Local Attacks: Difference between revisions

From ICO wiki
Latest revision as of 23:43, 29 January 2017

Abstract

This article is concerned with one of the common hacking methods of recent decades, one that attackers still use today. It is called Local Attack; this is not an internationally recognised name for it. The name was coined by Vietnamese hackers, and I found that it describes part of this attack method quite well, so I will use it as "our speaking" at least in this article. (You will not find this name if you search for it in English.)


I will explain what a Local Attack is, how powerful it is, and the difficulties you will run into when applying it. I will go through it step by step together with the basic knowledge you need to follow along and to understand its purpose. The background required (web applications, the Linux command line, networking, etc.) is not hard to acquire.

For the security of our website and server, I will not show the PHP shell link in this article. I apologise for the inconvenience.


Keywords: Hacking, Local attack, Linux, Web App.

'''''!!! This article is served for education purposes only; I take no responsibility for any harm caused by others !!!'''''

Local Attack Introduction

What is Local Attack?

Generally, once we host a website on a server, the user is provided with a user account and a directory (folder) to manage their website. For instance, the first user has website "A" and the directory /home/user1 to manage it; similarly, the second user has website "B" and the directory /home/user2.

Local attack is a method for hacking a website by way of another website on the same server. For example, I want to attack website "A" of user 1, but unfortunately I cannot find any vulnerability in it to exploit and gain access, so there is no way to attack site "A" directly. So I look for websites hosted on the same server as "A", say website "B" or "C".

Suppose site "B" or "C" has some vulnerability, in other words is "hackable". After gaining access to site "B" or "C", I upload a PHP file called a "shell" to the server of "B" or "C", which is also the server of website "A". The hacking process starts from here.....

                                          

Figure 1: PHP shell uploaded to the host of the website.

Pros and Cons of Local Attack

Pros:

* Does not take a lot of time.
* Easy to interact with the server via the shell and exploit it.

Cons:

* Leaves a "mark": the administrator can find where the shell came from.
* If the websites are on separate servers, Local Attack runs into certain difficulties.

What we need to know?

Host and Shared-Host

Normally a website's data must be stored on a server that is always on and connected to the internet. The storage space on the server used for the website's data is called the host. For many agencies and organisations, renting a whole server just to store a website is not practical: their need is simply storage, and renting a server is not cheap. Therefore shared hosting is a reasonable choice. With shared hosting, the server's storage is divided into many small hosts, each rented separately. So one server holds the data of multiple websites, and that is also the weakness a local attack builds on.

Operating System and Permission System

The operating system of the server must be Linux.

Unlike Windows, Linux has a complex and strict permission system. Linux supports three permissions on files:


r: read

w: write

x: execute

-: not allowed


These rights are assigned to three subjects:


u: owner

g: group

o: other (ordinary users)


You can read more here: http://linuxcommand.org/lts0070.php

Shell

Simply put, the shell is a program that takes your commands from the keyboard and gives them to the operating system to perform. In the old days, it was the only user interface available on a Unix computer. Nowadays, we have graphical user interfaces (GUIs) in addition to command line interfaces (CLIs) such as the shell.

On most Linux systems a program called bash (which stands for Bourne Again SHell, an enhanced version of the original Bourne shell program, sh, written by Steve Bourne) acts as the shell program. There are several additional shell programs available on a typical Linux system. These include: ksh, tcsh and zsh.

In this tutorial, I will use the PHP shell named r57 or c99. You can find it via Google.

See more here:

-http://linuxcommand.org/lts0010.php

-http://linuxcommand.org/learning_the_shell.php

*I recommend that you use or download those shells only inside virtual machines.

How to do a Local Attack step by step?

1. View the list of users on the server

2. Find the config.php file

3. Get the login information for the database

4. Crack and change the admin password

5. Log in and upload the shell

View the list of users on the server

If we want to local-attack a website as described above, we need to know the users on the server and which source code (CMS) each site uses. After that we are able to read that user's config.php file.

The command to list the users:

cat /etc/passwd

In some cases, if the above command does not show the user list, we can try this:

ls -l /home/

If the server blocks cat on the passwd file, you can use these commands:

less /etc/passwd
./cat /etc/passwd

Find the path to config.php

Depending on the source code (CMS), the file's default path is as follows. Note: the path is the path from the server root to the site.

- On Linux:

/home/user/public_html

or similar

- Joomla:

path/configuration.php

- WordPress:

path/wp-config.php


These are the default paths for those types of site. They might be changed by the administrator (mainly due to programmers' habits).

(To find the source path, search for the keyword "cwd"; you will see code similar to "require_once (CWD . '/includes/init.php');", which is the default path resulting from the init.php file.) ......

Get the information from config file

This is the most difficult step of the method.

The basic command lines using for Local Attack

- ls, dir: list the names of the files in a folder.
- ls -al, ls -lia: list the names and attributes of the files in a folder:

 ls -lia "/home/lphanvan/public_html/@ender/includes/config.php"

- sand, ./cat, less, more, tail: view the contents of a file:

 cat "/home/lphanvan/public_html/@ender/includes/config.php"

- ln: create a symbolic link:

 ln -s /home/lphanvan/public_html/@ender/includes/config.php ender.ini

- cd: change directory


For example, to navigate to the folder:

 cd /home/lphanvan/public_html/@ender/includes/itcollege
 cd ~: go to your home directory


- chmod: set permissions on files or folders:

 chmod 400 config.php (run in the directory that contains config.php)

- mkdir: create a directory:


For example, I want to create a folder in the includes directory:

 mkdir /home/lphanvan/public_html/@ender/includes/itcollege

- touch: create a file:

 touch /home/lphanvan/public_html/@ender/includes/itcollege.php

- tar, zip: compress and extract; often used in root symlink

 tar -zcvf enderhacked.tar.gz soleil (compresses the folder soleil into enderhacked.tar.gz)
 tar -zxvf enderhacked.tar.gz (extracts enderhacked.tar.gz)

See more here: http://linuxcommand.org/lts0070.php

Some techniques to get useful information from config.php

1. Using the cat command (and dir to see folder and file names) to read the file contents.

Example: dir /home/lphanvan/public_html/includes
cat /home/lphanvan/public_html/includes/config.php

But nowadays most servers do not allow this, so applying this method will not work.


2. Using symbolic links, referred to as symlinks


Symbolic links are a basic technique, and almost the first thing most attackers think of before carrying out a local attack.

 ln -s /home/lphanvan/public_html/@ender/includes/config.php itcollege.ini

Put simply, this creates a file itcollege.ini on the host whose content is identical to lphanvan's config.php on the server, at the path

 "/home/lphanvan/public_html/@ender/includes/config.php"


You can read more detail here: http://linuxcommand.org/learning_the_shell.php

Cracking and changing the admin's password

In this case the admin's password is not hashed, so you do not need to crack it. In many cases the contents would not be shown, and the password would be hashed.

You have obtained the admin account and password, as in the picture below, using the command:

 cat /etc/home/lphanvan/public_html/config.php


                                                   
Figure 2: Viewing the contents of config.php with "cat /etc/home/lphanvan/public_html/config.php"



Now, let's log in to the website's database.

                                                   
Figure 3: Logging in to the database via the shell

How to avoid Local Attack?

In my opinion, Local Attack is one of the most dangerous attack methods I have used so far. Below are my experiences of how to avoid it:


- Do not use source code when you do not know where it comes from; malicious code might be attached.

- Check for updates of the source code and of the server frequently, to fix vulnerabilities.

- Change passwords to stronger ones that are hard to brute-force.

- Set chmod 400 on sensitive files and 101 on folders.

- Use a VPS instead of shared hosting to avoid local attacks.

- Back up the data and scan it to detect whether it contains malicious code.


These are my experiences for avoiding Local Attack. It may not be a perfect way to avoid it, but at least it can help reduce the risk.
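As an added example that is not part of the original article, the following script audits a shared-hosting /home tree for the two weaknesses the article relies on: CMS config files (config.php, wp-config.php, configuration.php) readable by other accounts, and symlinks inside a user's web root that resolve to another user's files. It then applies the article's own chmod 400 recommendation. It builds a constructed demo tree in a temporary directory rather than touching the real /home, and assumes GNU find and readlink as found on a typical Linux host.

```shell
#!/usr/bin/env bash
# Defender-side audit for a shared-hosting /home tree (added example, not the
# article's own code). It looks for the two things a local attack needs:
#   1. CMS config files whose mode lets group/other read them, so a
#      neighbouring account can cat them;
#   2. symlinks inside a user's home that resolve outside that home (the
#      "ln -s <other user's config.php> x.ini" trick).
# Assumes GNU find (-perm /MODE, -printf) and GNU readlink -f.

# audit_home_root ROOT
# ROOT plays the role of /home. Prints one finding per line.
audit_home_root() {
  root="$1"
  for home in "$root"/*/; do
    home=$(readlink -f "${home%/}")
    # 1. config files with any read bit set for group or other (mode & 044)
    find "$home" -type f \
      \( -name config.php -o -name wp-config.php -o -name configuration.php \) \
      -perm /044 -printf 'READABLE mode=%m %p\n'
    # 2. symlinks whose resolved target is not under the owner's own home
    find "$home" -type l | while IFS= read -r link; do
      target=$(readlink -f "$link")
      case "$target" in
        "$home"/*) ;;                                   # stays inside: fine
        *) printf 'ESCAPING_SYMLINK %s -> %s\n' "$link" "$target" ;;
      esac
    done
  done
}

# count_findings ROOT: number of findings, usable as an exit criterion in cron.
count_findings() {
  audit_home_root "$1" | wc -l | tr -d ' '
}

# harden_configs ROOT: apply the article's recommendation (chmod 400) to every
# CMS config file under ROOT. Escaping symlinks are left for manual review.
harden_configs() {
  find "$1" -type f \
    \( -name config.php -o -name wp-config.php -o -name configuration.php \) \
    -exec chmod 400 {} +
}

# make_demo_tree: constructed sample layout in a temp dir (prints its path).
# user1 has a world-readable wp-config.php; user2 has a properly protected
# config.php plus a symlink pointing at user1's config.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/user1/public_html" "$root/user2/public_html/includes"
  printf '<?php $db_password = "demo-only";\n' > "$root/user1/public_html/wp-config.php"
  chmod 644 "$root/user1/public_html/wp-config.php"        # weak
  printf '<?php $db_password = "demo-only";\n' > "$root/user2/public_html/includes/config.php"
  chmod 600 "$root/user2/public_html/includes/config.php"  # fine
  ln -s "$root/user1/public_html/wp-config.php" "$root/user2/public_html/stolen.ini"
  printf '%s\n' "$root"
}

# Stand-alone demo run: two findings before hardening, one (the symlink) after.
demo=$(make_demo_tree)
echo "Before hardening:"; audit_home_root "$demo"
harden_configs "$demo"
echo "After hardening:";  audit_home_root "$demo"
rm -rf "$demo"
```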

References

English Websites

http://linuxcommand.org/lts0010.php

http://linuxcommand.org/learning_the_shell.php

http://linuxcommand.org/lts0070.php

Vietnamese Websites

http://kechocgian.blogspot.com.ee/2013/08/huong-dan-tong-hop-chi-tiet-co-ban-nhat.html

http://namcoder.com/hack-local-attack-va-cach-phong-tranh/

http://duyk.net/topic/20-Huong-dan-local-attack-voi-mot-so-phuong-phap-co-ban

Video

https://www.youtube.com/watch?v=RcusKpvKR_w

See more

You might want to see more:

https://www.youtube.com/watch?v=FjgKtBAiLKQ

https://www.youtube.com/watch?v=6hJ-d2NYLBg

https://www.youtube.com/watch?v=HpY6JxIzs1g

Conclusion

What I wrote above is an outline of the Local Attack method, in which attackers use their PHP shell to exploit not just one website but potentially every website on the same server. The attacker can execute commands on your server to find the password of your database or host. Getting root access is possible if the Linux server is not kept updated. The steps above may not succeed in every case, because that depends on the administrator's configuration and on the server version in use.

Contact

If you want to know more about this method, please do not hesitate to get in touch with me :D


Ender Phan - Cyber Security Engineering - C11


The Estonian Information Technology College


Email: lphanvan@itcollege.ee


My site: cybercoffee.xyz


'''''!!! This article is served for education purposes only; I take no responsibility for any harm caused by others !!!'''''