Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 112
Members: 0
Total: 112
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> What can I do with this?
Post new topicReply to topic View previous topic :: View next topic
What can I do with this?
PostPosted: Sun Jul 20, 2008 12:30 am Reply with quote
pZourk
Regular user
Regular user
Joined: Jun 30, 2008
Posts: 8




A site has a file upload cgi script. I am able to upload anything to http://www.example.com/dropbox/files/ (I know of no way to specify the output folder) but also delete any file from example.com and all subfolders (It is on shared hosting, so I can go no higher than the public_html). I have tried uploading php files, but when I try to run them, I get a 500 server error.
I know I could just cause havok, but I am most interested in getting passwords from their phpbb 2.0.20 forum at http://www.example.com/forum/
Any suggestion of how I can accomplish this?
Thanks.
View user's profile Send private message
PostPosted: Sun Jul 20, 2008 12:47 am Reply with quote
gibbocool
Advanced user
Advanced user
Joined: Jan 22, 2008
Posts: 208




So any php file you upload gives 500 error?
Do other php files already on the server work?
Maybe the default permissions don't allow you to run the files.

Otherwise try and make a cgi script that will read the phpbb config file and output it.

_________________
http://www.gibbocool.com
View user's profile Send private message Visit poster's website
PostPosted: Sun Jul 20, 2008 12:53 am Reply with quote
pZourk
Regular user
Regular user
Joined: Jun 30, 2008
Posts: 8




The only working php files on the site are not in the upload folder. The only ones ever in there are ones I hav tried uploading. I had not thought of using cgi. I will try that.

UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.)
I have also determined that the upload cgi being used is the same as described here.
View user's profile Send private message
PostPosted: Sun Jul 20, 2008 1:28 am Reply with quote
mge
Valuable expert
Valuable expert
Joined: Jul 16, 2008
Posts: 142




uploading and executing .cgi scripts most likely won't work because they won't have the right permission to be executed by the webserver (chmod 755).

come to think of it, what you COULD do is look for a .cgi file that has 777 and try to overwrite it. don't delete it or the 777 permission will be lost. however, as it replaces the old file i would be careful with that option of course.

is it possible to upload outside of the upload folder? i suspect the webmaster has disabled php execution there.
View user's profile Send private message
PostPosted: Sun Jul 20, 2008 2:00 am Reply with quote
pZourk
Regular user
Regular user
Joined: Jun 30, 2008
Posts: 8




mge wrote:
is it possible to upload outside of the upload folder? i suspect the webmaster has disabled php execution there.
That's exactly my problem. I cannot.
If I was able to, I would have those passwords a long time ago. Twisted Evil
View user's profile Send private message
PostPosted: Sun Jul 20, 2008 3:13 am Reply with quote
mge
Valuable expert
Valuable expert
Joined: Jul 16, 2008
Posts: 142




i have an idea for the following case:

1) the file name in itself stays the same when uploading (e.g. you are uploading "sample.php" from your local disk and it keeps the name)
2) the upload script doesn't replace or remove dots (.) and slashes (/) in the file name
3) the directory above (or one of them) is writable for the web server

if all of the above match you could try forging a POST request. in submitting the form you post not only the content but also the file name (how else would it know which name to keep?)
so if you just add a "../" in front of it - or maybe use an absolute path altogether, it might work.

i just tested it with a simple upload CGI on my local server.

edit: if it's really that perlscriptsjavascripts.com script they are using, it won't work.
Code:
# get the file name, this removes everything up to and including the
# last slash found ( be it a forward or back slash )
$fileName =~ s/^.*(\\|\/)//;

i don't have any other idea for now, sorry Sad would have been a stretch anyway to find a world-writable directory with permission to execute php Wink
View user's profile Send private message
PostPosted: Mon Jul 21, 2008 11:37 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Try to upload .htaccess with this inside
AddType application/x-httpd-php .html

Then put in some .txt file php code and rename to .html and upload on server.
View user's profile Send private message
PostPosted: Mon Jul 21, 2008 3:07 pm Reply with quote
lenny
Valuable expert
Valuable expert
Joined: May 15, 2008
Posts: 275




Couldn't you write yourself a CGI script and hope that CGI is not locked to the cgi-bin?


Last edited by lenny on Wed Jul 23, 2008 12:39 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Mon Jul 21, 2008 5:13 pm Reply with quote
mge
Valuable expert
Valuable expert
Joined: Jul 16, 2008
Posts: 142




@lenny:

pZourk wrote:
UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.)


Smile
View user's profile Send private message
PostPosted: Mon Jul 21, 2008 7:19 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




mge wrote:
@lenny:

pZourk wrote:
UPDATE:
I tried cgi and recieved the same error I get with php files. (500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request.)


Smile


Laughing Laughing Laughing Laughing
View user's profile Send private message
PostPosted: Tue Jul 22, 2008 3:59 am Reply with quote
pZourk
Regular user
Regular user
Joined: Jun 30, 2008
Posts: 8




.htaccess is renamed to 1.htaccess
Thank you for the help though.
View user's profile Send private message
PostPosted: Wed Jul 23, 2008 12:02 pm Reply with quote
lenny
Valuable expert
Valuable expert
Joined: May 15, 2008
Posts: 275




Sorry, i hadnt noticed Confused

Anyway, did you manage to pull off any exploit... or are you calling it quits?
View user's profile Send private message
PostPosted: Thu Jul 24, 2008 11:11 pm Reply with quote
pZourk
Regular user
Regular user
Joined: Jun 30, 2008
Posts: 8




I think I will call it quits on this one. The best I have gotten there is access to a user that can only see some 'secret' subforums, which is how I found out about the file uploader. Once again thanks.
View user's profile Send private message
What can I do with this?
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.038 Seconds