LinuxQuestions.org


coolb 05-20-2006 07:12 AM

File inclusion vulnerabilities
 
What good would a remote file inclusion (web application that has the vuln) vulnerability (on the hacker's side) be to breaking into a computer?
If he had access to /etc/passwd or /etc/shadow he would only have listed the users that exist on the system, not their passwords.

Anyone help me with this?

Capt_Caveman 05-20-2006 08:51 PM

If a remote (or local) attacker can get access to the password hashes in /etc/shadow, they can then perform an offline bruteforce against them using tools like John the Ripper and extract the admin/user passwords from the hashes. These are generally more effective than trying to bruteforce guess username/password combos online.
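As an added example (not part of the original thread), here is a defender-side audit of how exposed an /etc/shadow file would be if it leaked: it parses shadow-format lines and flags accounts with an empty password field or a legacy hash scheme that is cheap to brute-force offline. The sample data is constructed with placeholder hashes, and treating descrypt and md5crypt as the "weak" set is this example's assumption.

```python
import re

# Constructed sample in /etc/shadow format (name:hash:lastchg:min:max:warn:::).
# Hash fields are made-up placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$examplesalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$1$examplesalt$PLACEHOLDERHASH:13000:0:99999:7:::
bob:abPLACEHOLDER:13000:0:99999:7:::
carol:$y$j9T$examplesalt$PLACEHOLDERHASH:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
dave:!$6$examplesalt$PLACEHOLDERHASH:19000:0:99999:7:::
erin::19000:0:99999:7:::
"""

# crypt(3) scheme identifiers found between the first two '$' characters.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
           "y": "yescrypt", "gy": "gost-yescrypt"}
# Assumption of this example: these are the findings worth flagging.
WEAK = {"empty", "descrypt", "md5crypt"}

def classify(field):
    """Return the hashing scheme name for one shadow password field."""
    if field == "":
        return "empty"                      # no password required at all
    body = field.lstrip("!")                # '!' prefix marks a locked password
    if body == "" or body.startswith("*"):
        return "locked"                     # no usable hash stored
    m = re.match(r"\$([0-9a-z]+)\$", body)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        return "descrypt"                   # traditional 13-character DES crypt
    return "unknown"

def audit_shadow(text):
    """Return ({user: scheme}, [users whose scheme is in WEAK])."""
    schemes, flagged = {}, []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue                        # skip malformed or comment lines
        user, scheme = parts[0], classify(parts[1])
        schemes[user] = scheme
        if scheme in WEAK:
            flagged.append(user)
    return schemes, flagged

if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
```

Flagged accounts are candidates for a forced password reset under a stronger scheme; a locked account that still carries a hash (dave in the sample) is classified by its underlying scheme because that hash would still be exposed in a leak.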


All times are GMT -5.