IMCAFS

Simple risk analysis of a shared hosting server

Posted by punzalan at 2020-03-28
This article is aimed at server administrators, website administrators, security enthusiasts and professional information security personnel. It analyzes some of the risks of a shared hosting server.

Let's look at some reasons why your website is not so secure on a shared hosting server:

1. If any website on the server is compromised, the other websites may be compromised as well;

2. An attacker can purchase a virtual host from the hosting provider and then attack other websites on the same server;

3. A virtual host account does not have sufficient permissions to apply security hardening to Apache and MySQL.

With this article I hope to show you some common attack approaches, so that you can better maintain the security of your server.

Reverse IP lookup

This is a step that must be done in the information-gathering stage. Searching by IP address quickly yields the list of other websites on the server, in preparation for the later penetration test.

There are several ways to perform a reverse IP lookup:

a. Through free service websites

http://www.yougetsignal.com/tools/web-sites-on-web-server/

b. Using the dig tool in a Linux environment

Usage: dig -x <IP address> +short

Example:

~/pentest/$ dig -x 74.125.236.1 +short

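Here is a short shell script that takes a network prefix (the first three octets of an IP address) and prints the reverse DNS name of each of the 254 host addresses in that range:

#!/bin/bash
# Reverse-resolve every address from NET.1 to NET.254
NET=$1
for n in $(seq 1 254); do
    ADDR=${NET}.${n}
    # Print the address and its PTR record(s), separated by a tab
    echo -e "${ADDR}\t$(dig -x "${ADDR}" +short)"
done

Save it as subnetscan.sh, then make it executable and run it:

chmod +x subnetscan.sh

./subnetscan.sh <first three octets of the IP address>

c. Use a search engine to get the domain name list.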

Find the CMS programs running on the server

Many websites are built on a CMS program, either modified or extended through secondary development, because this makes producing a website convenient. However, common CMS programs often have security vulnerabilities. If several different CMS programs run on the same server, the security risk to the server is relatively high.

Simply checking the source code of the home page of a website on the server, its robots.txt file, and its URL patterns for pages such as registration and login makes it easy to tell which CMS program the site uses. For example:

<meta name="generator" content="WordPress 3.5.1" /> WordPress home page meta tag

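<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /> Joomla home page meta tag

Combined with reverse IP lookup, this makes it possible to list every CMS in use on the server. Below is a Perl script that takes an IP address as a parameter and lists all the CMS programs running on that IP. It is a simple CMS fingerprinting program, and more CMS programs can be identified by adding signatures for more CMS types.

Compromising known CMS programs

You can look up 0-days and other known issues for a CMS on sebug.net, wooyun.org and exploit-db.com. If WordPress is found running on the server, we can use wpscan for the penetration test:

1. List the names of all plugins WordPress uses;

2. List the names of the themes WordPress uses;

3. Check whether the theme uses TimThumb or similar;

4. Enumerate all user names.

If the WordPress admin login does not use any additional verification, simple passwords can easily be brute-forced with wpscan:

After logging in to the admin panel, a webshell can easily be obtained through theme upload and installation. WordPress allows themes to be uploaded in zip format for installation: copy a one-line or encrypted webshell into the theme directory, re-compress the directory as a zip file, then upload and install it. The webshell path is then wp-content/themes/<theme name>/xxx.php.

PHP webshells typically use common system functions such as system(), shell_exec() and exec(). If these have not been restricted by hardening on the system, simple Linux commands can be executed: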

uname -a

Linux studio4 2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

id

uid=48(apache) gid=48(apache) groups=48(apache)

cat /etc/passwd

/etc/passwd is readable by default, so even without root permission, all user names and other information on the server can be learned from this file.

bruce:x:502:502::/home/bruce:/bin/bash

On a shared hosting server, each website has its own user and root directory, and the files of each website are stored in its own directory.

/etc/valiases

This file stores the mapping between the websites running on the server and the names of their corresponding user accounts in /etc/passwd. Suppose the attacker knows from the reverse IP lookup that the server hosts the website nxadmin.com, but does not know which user owns it. The user that corresponds to the website can be seen with the following command:

ls -l /etc/valiases/nxadmin.com

-rw-r----- 1 bruce Mar 9 16:14 /etc/valiases/nxadmin.com
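
The command execution shown earlier depends on system(), shell_exec() and exec() being left enabled in PHP. As an added example (not part of the original article), the following script reports which of those three functions a php.ini does not list in disable_functions. The names enabled_exec_functions and demo and the sample php.ini are constructed for illustration, and the script assumes the last uncommented disable_functions line is the one that takes effect.

```bash
#!/bin/bash
# Added example: audit a php.ini for the command-execution functions the
# article names. Nothing here comes from the original page.

RISKY="system shell_exec exec"

# Print each function from $RISKY that the php.ini at $1 leaves enabled.
enabled_exec_functions() {
    local ini=$1 disabled fn
    # Take the last uncommented disable_functions line (assumption: last one
    # wins), then strip the key, trailing ';' comment, quotes and whitespace.
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=//; s/;.*$//; s/["[:space:]]//g')
    for fn in $RISKY; do
        # Compare whole comma-separated names, so that a disabled
        # "shell_exec" is not mistaken for a disabled "exec".
        case ",$disabled," in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# Run the check against a constructed, partially hardened php.ini.
demo() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' \
        '; disable_functions = system,exec,shell_exec' \
        'disable_functions = "passthru, shell_exec , popen"  ; partial' > "$tmp"
    enabled_exec_functions "$tmp"
    rm -f "$tmp"
}

# With a path argument, audit that file; otherwise run the constructed demo.
if [ -n "${1:-}" ]; then
    enabled_exec_functions "$1"
else
    demo
fi
```

Any function name it prints is still callable from PHP code running under that configuration, including an uploaded script.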