RHZ

How to do symlink in web (Symbolic Link)







Symlink :
A symlink, also called a symbolic link or soft link, is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.


What Symlink can Do On Servers :
On servers, symlinking means creating symbolic links to other websites on the same server in order to read their configuration files, connect to their databases, and get the information needed to access their admin panel and control panel.


And that's all about symlink. Now you should be clear about symlink :).


So let's move further on to how to do symlink.
In this tutorial I will explain two different methods of symlink.


Method 1 :-Manual Symlink (Without any shell)
Manual Symlink is further Divided into 2 parts


PART -1
#Creating a root symlink
#Getting all the websites on server
#Getting all the Users on The server
#Finding the User of the Website
#Dumping and Reading the Database configs
#Login into Database
#Change Password from Database
#Done


PART -2
In this part we won't symlink the root directory,
we will symlink the target's public_html dir directly.



Method 2 :- Automatic Symlink (With shell)
In this method we will use shells (i.e. Perl and PHP scripts) to do the symlink automatically.


Note :- Symlink can be done only on a Linux box. A Windows box does not support symlink, so don't try it :P.




Method 1 : Manual Symlink (Without any shell)


PART -1
#Creating a ROOT Symlink



1) So after you have uploaded a shell on any site, open your shell, go to the root folder of the website (i.e. public_html) and make a dir called "tmp" (tmp is always a writable directory), as I created below.






2) Enter your tmp directory then upload a file called ".htaccess" in the tmp directory as shown below.







3) After that, execute the command below in the shell to create a root symlink in the tmp directory.


CMD : ln -s / mcs


This command will create a link called mcs in the tmp directory as shown below.



4) Now open the directory "tmp" from your browser in a new tab, like "www.localhost.com/tmp". It should look like this:





5) If you see this link, it means you have created a root symlink.


# Getting all the websites on the server


1) Now, after creating the root symlink, it's time to get all the websites on the server.
So open this in a new browser tab:


Link :- www.localhost.com/tmp/mcs/var/named


2) This will Give you all the sites on the Server as shown below




# Getting all the users on the Server


1) Fine, we got all the websites on the server. Now we need to get all the users on the server.
So again open this in a new browser tab:


Link :- www.localhost.com/tmp/mcs/var/mail/


2) This will give you all the users on the server as shown below





#Finding the User of the Website


1) After you have got all the sites and users on the server, select the website which you want to take down and find the user of the target. For example, if the target is "www.mcsh3llz.com", the user will be "mcs" or something similar.

2) Finding it is very simple: press Ctrl+F in your browser on the users tab and type the site name slowly (mcsh3llz.com), and it will highlight the user.


3) Suppose my target is "www.sexy.la", so my user will be "sexy" as shown below.





4) The user is highlighted. Isn't it very simple?


# Dumping and Reading the Database configs


1) Now that we have the user of the site we want to take control of, it's time to dump the database of the website and read the config files.


2) So just open the link in your browser, as I show below.


Link :www.localhost.com/tmp/mcs/home/[user]/public_html/


where [user] is the user of website





3) Here My user is "sexy" :) and I got all the files on the site.


4) Now start looking for the config file; here mine is wp-config.php in the above screenshot. Just click on it and you will get the database login.


Location of Most Famous CMS config Files


vBulletin -- /includes/config.php
IPB -- /conf_global.php
MyBB -- /inc/config.php
Phpbb -- /config.php
Php Nuke -- /config.php
Php-Fusion -- config.php
SMF -- /Settings.php
Joomla -- configuration.php , configuration.php-dist
WordPress -- /wp-config.php
Drupal -- /sites/default/settings.php
Oscommerce -- /includes/configure.php
e107 -- /e107_config.php
Seditio -- /datas/config.php



#Login into Database


1) Now just upload this database management PHP script, i.e. dbkiss.php, in the root folder, i.e. public_html.




2) Open dbkiss.php in your browser as shown below
www.localhost.com/dbkiss.php





#Change Password From Database


1) Login with the Username and password you got in the Config file


2) Check for users in the database there and click on it. There you will get the website username and password. We just have to edit the user_pass column and save it.



3) Hash your password with anything you want in MD5, then click on edit, clear the user_pass column and paste your MD5 hash there, then click on edit again and save it. Finally you're done.


4) Now go to the website admin panel and log in with the new password you created.


#Done.






PART -2
In this part we won't symlink the root directory,
we will symlink the target's public_html dir directly.

1) Make a new dir, named anything you want, and upload this .htaccess file.


2) Run the command in the same dir where you uploaded .htaccess

Cmd :- ln -s /home/(user)/public_html (user)

where user is the target user.

Now Just Open it in your Browser
link :- www.localhost.com/tmp/[user]

It will look like this, which means I got all the files on the server. Now start getting the config file.





In the above screenshot my username was "sexy",
so click on wp-config.php, get the database login details, log in with dbkiss.php and change the user pass, as I showed you in PART-1.




Method 2 :- Automatic Symlink (With shell)

In Automatic Symlink, you don't need to find config files, execute commands, or find domains and users, because all the jobs are done by shells :P

So let's start...

1 ) First of all Download Symlink Files HERE

2) Now open your shell, make a new dir in the root folder (i.e. public_html) with any name you want, and upload all the files except the "Configs" folder files in it.

Then create a new folder called "Configs" in the same folder and upload both the files given in the configs folder.




3) Now Run The "php.ini" file first in new tab
Link : http://localhost.com/mcs/php.ini


4) Now change the permissions of domain.pl to 0755





4) Now Go to "Configs" folder and change the permissions of "conf.jpg"
to 0755





5) Fine, now you have successfully set up the symlink server. Now it's time to execute our mission :P


6) Now open your dir in a new tab; mine is mcs, so I'll open www.site.com/mcs. It will look like this.


7) Now click on symsa.php, then click on Symlink Bypass. It will show the etc/passwd of all sites on the server. Copy it.




Now open the Configs dir in a new tab of your browser, then open conf.jpg and paste all the etc/passwd in it, as shown below, and click on "Get Config".





8) You are done :). Now just open the Config folder and you will get all the configs as shown below.

Link : http://localhost.com/mcs/configs




9) That's it, you symlinked the server.



10) Now you have all the configs. Now open domains.pl in a new tab and you will get all the sites and users of the server.


11) Now just log in to the database using dbkiss.php, change the user column in the database, as I showed in Method 1, and edit it.
Log in to the site admin panel with your new password.
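
Both methods leave the same artifact on disk: a symlink inside one account's web root whose target lies outside it (`ln -s / mcs`, `ln -s /home/(user)/public_html (user)`). The audit below is an added example, not part of the original tutorial. It walks a web root and reports such links; the account names `alice` and `bob` and the directory layout are constructed sample data.

```python
import os
import tempfile

def audit_symlinks(docroot):
    """Return (link, resolved_target, reasons) for every symlink under docroot
    that leaves the docroot, points at another uid's file, or is dangling."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report links to directories, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            reasons = []
            if os.path.commonpath([root, target]) != root:
                reasons.append("outside-docroot")
            try:
                # Same comparison Apache's SymLinksIfOwnerMatch option makes:
                # owner of the link versus owner of what it points to.
                if os.lstat(path).st_uid != os.stat(target).st_uid:
                    reasons.append("owner-mismatch")
            except OSError:
                reasons.append("dangling")
            if reasons:
                findings.append((os.path.relpath(path, root), target, reasons))
    return sorted(findings)

def demo():
    """Constructed sample tree: one web root holding the two link shapes
    from the tutorial plus one harmless link that stays inside the web root."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "home", "alice", "public_html")
        other = os.path.join(base, "home", "bob", "public_html")
        os.makedirs(os.path.join(docroot, "tmp"))
        os.makedirs(os.path.join(docroot, "img"))
        os.makedirs(other)
        os.symlink("/", os.path.join(docroot, "tmp", "mcs"))    # root symlink
        os.symlink(other, os.path.join(docroot, "tmp", "bob"))  # other account
        os.symlink(os.path.join(docroot, "img"),
                   os.path.join(docroot, "pics"))               # stays inside
        return [(link, reasons[0]) for link, _, reasons in audit_symlinks(docroot)]

if __name__ == "__main__":
    for link, reason in demo():
        print(f"{reason:16} {link}")
```

On Apache, the same condition is enforced at request time with `Options SymLinksIfOwnerMatch` in place of `FollowSymLinks`, with `Options` kept out of `AllowOverride` so that a per-directory `.htaccess` cannot change symlink handling.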
