passfile of course. But where is it???

The passfile will be kept in a directory that you can't access directly. It is often called .htpasswd but doesn't have to be. Now if it couldn't be accessed then members couldn't connect to the site and it would soon go out of business. So there is a special file that leads to the .htpasswd file. It is called .htaccess. If we can see this file we will know where the passfile is. But unless the webmaster is a real idiot this file will not be allowed for us to read, so how can we see it??

Let's look at the URL of a site: http://www.somesite.com. Take out the http:// and this is basically a path to a place on the server. Think of it as /home/www/somesite.com. Anything added is a new place on the tree, like the members section for instance: /home/www/somesite.com/members. Or if the site has some samples on the first page you might see something like this as a URL: http://www.somesite.com/sample.php?file=2.

In this example the sample.php is a script that is going to retrieve a picture file for us, file 2.

Hmmmm.... If the script will fetch that file for us perhaps it will fetch a different file. Let's try http://www.somesite.com/sample.php?file=.htaccess. Nope, just returns "You are not authorized". Damn. But wait! We know the .htaccess file is located in the members directory because it has to be world reachable yet at the same time restricted so we can't see it. (OK this is a simplification. Experienced exploiters need to look the other way here. hehe) So let's try http://www.somesite.com/sample.php?file=members/.htaccess. Nope, still didn't work. But since we understand the directory structure of unix, what if we try http://www.somesite.com/sample.php?file=../members/.htaccess
AHH!!! It worked. What happened? By putting in the ../ we traversed back a directory in the tree and the file was opened.

Now the bad news. It is pretty rare for this to work in real life these days. This fault is well known and has been compensated for long ago. Still, the knowledge of the directory structure of unix will be invaluable as you move into higher level exploits and if you obtain access to a server.

Did this seem complex? This is only level 2! It gets a lot harder after this. Best thing to do at this point is find some information about unix, directory structure, and, most importantly, unix commands. Because you're going to need those at the next level: CGI exploiting.
__________________
"How do you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."

01-12-2005, 08:06 PM   #2
slysnake
Cheshire Cat
Join Date: Jan 2005
Posts: 5,507
Threads: 315

Let me add just a little to what I said above. As I said, URL manipulation to get the file to show is pretty rare in real life. But it is there on a few sites. Basically you need to look for a file being opened. Say a series of pictures is being opened by a cgi or php program in a template. Then by using the method described you might get the passfile to be displayed in the template instead. Sometimes this will take some educated guess work on where the file may be located, because it may be masked and not in the "default" locations.
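The `sample.php?file=` pattern from the two posts above, as an added example that is not code from the original thread: a naive resolver that simply concatenates the parameter (the weak behaviour the posts describe), beside a hardened resolver that collapses `.`/`..`, requires the result to stay inside the samples directory, and refuses dotfiles. The base directory, the image-suffix rule and the sample filenames are assumptions.

```python
import posixpath
from typing import Optional

# Constructed layout following the post's example: the script serves pictures
# from a samples directory under /home/www/somesite.com, and the protected
# members/.htaccess sits one directory over. Pure path math, no filesystem.
SAMPLES_DIR = "/home/www/somesite.com/samples"      # assumed base for sample.php
ALLOWED_SUFFIXES = (".jpg", ".gif", ".png")         # assumed allow-list


def naive_resolve(file_param: str) -> str:
    """Path a script opens when it just joins the user value onto the base.
    Shown for contrast only; this is the behaviour the posts describe."""
    return posixpath.normpath(posixpath.join(SAMPLES_DIR, file_param))


def escapes_base(file_param: str) -> bool:
    """True when the naive script would open something outside SAMPLES_DIR.
    Useful as a detection rule over request logs."""
    resolved = naive_resolve(file_param)
    return posixpath.commonpath([SAMPLES_DIR, resolved]) != SAMPLES_DIR


def safe_resolve(file_param: str) -> Optional[str]:
    """Hardened resolver: returns the absolute path to serve, or None."""
    # Reject NUL bytes and absolute inputs before doing any path math;
    # posixpath.join discards the base when the second part is absolute.
    if "\0" in file_param or posixpath.isabs(file_param):
        return None
    candidate = posixpath.normpath(posixpath.join(SAMPLES_DIR, file_param))
    # Containment check AFTER normalisation, so '../members/.htaccess' is
    # judged by where it really lands. commonpath (not a string prefix test)
    # also rejects sibling dirs such as /home/www/somesite.com/samples-private.
    if posixpath.commonpath([SAMPLES_DIR, candidate]) != SAMPLES_DIR:
        return None
    name = posixpath.basename(candidate)
    # Dotfiles (.htaccess, .htpasswd) are never samples; enforce the suffix list.
    if name.startswith(".") or not name.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("2.jpg", ".htaccess", "members/.htaccess", "../members/.htaccess"):
        print(f"{value!r:28} naive={naive_resolve(value)}  safe={safe_resolve(value)}")
```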

01-15-2005, 07:54 AM   #3
ChaosWing
Guest

thanks very much slysnake
love ur tutorial
need to strengthen my basic :D

01-16-2005, 01:20 AM   #4
Darkmoon
Guest

the tut is appreciated ,thx sly bro for ur kind sharing!~

01-19-2005, 08:32 PM   #5
toniii
Guest

Thanks a lot for the tut!!

01-25-2005, 06:29 AM   #6
inc71
Guest

THX this also looks very useful :)

01-25-2005, 02:28 PM   #7
lazo
Guest

great information m8 thank you

01-25-2005, 03:57 PM   #8
xaviercitten
Guest

Thanks a lot for the tut! It's really appreciated.

01-29-2005, 02:14 AM   #9
lonelysoul
Guest

Thanks for a great lesson.

02-06-2005, 10:30 PM   #10
kibojava
Guest

thx, it is basic but we all must start from that point. does it work for m$?
2005 © Copyright Xisp.org