Author Topic: Hacking a misconfigured godaddy php server: (with no shell access)  (Read 2652 times)

Offline trevelyn

http://weaknetlabs.com/videos/godaddy/

Well, not really hacking, more like snooping. should i back up all my files after releasing this video?

Offline Godot

I have a similar script I use to play with stuff like that, but it just uses a single file, a PHP file with a form that calls itself.

I noticed you used exec() and a for loop to get and print the output. Is there a reason you did this instead of just calling system()?
« Last Edit: July 23, 2009, 06:09:10 PM by Godot »
"I bought a cactus and it died a week later... I was really depressed, I thought, 'Damn, I am less nurturing than a desert.'" -Demetri Martin

Offline Nod

He's TREVELYN. Of course there's a reason.
I HATE the bridge.
Meme Roth is a Food Nazi Cunt

Offline trevelyn

haha, well exec cuts up the output without having to use regexp's, system doesn't.  at least i don't think so.  It seems that if i use system() in the same syntax there's no formatting when the output comes out, i.e. all of the text is the first element of the array.  ??? not sure..

and yeah after i posted the video i found the script, called "phpshell.php" or something like that. 

It just plain old sucks that Godaddy doesn't give you ssh access.  Using the above method i looked at the "/etc/passwd" file and saw my shell is "sh" then i did a ps aux and saw sshd running, but there's no /etc/ssh folder to hold the config file sshd_config ??? so odd, so i figured they put it somewhere else, and i did a "cd / && find . * | grep sshd" and found nothing?  There's no nmap or nc either, i'd really like to find what port sshd is on so i can just remotely access the server.


Offline Godot

system() runs the command and prints the output for you. The output isn't HTML-formatted (no <br>, etc.), but I just put it inside a <pre> tag so the formatting is preserved.

Essentially, I use something like this:
Code: (command.php)
<form action=command.php method=post>
<input type=text name=command>
<input type=submit></form>
<pre><?php system($_POST['command']); ?></pre>

Offline trevelyn

i love you.
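
A defender's view of the two scripts discussed in this thread, as an added example that is not part of any post: a small Python check that flags PHP source where system(), exec() or a related function receives request data, either directly or through a variable copied from a superglobal. The function name and the two samples marked as constructed are assumptions made for illustration; the first sample is command.php as posted above.

```python
import re

# PHP functions that pass a string to the OS shell.
EXEC_FUNCS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open")
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
# The lookbehind skips method calls and longer names: $db->exec(), curl_exec().
CALL_RE = re.compile(r"(?<![\w$>:])(%s)\s*\(([^;]*)" % "|".join(EXEC_FUNCS), re.I)
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]*);")
# Regex-level comment removal; it does not parse string literals.
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

# command.php exactly as posted in the thread.
SAMPLE_DIRECT = """<form action=command.php method=post>
<input type=text name=command>
<input type=submit></form>
<pre><?php system($_POST['command']); ?></pre>
"""
# Constructed sample: the exec()-plus-loop variant the thread describes.
SAMPLE_LOOP = """<?php
$cmd = $_GET['c'];
exec($cmd, $lines);
foreach ($lines as $l) { echo htmlspecialchars($l) . "<br>"; }
"""
# Constructed sample: fixed command, a commented-out call, a method named exec.
SAMPLE_BENIGN = """<?php
// system($_GET['c']);
exec("uptime", $out);
echo $db->exec($_POST['q']);
"""


def find_request_driven_exec(php_source):
    """Return [(line_no, function, reason)] for exec-style calls fed by request data."""
    # Blank out comments but keep newlines so line numbers stay correct.
    src = COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), php_source)
    # One-hop taint: variables assigned straight from a request superglobal.
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(src)
               if re.search(SUPERGLOBAL, m.group(2))}
    findings = []
    for m in CALL_RE.finditer(src):
        args, func = m.group(2), m.group(1).lower()
        line_no = src.count("\n", 0, m.start()) + 1
        if re.search(SUPERGLOBAL, args):
            findings.append((line_no, func, "superglobal passed directly"))
        elif any(re.search(re.escape(v) + r"\b", args) for v in tainted):
            findings.append((line_no, func, "variable copied from request"))
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_DIRECT", "SAMPLE_LOOP", "SAMPLE_BENIGN"):
        print(name, find_request_driven_exec(globals()[name]))
```

A hit on a file nobody remembers uploading is worth investigating; on shared hosting, the matching hardening step is listing these functions in the disable_functions directive in php.ini.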