Look at the situation from the attacker's side.
The attacker has a certain goal. Suppose he or she has examined the target site thoroughly and found no vulnerabilities in it. One way that remains to gain full or partial control over the target site is to attack another site on the same hosting server, gain control over that site, and from there try to reach the target site: on shared hosting the neighbouring sites commonly run under the same HTTP server and the same operating-system account.
The task of obtaining control over the target site is reduced to the task of finding a vulnerable site on the same hosting server and obtaining control over that site.
Although the task of finding and exploiting vulnerabilities in a target site is well described in this book, the task of finding sites on the same server is a challenge.
There are many ways to locate sites on a hosting server; which of them work depends on the particular situation.
For example, the attacker can use the following sources of information about the addresses of sites:
The hosting site
The domain name system (DNS) reverse zone
The netcraft database
The cache of a DNS server
Sometimes, hosting providers publish information about their clients on their official sites (client lists, portfolios, "hosted by us" pages). The attacker is likely to check the hosting provider's official site for the addresses of the clients' Web sites.
If the hosting provider's official site is on the same physical server as the target site, the attacker can try to find vulnerabilities in it.
It is easy to find out which hosting server a particular site is located on. For example, the attacker can use a whois database. By sending whois queries for the site's domain name and for its IP address, the attacker obtains information about the owner of the domain and about the hosting provider that owns the address block.
The IP address can be obtained with the nslookup utility.
Consider an example that returns information about the www.admin.ru site.
The whois query on the domain name suggests that the site is located on a masterhost server; the whois query on the IP address confirms this.
These simple actions show the attacker that the target site is located at masterhost.ru.
Consider an example that returns information about the hosting server and (in some cases) about other sites on the host.
-bash-2.05b$ nslookup www.pautinka.ru
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: pautinka.ru
Address: 220.127.116.11
Aliases: www.pautinka.ru

-bash-2.05b$ nslookup 18.104.22.168
Server: localhost
Address: 127.0.0.1

Name: asp.z8.ru
Address: 22.214.171.124
-bash-2.05b$
Thus, the forward lookup gives the IP address of the target, and the reverse lookup on that address gives the host name of another site on the same physical server. Note that a reverse (PTR) record names at most one host, and often only the provider's own name for the machine, so reverse DNS alone rarely yields more than one neighbour; the other sources listed above are needed to build a fuller list.
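The forward-then-reverse procedure above, as an added example that is not from the book. It forward-resolves the target, reverse-resolves each of its addresses, and then checks which candidate names collected from other sources (the provider's client list, search results, netcraft) resolve to one of the target's addresses. The resolver functions are injectable: the default ones read a constructed record table so the logic runs offline, and the live_ variants use the system resolver. All host names and addresses in the table are hypothetical.

```python
"""Find host names that share an IP address with a target site.

Added example, not from the book. Forward-resolve the target, take the
PTR name of each of its addresses, and keep every candidate name whose
forward lookup lands on one of those addresses.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample records for the offline run (hypothetical names/addresses).
SAMPLE_A = {
    "www.target.example": ["192.0.2.10"],
    "target.example": ["192.0.2.10"],
    "shop.example": ["192.0.2.10"],
    "blog.example": ["192.0.2.11"],
    "hosting.example": ["192.0.2.10", "192.0.2.11"],
}
SAMPLE_PTR = {
    "192.0.2.10": "srv1.hosting.example",
    "192.0.2.11": "srv2.hosting.example",
}


def sample_forward(name: str) -> List[str]:
    """Offline stand-in for a forward (A record) lookup."""
    return list(SAMPLE_A.get(name, []))


def sample_reverse(addr: str) -> str:
    """Offline stand-in for a reverse (PTR) lookup; '' when there is none."""
    return SAMPLE_PTR.get(addr, "")


def live_forward(name: str) -> List[str]:
    """Forward lookup with the system resolver; [] if the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(addr: str) -> str:
    """PTR lookup with the system resolver. A PTR names at most one host,
    usually the provider's own name for the machine."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return ""


def find_neighbours(
    target: str,
    candidates: Iterable[str],
    forward: Callable[[str], List[str]] = sample_forward,
    reverse: Callable[[str], str] = sample_reverse,
) -> Dict[str, List[str]]:
    """Return {address of target: sorted names seen on that address}.

    Candidates that resolve to an address the target does not use are
    dropped: they may be at the same provider, but not on the same host.
    """
    addrs: Set[str] = set(forward(target))
    seen: Dict[str, Set[str]] = {a: {target} for a in addrs}
    for a in addrs:
        ptr = reverse(a)
        if ptr:
            seen[a].add(ptr)
    for name in candidates:
        if name == target:
            continue
        for a in forward(name):
            if a in seen:
                seen[a].add(name)
    return {a: sorted(names) for a, names in seen.items()}


if __name__ == "__main__":
    # Offline run on the constructed table; swap in live_forward/live_reverse
    # (and a real candidate list) to run it against the system resolver.
    result = find_neighbours(
        "www.target.example",
        ["shop.example", "blog.example", "hosting.example", "nope.example"],
    )
    for addr, names in result.items():
        print(addr, "->", ", ".join(names))
```

The candidate list is the weak point of the method: the resolver can confirm that a name shares the address, but it cannot enumerate names by address, which is why the search-engine and netcraft sources below matter.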
Sometimes, a search-engine query for sites with the same IP address (that is, on the same physical server) returns interesting results.
For example, the attacker can search for:
The IP address of the target site
The name and address of the target site's provider
The name and address of the target site
The probability of obtaining the needed information is small, but there is a chance.
The netcraft.com database stores statistics about various sites that can be of interest to the attacker. In particular, the attacker can learn from the netcraft database which IP network (netblock) contains the IP address of the target site and then obtain the addresses of all sites known to netcraft that belong to this network.
If a few of those addresses show identical or very similar features (same server software and operating system, same uptime), the attacker can guess which IP addresses are aliases of one server's main IP address.
For example, send the following request:
This reveals the IP network that contains the IP address of www.mail.ru. This is MAILRU-NET2,126.96.36.199,188.8.131.52.
The next request, http://uptime.netcraft.com/up/hosted?netname=MAILRU-NET.2,184.108.40.206,220.127.116.11, returns a list of sites known to netcraft that have IP addresses in the same network.
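The netblock step, as an added example that is not from the book: once the provider's network is known, every address in it is reverse-resolved and fingerprinted by the HTTP Server banner, and addresses with identical fingerprints are grouped as probable aliases of one server. The lookups are injectable so the offline run uses a constructed table; the live_ variants use the system resolver and a HEAD request. Network, names and banners are hypothetical.

```python
"""Sweep a netblock and group addresses that look like the same server.

Added example, not from the book. For each address in the block, take the
PTR name and the HTTP Server banner; identical pairs across several
addresses suggest aliases of one physical server.
"""
import ipaddress
import socket
from http.client import HTTPConnection
from typing import Callable, Dict, List, Tuple

# Constructed data for the offline run (hypothetical addresses/banners).
SAMPLE_PTR = {
    "192.0.2.8": "web1.provider.example",
    "192.0.2.9": "web1.provider.example",
    "192.0.2.10": "web2.provider.example",
}
SAMPLE_BANNER = {
    "192.0.2.8": "Apache/1.3.33 (Unix) PHP/4.3.10",
    "192.0.2.9": "Apache/1.3.33 (Unix) PHP/4.3.10",
    "192.0.2.10": "Apache/2.0.52 (FreeBSD)",
}

Fingerprint = Tuple[str, str]  # (PTR name, Server banner)


def sample_ptr(addr: str) -> str:
    return SAMPLE_PTR.get(addr, "")


def sample_banner(addr: str) -> str:
    return SAMPLE_BANNER.get(addr, "")


def live_ptr(addr: str) -> str:
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return ""


def live_banner(addr: str, timeout: float = 3.0) -> str:
    """Server header of the default virtual host answering on this address."""
    conn = HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "") or ""
    except OSError:
        return ""
    finally:
        conn.close()


def fingerprint_block(
    cidr: str,
    ptr: Callable[[str], str] = sample_ptr,
    banner: Callable[[str], str] = sample_banner,
) -> Dict[Fingerprint, List[str]]:
    """Map each (PTR, banner) pair to the addresses in the block that show it.
    Addresses with neither a PTR nor a banner are skipped as unused."""
    groups: Dict[Fingerprint, List[str]] = {}
    for ip in ipaddress.ip_network(cidr, strict=False):
        addr = str(ip)
        fp = (ptr(addr), banner(addr))
        if fp == ("", ""):
            continue
        groups.setdefault(fp, []).append(addr)
    return groups


def likely_aliases(groups: Dict[Fingerprint, List[str]]) -> List[List[str]]:
    """Address sets of size > 1 that share a fingerprint: candidate aliases."""
    return [addrs for addrs in groups.values() if len(addrs) > 1]


if __name__ == "__main__":
    g = fingerprint_block("192.0.2.8/29")
    for (name, srv), addrs in g.items():
        print(f"{name or '-':28} {srv or '-':36} {', '.join(addrs)}")
    print("probable aliases:", likely_aliases(g))
```

A shared banner is weak evidence on its own (a provider may run the same image on many machines), which is why the PTR name is included in the fingerprint and why netcraft's uptime figure is a useful third signal when it is available.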
If the attacker can access the cache of a large DNS server (for example, the provider's own resolver), he or she can try to obtain a list of sites that have the same IP address as the target site. Note that a resolver's cache is indexed by name, not by address: without a cache dump, the attacker can only test candidate names one by one, asking the server non-recursively whether it already holds an answer for each of them.
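One way to test whether a candidate name is in a resolver's cache, as an added example that is not from the book: send a query with the RD (recursion desired) bit clear, so the server may answer only from what it already holds. A reply with answer records means the name was recently looked up through that resolver; no answer (or RCODE REFUSED, which many modern resolvers return to non-recursive queries from outside) means it was not. Packet building and parsing are pure functions checked offline against a constructed reply; snoop() does the real UDP exchange. The resolver address, name and reply contents are hypothetical.

```python
"""Non-recursive DNS query for cache snooping.

Added example, not from the book. build_query() emits a standard DNS
question with all header flags clear (RD=0); parse_response() reads the
reply header and A answers. The constructed_* replies are fabricated for
the offline run, not captured traffic.
"""
import socket
import struct
from typing import List, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """12-byte header (flags 0x0000, so RD is clear) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a name (labels, or a 2-byte compression pointer)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(buf: bytes, txid: int) -> Tuple[bool, int, List[str]]:
    """Return (cached, rcode, A addresses).

    'cached' is True when a non-recursive query got RCODE 0 and at least one
    answer record, i.e. the resolver already had the name in its cache.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return (rcode == 0 and an > 0), rcode, addrs


def snoop(resolver_ip: str, name: str, timeout: float = 2.0) -> Tuple[bool, int, List[str]]:
    """Send the non-recursive query over UDP and parse the reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


def constructed_cached_response(txid: int = 0x1234) -> bytes:
    """Constructed reply for a cached name: QR|RA set (0x8080), one A answer
    whose owner is a pointer to the question name at offset 12 (0xC00C)."""
    question = build_query("www.target.example", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


def constructed_uncached_response(txid: int = 0x1234) -> bytes:
    """Constructed reply for a name not in cache: same header, no answers."""
    question = build_query("www.target.example", txid)[12:]
    return struct.pack("!HHHHHH", txid, 0x8080, 1, 0, 0, 0) + question


if __name__ == "__main__":
    print(parse_response(constructed_cached_response(), 0x1234))
    print(parse_response(constructed_uncached_response(), 0x1234))
    # Live use (hypothetical resolver): snoop("192.0.2.53", "shop.example")
```

A hit only proves that someone using that resolver looked the name up within its TTL; combining this with the forward lookup of each hit is what ties a cached name to the target's address.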
If the attacker can read the configuration file of the HTTP server on the machine that hosts the target site (the virtual host definitions), he or she obtains a fairly precise list of the sites located on that server. However, the situation described here is one in which the attacker has no access to the server's internals.
If the attacker fails to find a site located on the same server as the target site, or finds such sites but no vulnerabilities in them and so cannot obtain privileges on the target server, he or she can take another step: rent hosting from the same company as the target site. Depending on how the hosting company allocates customers to machines, there is a fair chance that the attacker's site will end up on the same physical server as the target site.
The attacker will then be able to take all of the steps described earlier to obtain control over the target server, this time starting from a site he or she fully controls.
In this case, the cost of the break-in for the attacker is equal to the rental cost of the disk space (possibly with support for PHP or Perl scripts and a database, which the later steps may require).