 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 104
 Members: 0
 Total: 104
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
I'm the new admin... now what? |
|
 Posted: Thu May 31, 2007 6:21 am |
 |
|
| drag |
| Active user |
 |
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
 |
|
 |
|
So I've cracked the MD5 belonging to the Joomla! admin and logged in.. it was all fun. I could deface some pages, but I'd rather get UNIX accounts/resources. What do I do now? I've tried checking to see if the password that I cracked is the same as the one for a UNIX login (I've tried to be clever about guessing the login name). I have the same problem after cracking MD5s for WordPress.
I need some direction. Could someone help? |
|
|
|
|
| Posted: Thu May 31, 2007 1:16 pm |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Defase is not goog idea.
Go to Joomla homepage.Download and install joomla on your PC.Study admin panel.Read this forum and find web shells etc.Upload to the server and get more info.Passwords for db,another vhost and etc.Don't be stupid haxor. |
|
|
|
|
| Posted: Thu May 31, 2007 1:56 pm |
|
|
| Chb |
| Valuable expert |
 |
|
| Joined: Jul 23, 2005 |
| Posts: 206 |
| Location: Germany |
|
|
|
|
|
|
| I agree with koko... Defacing sucks. Damn blackhat stuff... |
|
|
|
|
| Posted: Thu May 31, 2007 3:25 pm |
|
|
| drag |
| Active user |
|
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
|
|
|
|
I agree as whole heartedly; I'm not interested in defacing. My understanding of web shells is that the attacker needs to get the vulnerable website to unwittingly include the shell into it's code. I guess the jump that I don't understand is using the control panel to make this possible. My guess is that I'd need to upload it as an extension? I'll do some research in the meantime, but any more pointers would be appreciated.
Thanks. |
|
|
|
|
| Posted: Thu May 31, 2007 4:35 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level?
Well, just ten minutes ago i played little bit with joomla 1.0.12 installation and got an easy way to have shell access from joomla admin interface 
Seems like new advisory is coming out soon  |
|
|
|
|
| Posted: Thu May 31, 2007 7:12 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Quote: | | Well, just ten minutes ago i played little bit with joomla 1.0.12 installation and got an easy way to have shell access from joomla admin interface |
Well if you have access to admin panel uploading shell is easy,but how to get admin access.  |
|
|
|
|
| Posted: Thu May 31, 2007 7:50 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
| koko wrote: |
Well if you have access to admin panel uploading shell is easy |
What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password. |
|
|
|
|
|
|
|
|
| Posted: Thu May 31, 2007 7:53 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| barr0w wrote: | | koko wrote: |
Well if you have access to admin panel uploading shell is easy |
What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password. |
Right now I know two different security holes for getting shell access from Joomla admin interface. But I don't know any legitimate methods |
|
|
|
|
|
|
|
|
| Posted: Thu May 31, 2007 10:59 pm |
|
|
| drag |
| Active user |
|
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
|
|
|
|
| waraxe wrote: | | So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level? |
Yep.
| waraxe wrote: | | Right now I know two different security holes for getting shell access from Joomla admin interface. |
Public? I'd love to get a good understanding of the holes that you speak of. I don't suppose you could point in the right direction?
As far as, "Well if you have access to admin panel uploading shell is easy." Is the technique to do this as I guessed earlier? Uploading the script as an extension?
Btw, waraxe, thanks for great forum. It seems like a good group of people that are posting here, and I'm really glad I came across it. |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 01, 2007 12:07 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Thanks for positive feedback!
About those "unpublished possibilities" or features in joomla in order to get shell access or upload php scripts through admin interface - I will write advisory soon and then it will be public information. Of course, there are some other security issues too in Joomla, so stay tuned |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 01, 2007 5:47 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| barr0w wrote: | | koko wrote: |
Well if you have access to admin panel uploading shell is easy |
What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password. |
Wordpress:
Plugin>>Plugin manager or editor
If admin forget to close you may edit this plugin and put code in there.
Manager>>File
Couple times admin forget to close for editing index.php.
If everything is close for editing and with blog have forum you may upload shell in cache or avatar directory.
Another way.If wp-content is open to write you may change uploading files and write php in options and when upload a shell. |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 01, 2007 12:31 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
| Thanks for the direction Koko. I'm going to make attempts today on all of those suggestions. |
|
|
|
|
| Posted: Fri Jun 01, 2007 3:25 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
Continuing on my quest to upload a shell after I used Waraze's newest Wordpress exploit to gain Wordpress admin access.
So I have write permissions on a ton of .php files.
My idea was you utilize the Write->Write Post->Upload File function to upload a script, but .php extensions are blocked. Does anyone know where the function is that performs the security check? Maybe I can remove .php from the not allow list.
Another idea I have is to simply take one of the existing .php files, delete everything inside it, and copy in my shell's code. For that to work I would need to know a .php file that is useless, I don't want to overwrite functions.php or something else that is used.
What does everyone think? |
|
|
|
|
|
|
|
|
| Posted: Fri Jun 01, 2007 3:54 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
I managed to find out where in the functions.php is the allowed upload list. I was able to upload my shell, but when I try to hit it:
http://site/blog/wp-content/uploads/2007/06/shell.php
I get a HTTP Error 406 - Not acceptable.
Any ideas?
Edit: I think simply overwriting the contents of an exisitng Wordpress .php file would be the best thing to do, I just don't want to break the whole installation. Any help would be appreciated. |
|
|
|
|
| Posted: Fri Jun 01, 2007 8:02 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
Edit some .php file.Copy original code on your PC then put your code.With your code upload shell on server and backup old original code.
P.S.My engl sucksssssssssssssss |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
