Local Attacks

From ICO wiki

Abstract

This article is about one of the common hacking methods of recent decades, one that attackers still use today. It is called Local Attack; this is not an official international name. It is what many Vietnamese hackers call it, and since I find that it describes part of this attack method quite well, I will use this name as "our term", at least in this article. (This name does not turn up on Google if you search in English.)

I will explain the definition of Local Attack, as well as the difficulties we face when using it, alongside its power. I will go through it in detail, step by step, together with the basic knowledge we need in order to follow it more easily and better understand its purpose. The required knowledge (web applications, Linux command lines, networking, etc.) is not so hard that it will stop you from getting the most out of it.

Keywords: Hacking, Local attack, Linux, Web App.

!!! This article is for educational purposes only; I take no responsibility for any harm done by others !!!

Local Attack Introduction

What is Local Attack?

In general, once we host a website on a server, the user is given a "user account" and a directory/folder to manage their website. For instance, user 1 has a website "A" and one directory/folder, /home/user1, to manage. Similarly, user 2 has a website "B" and one directory/folder, /home/user2, to manage.

Local attack is a method used to hack a website from another website on the same server. For example, I want to attack website "A" of user 1, but unfortunately I cannot find any vulnerability in it to exploit and get a way in, which means I have no way to attack through site "A" itself. So I will look for the websites that are on the same server as "A", which could be website "B" or "C".

Suppose that sites "B" or "C" have some vulnerabilities, in other words they are "hackable". After gaining control of site "B" or "C", I will upload a PHP file called a "shell" to the server of "B" or "C", which is also the server of website "A". The hacking process starts from here.

                                          

Figure 1: PHP shell uploaded to the host of the website.

Pros and Cons of Local Attack

Pros:

     * Does not take a lot of time.
     * Easy to interact with the server via the shell and exploit it.

Cons:

     * Leaves a "mark": the administrator would be able to find where the shell came from.
     * Does not help much against websites that use a separate server.

What do we need to know?

Host and Shared-Host

Normally, a website's data must be stored on a server that is always running and connected to the internet. The storage space on the server used to store the website's data is called the host. For many agencies and organizations, renting a whole server to store website data is not practical: their need is simply storage, and the rental price of a server is not cheap. Therefore, shared hosting is a reasonable choice. With shared hosting, the server's storage space is divided into many small hosts, each rented out separately. So one server will contain the data of multiple websites, and this is also the security weakness from which local attacks develop.

Operating System and Permission System

The operating system of the server must be Linux.

Unlike Windows, the Linux operating system has a complex and strict permission system. Linux supports three permissions on files:

r: read access (read)

w: write access (write)

x: execute access (execute)

-: not allowed

These rights are assigned to three subjects:

u: the owner (user)

g: the owning group (group)

o: all remaining users (other)

The first character of the mode string shown by ls -l identifies the type of file:

-: regular file (text, binary, executable)

d: folder

c / b: device file

l: link file

The next 9 characters define the read, write and execute permissions for the owner, the owning group and the remaining users.

Change owner / group: chown, chgrp. Performed by root or by the respective owner.
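
An added example, not from the original article, that applies the mode string described above from the hosting side: it decodes the string printed by ls -l and lists config files that the "other" subject can read. The file names come from the default-path list later in this article; the demo tree is constructed.

```bash
# Added example (not from the original article). Config file names are taken
# from the path list in this article; the sample tree below is constructed.
CONFIG_NAMES="config.php wp-config.php configuration.php settings.php
Settings.php conf_global.php mainfile.php configure.php"

# mode_to_octal "-rw-r--r--" prints 644 (characters 2-10 are u, g, o triads).
mode_to_octal() {
    out=""
    for range in 2-4 5-7 8-10; do
        triad=$(printf '%s' "$1" | cut -c"$range")
        n=0
        case $triad in r??) n=$((n + 4)) ;; esac
        case $triad in ?w?) n=$((n + 2)) ;; esac
        case $triad in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# other_can_read MODE succeeds when the "other" triad grants read access.
other_can_read() {
    case $1 in ???????r*) return 0 ;; *) return 1 ;; esac
}

# audit_configs ROOT prints "MODE OCTAL PATH" for every known config file
# under ROOT that users outside the owner and group can read.
audit_configs() {
    for name in $CONFIG_NAMES; do
        find "$1" -type f -name "$name" -print
    done | sort -u | while IFS= read -r path; do
        mode=$(ls -ld -- "$path" | cut -c1-10)
        if other_can_read "$mode"; then
            printf '%s %s %s\n' "$mode" "$(mode_to_octal "$mode")" "$path"
        fi
    done
}

# Constructed demo tree: one world-readable file, one locked down with 400.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/user1/public_html" "$tmp/user2/public_html/includes"
    echo '<?php /* constructed */' > "$tmp/user1/public_html/wp-config.php"
    echo '<?php /* constructed */' > "$tmp/user2/public_html/includes/config.php"
    chmod 644 "$tmp/user1/public_html/wp-config.php"
    chmod 400 "$tmp/user2/public_html/includes/config.php"
    audit_configs "$tmp"
    rm -rf "$tmp"
}
demo_audit
```

Only the 644 file is reported; the one set to 400 (the chmod value this article uses for config.php) is not.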

Shell

Simply put, the shell is a program that takes your commands from the keyboard and gives them to the operating system to perform. In the old days, it was the only user interface available on a Unix computer. Nowadays, we have graphical user interfaces (GUIs) in addition to command line interfaces (CLIs) such as the shell.

On most Linux systems a program called bash (which stands for Bourne Again SHell, an enhanced version of the original Bourne shell program, sh, written by Steve Bourne) acts as the shell program. There are several additional shell programs available on a typical Linux system. These include: ksh, tcsh and zsh.

In this tutorial, I will use a PHP shell named r57 or c99. You can download it via Google.

* I recommend that you use or download those shells only in virtual machines.

How to do a local attack step by step

1. View the list of users on the server

2. Find the config.php file

3. Get the login information for the database

4. Crack and change the password of the admin

5. Log in and upload the shell

View the list of users on the server

If we want to local attack a website as I mentioned before, we need to know the users on the server and which source code each site uses. After that, we are able to read the config.php file of the user.

The command to get the users:

cat /etc/passwd

In some cases, if the above command does not show the user list, we could try this:

ls -l /home/

If the server blocks cat on passwd, you could use these commands:

less /etc/passwd

./cat /etc/passwd

more /etc/passwd

Alternatively, some of the shells that are common now have a built-in function to list users; you just need to click to view the list.

Find the path of the config.php file

Depending on the source code, the config file is at a default path such as the following. Note: "path" is the path on the server to the site.

- On Linux, the site path is: /home/user/public_html

- vBulletin: path/includes/config.php

- MyBB: path/inc/config.php

- Joomla: path/configuration.php

- WordPress: path/wp-config.php

- IPB: path/conf_global.php

- PHP-Fusion: path/config.php

- SMF: path/Settings.php

- Nuke: path/config.php

- Xoops: path/mainfile.php

- Zen Cart: path/includes/configure.php

- Seditio: path/datas/config.php

- DataLife Engine: path/engine/data/config.php

- phpBB: path/config.php

- Drupal: path/sites/default/settings.php

- Discuz: path/config/config_ucenter.php

- Bo-Blog: path/data/config.php

These are the default paths for open-source code. Self-written sites also usually keep the config file at a conventional path directly under the public_html directory (path/config.php); this is mainly due to the habits of programmers.

(To find the path in the source, search for the keyword "CWD"; you will see code similar to: "require_once(CWD . '/includes/init.php');". This gives the default path to the init.php file.)

Get the information from config file

This is the important part of a local attack.

The basic commands used for a local attack

- ls, dir: list the names of the files inside a folder. ls -al, ls -lia: list the names and attributes of the files inside a folder:

ls -lia "/home/lphanvan/public_html/@ender/includes/config.php"

- cat, ./cat, less, more, tail: view the contents of a file:

cat "/home/lphanvan/public_html/@ender/includes/config.php"

- ln: create a symbolic link:

ln -s "/home/lphanvan/public_html/@ender/includes/config.php" ender.ini

- cd: change directory. For example, to navigate to the folder itcollege:

cd /home/lphanvan/public_html/@ender/includes/itcollege

cd ~: go to the user's home directory

cd -: go back to the previous working directory

cd ..: go up to the folder just outside the working directory

- chmod: set permissions on files or folders:

chmod 400 config.php (run in the directory that contains the file config.php)

- mkdir: create a directory. For example, to create a folder in the directory includes:

mkdir /home/lphanvan/public_html/@ender/includes/itcollege

- touch: create a file:

touch /home/lphanvan/public_html/@ender/includes/itcollege.php

- tar, zip: compress and uncompress commands, often used in root symlink:

tar -zcvf enderhacked.tar.gz ender (compress the folder ender into the file enderhacked.tar.gz)

tar -zxvf enderhacked.tar.gz (extract the file enderhacked.tar.gz)

zip -r -9 enderhacked.zip ender (compress the folder ender into the file enderhacked.zip)

unzip enderhacked.zip (unzip the file enderhacked.zip)


Some techniques to get useful information from config.php

1-Using the dir and cat commands to see the folder and file names and read the file contents.

Example:

dir /home/lphanvan/public_html/includes

cat /home/lphanvan/public_html/includes/config.php

But now the majority of servers do not allow this, so this method will usually not work.


2-Using symbolic links, referred to as symlinks

Symbolic links are a basic technique, and so important that they are the first thing the majority of attackers think of before starting a local attack.

 ln -s "/home/lphanvan/public_html/@ender/includes/config.php" itcollege.ini

This can be understood simply as creating one file, itcollege.ini, on the host, with content identical to the config.php file of the user lphanvan on the server at the path

 "/home/lphanvan/public_html/@ender/includes/config.php"
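
From the hosting side, the link this technique creates is itself the artifact to look for: a symlink in one account whose target resolves into another account's directory. An added example, not from the original article, that lists such links; the one-directory-per-account layout under a base directory, a readlink that supports -f, and the constructed demo tree are assumptions.

```bash
# Added example (not from the original article): list symlinks inside one
# account's directory that resolve into another account's directory.
# Assumes BASE/<account>/ layout (e.g. /home) and a readlink with -f.
find_cross_account_links() {
    base=$(cd "$1" && pwd -P) || return 1
    for home in "$base"/*/; do
        home=${home%/}
        find "$home" -type l -print | while IFS= read -r link; do
            target=$(readlink -f -- "$link") || continue
            case $target in
                "$home" | "$home"/*) ;;    # resolves inside its own account
                "$base"/*) printf '%s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}

# Constructed demo tree: user2 holds a link to user1's config file and a
# harmless link to a directory of its own.
demo_links() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/user1/public_html/includes" "$tmp/user2/public_html/v1"
    echo '<?php /* constructed */' > "$tmp/user1/public_html/includes/config.php"
    ln -s "$tmp/user1/public_html/includes/config.php" \
          "$tmp/user2/public_html/itcollege.ini"
    ln -s "$tmp/user2/public_html/v1" "$tmp/user2/public_html/current"
    find_cross_account_links "$tmp"
    rm -rf "$tmp"
}
demo_links
```

Only itcollege.ini is reported; links that stay inside their own account or point outside the base directory are ignored.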


Crack and change the admin's password

In this case the admin's password is not hashed, so you do not need to crack it. But in some cases the admin will not show the content of the file.

Congratulations, you have got the admin name and password to log in to the database of the server.

Figure 2: See the content of config.php " cat /etc/home/lphanvan/public_html/config.php "

Now, let's log in to the database of the server.

Figure 3: Logging in to the database via shell

References

http://linuxcommand.org/lts0010.php

Conclusion

What I wrote above is an outline of the Local Attack method, in which attackers can use their PHP shell to exploit not just one website but possibly all of the websites on the same server. With it, the attacker can execute commands on your server to find the credentials of your database or host. Getting root access is possible if the Linux server is not kept updated.

Below is my experience on how to avoid Local Attack.

- Do not you the souce

Contact

If you want to know more about this method, please do not hesitate to get in touch with me :D


Ender Phan- Cyber Security Engineering- C11


The Estonian Information Technology College


Email: lphanvan@itcollege.ee


My site: cybercoffee.xyz

