Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 39
Members: 0
Total: 39
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> I'm the new admin... now what? Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
I'm the new admin... now what?
PostPosted: Thu May 31, 2007 6:21 am Reply with quote
drag
Active user
Active user
Joined: May 31, 2007
Posts: 25




So I've cracked the MD5 belonging to the Joomla! admin and logged in.. it was all fun. I could deface some pages, but I'd rather get UNIX accounts/resources. What do I do now? I've tried checking to see if the password that I cracked is the same as the one for a UNIX login (I've tried to be clever about guessing the login name). I have the same problem after cracking MD5s for WordPress.

I need some direction. Could someone help?
View user's profile Send private message
PostPosted: Thu May 31, 2007 1:16 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Defase is not goog idea.
Go to Joomla homepage.Download and install joomla on your PC.Study admin panel.Read this forum and find web shells etc.Upload to the server and get more info.Passwords for db,another vhost and etc.Don't be stupid haxor.
View user's profile Send private message
PostPosted: Thu May 31, 2007 1:56 pm Reply with quote
Chb
Valuable expert
Valuable expert
Joined: Jul 23, 2005
Posts: 206
Location: Germany




I agree with koko... Defacing sucks. Damn blackhat stuff...

_________________
www.der-chb.de
View user's profile Send private message Visit poster's website ICQ Number
PostPosted: Thu May 31, 2007 3:25 pm Reply with quote
drag
Active user
Active user
Joined: May 31, 2007
Posts: 25




I agree as whole heartedly; I'm not interested in defacing. My understanding of web shells is that the attacker needs to get the vulnerable website to unwittingly include the shell into it's code. I guess the jump that I don't understand is using the control panel to make this possible. My guess is that I'd need to upload it as an extension? I'll do some research in the meantime, but any more pointers would be appreciated.

Thanks.
View user's profile Send private message
PostPosted: Thu May 31, 2007 4:35 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level?
Well, just ten minutes ago i played little bit with joomla 1.0.12 installation and got an easy way to have shell access from joomla admin interface Smile
Seems like new advisory is coming out soon Very Happy
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu May 31, 2007 7:12 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Quote:
Well, just ten minutes ago i played little bit with joomla 1.0.12 installation and got an easy way to have shell access from joomla admin interface


Well if you have access to admin panel uploading shell is easy,but how to get admin access. Laughing Laughing Laughing
View user's profile Send private message
PostPosted: Thu May 31, 2007 7:50 pm Reply with quote
barr0w
Regular user
Regular user
Joined: May 30, 2007
Posts: 13




koko wrote:

Well if you have access to admin panel uploading shell is easy


What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password.
View user's profile Send private message Send e-mail
PostPosted: Thu May 31, 2007 7:53 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




barr0w wrote:
koko wrote:

Well if you have access to admin panel uploading shell is easy


What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password.


Right now I know two different security holes for getting shell access from Joomla admin interface. But I don't know any legitimate methods Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu May 31, 2007 10:59 pm Reply with quote
drag
Active user
Active user
Joined: May 31, 2007
Posts: 25




waraxe wrote:
So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level?


Yep.

waraxe wrote:
Right now I know two different security holes for getting shell access from Joomla admin interface.


Public? I'd love to get a good understanding of the holes that you speak of. I don't suppose you could point in the right direction?

As far as, "Well if you have access to admin panel uploading shell is easy." Is the technique to do this as I guessed earlier? Uploading the script as an extension?

Btw, waraxe, thanks for great forum. It seems like a good group of people that are posting here, and I'm really glad I came across it.
View user's profile Send private message
PostPosted: Fri Jun 01, 2007 12:07 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Thanks for positive feedback!
About those "unpublished possibilities" or features in joomla in order to get shell access or upload php scripts through admin interface - I will write advisory soon and then it will be public information. Of course, there are some other security issues too in Joomla, so stay tuned Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Fri Jun 01, 2007 5:47 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




barr0w wrote:
koko wrote:

Well if you have access to admin panel uploading shell is easy


What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password.


Wordpress:
Plugin>>Plugin manager or editor
If admin forget to close you may edit this plugin and put code in there.
Manager>>File
Couple times admin forget to close for editing index.php.

If everything is close for editing and with blog have forum you may upload shell in cache or avatar directory.

Another way.If wp-content is open to write you may change uploading files and write php in options and when upload a shell.
View user's profile Send private message
PostPosted: Fri Jun 01, 2007 12:31 pm Reply with quote
barr0w
Regular user
Regular user
Joined: May 30, 2007
Posts: 13




Thanks for the direction Koko. I'm going to make attempts today on all of those suggestions.
View user's profile Send private message Send e-mail
PostPosted: Fri Jun 01, 2007 3:25 pm Reply with quote
barr0w
Regular user
Regular user
Joined: May 30, 2007
Posts: 13




Continuing on my quest to upload a shell after I used Waraze's newest Wordpress exploit to gain Wordpress admin access.

So I have write permissions on a ton of .php files.

My idea was you utilize the Write->Write Post->Upload File function to upload a script, but .php extensions are blocked. Does anyone know where the function is that performs the security check? Maybe I can remove .php from the not allow list.

Another idea I have is to simply take one of the existing .php files, delete everything inside it, and copy in my shell's code. For that to work I would need to know a .php file that is useless, I don't want to overwrite functions.php or something else that is used.

What does everyone think?
View user's profile Send private message Send e-mail
PostPosted: Fri Jun 01, 2007 3:54 pm Reply with quote
barr0w
Regular user
Regular user
Joined: May 30, 2007
Posts: 13




I managed to find out where in the functions.php is the allowed upload list. I was able to upload my shell, but when I try to hit it:

http://site/blog/wp-content/uploads/2007/06/shell.php

I get a HTTP Error 406 - Not acceptable.

Any ideas?

Edit: I think simply overwriting the contents of an exisitng Wordpress .php file would be the best thing to do, I just don't want to break the whole installation. Any help would be appreciated.
View user's profile Send private message Send e-mail
PostPosted: Fri Jun 01, 2007 8:02 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Edit some .php file.Copy original code on your PC then put your code.With your code upload shell on server and backup old original code.

P.S.My engl sucksssssssssssssss
View user's profile Send private message
I'm the new admin... now what?
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.048 Seconds