Figure 17: We guessed that the file
/etc/group exists and voila! It turns up on our browser.
As you can see, guessing worked! From
the above very short group file we can guess it uses NIS authentication.
Under this system, many computers share the same password authentication
system on a central computer. Then only user names required
to run programs on that computer will be in the password file.
We confirm this when we look at the passwd file and only find
five entries.
Oh, yes, the same thing will work for
guessing /etc/passwd and many other file names.
How
to Break into Computers Using Only your Web Browser
You may have have already read about
the PHF exploit. Just in case you are the one hacker in a million
who hasn't already read about this, here's how most people try
the PHF attack. In the location window of your browser,
simply insert the command
http://victim.computer.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
You can get punched in the nose warning:
While it isn't illegal to run this command, many webservers automatically
email a complaint about you to your online service. Oh,
yes, they can tell who you are really easily. Many online
services will automatically terminate your account if they catch
you running the PHF exploit.
Usually you will only get a response
that looks like Figure 18:
Figure 18: The usual result of trying the PHF exploit. Sometimes
insults and threats will appear instead. Webmasters hate people
who try the PHF exploit.
Use of this command is proof of idiocy.
One day, looking over the logs of attacks on the Happy Hacker
web server, I was appalled to see that almost every PHF attack
used the above line of code.
If this attack had worked, these pitiful
excuses for hackers would have gotten nothing of much value.
Our password file is shadowed, and in any case the passwords
were all way too brutal to be extracted by any cracking program.
The real power of the PHF attack is
that if it works, you already have root control over the victim
computer -- through your web browser. So why bother cracking
the password file? For example, if we were lame enough
to run a webserver vulnerable to PHF attack, you could give the
command:
http://<happyhacker.org>/cgi-bin/phf?Qalias=x%0a/bin/rm%20<document
root>index.html
If it works, this would erase the main
web page of whatever web site was hosted at that particular document
root. Or the command could have been echo%20”You got hacked,
luser!”><document root>index.html. (Note
that %20 represents a space in the command string.) This
would add the phrase "You got hacked, luser!" to the
victim web site.
There are many other ways to break into
computers using your web browser. However, the basic rule
I (Carolyn Meinel) use at this web site is to not publish anything
that could lead a little kid into doing millions of dollars worth
of damage. So I've saved all the details of how to write
and run programs on other people's webservers through a web browser
for the book Uberhacker:
How to Break into Computers.
It is under production at Loompanics Unlimited and will be available
in July 2000. My theory is that it is much easier to exercise
parental supervision over the books kids read. The books cost
more money than most little kids have. Besides, if a parent sees
a kid reading a book subtitled "How to Break into Computers,"
they have got to get a clue that their kid is in severe need
of supervision.
In the meantime, have fun amazing your
friends and bumfuzzling your enemies doing the legal, harmless
things of this Guide!
Tags:
hacking
