Preparing for the attack
In this scenario the attacker takes advantage of the PHF exploit together with one of the X clients most useful to an attacker: xterm. Xterm is a utility that starts a local command shell while X is running. With the -display option, however, the attacker can direct that command-line shell to the attacker's own X server. Before moving on, you may want to take a look at the PHF exploit itself. To execute a command on the server, the attacker requests, from a browser over port 80, a URL on the target server that looks something like:
http://target's.i.p.address/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
Let's take a closer look at the URL above. It executes the command 'cat /etc/passwd' on the remote web server and returns the contents of the /etc/passwd file to the attacker. The %0a is the URL-encoded newline that ends the alias lookup so that what follows it is run as a command, and %20 stands in for the spaces, since 0x20 is the hex value of the space character.
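A defender-side check for this request shape, added here as an example and not part of the original article: it parses constructed Apache-style access-log lines (the log format, addresses and timestamps are assumptions) and flags phf requests whose decoded query carries an embedded newline, which is the telltale of the command injection described above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Common Log Format. The second line
# mirrors the request shape discussed above; the others are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/1998:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Oct/1998:13:56:01 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512
10.0.0.9 - - [10/Oct/1998:13:56:40 -0700] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 128
"""

# Minimal CLF parser: source address, timestamp, method, request URL, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def phf_injection_alert(line):
    """Return a finding for a request to a path ending in /phf whose decoded
    query string contains a newline (the %0a seen above), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not parts.path.endswith("/phf"):
        return None
    # parse_qsl percent-decodes values, so %0a becomes "\n" and %20 a space.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\n" in value or "\r" in value:
            # Everything after the first newline is what the server would run.
            injected = value.split("\n", 1)[1] if "\n" in value else value
            return {
                "src": m.group("src"),
                "ts": m.group("ts"),
                "param": name,
                "injected": injected.strip(),
                "status": m.group("status"),
            }
    return None


def scan(log_text):
    """Run the check over every line of a log and return the findings."""
    return [a for a in (phf_injection_alert(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The check decodes one level of percent-encoding before looking for the newline, so %0A and mixed-case variants are caught but a double-encoded payload would need an extra decode pass. A status of 200 on a flagged line is worth treating as a likely successful execution rather than a mere attempt.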