Waraxe IT Security Portal
Login or Register
November 15, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 82
Members: 0
Total: 82
Full disclosure
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> Profiling the target
Post new topicReply to topic View previous topic :: View next topic
Profiling the target
PostPosted: Thu Nov 06, 2008 9:12 am Reply with quote
na85
Regular user
Regular user
Joined: Jul 13, 2006
Posts: 13




So I have a site where the admin has been AWOL for almost a year now, and I want to try to get admin rights. The problem is that since he's missing and doesn't answer emails, social engineering tricks won't work on him.

I got a hash of a password he uses on another forum, but plain-text.info hasn't cracked it in over a week (not salted) so I assume it's a hella strong password.

I've been trying to get some kind of info on what software he's got installed at the site, but the more I try the more I suspect it's some kind of custom job that he did himself. On the forums for said site he mentions how the buttons on the home page are done using html tables because he doesn't know CSS so it's probably safe to say he's a nub when it comes to coding. That says to me he'll likely have left a hole or two where someone can get in.

The problem is finding those holes... can anyone give me some advice? Is there a particular SQL injection attack I can do that is likely to succeed?
View user's profile Send private message
PostPosted: Thu Nov 06, 2008 9:25 am Reply with quote
na85
Regular user
Regular user
Joined: Jul 13, 2006
Posts: 13




The forums are the same as the ones on http://sports.flakhabit.com/forum/index.php (i'm trying to avoid posting the actual site I'm trying to hit... can I do that?)
View user's profile Send private message
Re: Profiling the target
PostPosted: Thu Nov 06, 2008 11:46 am Reply with quote
x3roconf_
Advanced user
Advanced user
Joined: May 01, 2008
Posts: 101




na85 wrote:
So I have a site where the admin has been AWOL for almost a year now, and I want to try to get admin rights. The problem is that since he's missing and doesn't answer emails, social engineering tricks won't work on him.

I got a hash of a password he uses on another forum, but plain-text.info hasn't cracked it in over a week (not salted) so I assume it's a hella strong password.

I've been trying to get some kind of info on what software he's got installed at the site, but the more I try the more I suspect it's some kind of custom job that he did himself. On the forums for said site he mentions how the buttons on the home page are done using html tables because he doesn't know CSS so it's probably safe to say he's a nub when it comes to coding. That says to me he'll likely have left a hole or two where someone can get in.

The problem is finding those holes... can anyone give me some advice? Is there a particular SQL injection attack I can do that is likely to succeed?


Is it a shared hosting or dedicated server? If it is a shared hosting then you should look for other vulnerable scripts on the same server. You could give me a link to actual site (via pm) and i will check if there are any vulnerabilitis Smile
View user's profile Send private message
PostPosted: Thu Nov 06, 2008 12:34 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I'm agree with x3roconf, going through neighbour website is your best option ...
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Fri Nov 07, 2008 4:28 am Reply with quote
na85
Regular user
Regular user
Joined: Jul 13, 2006
Posts: 13




Ok for other noobs out there who may read this:

The site I am working on attacking is http://target.site.com, so on waraxe's and x3roconf's advice, I tried http://www.site.com to get another website (likely by the same author).

This one is running what appears to be punBB for its forums (which I discovered by googling for "Forum software" and using wikipedia's list of forums to find one that looks and feels similar to the one on www.site.com.

Then I tried milw0rm to find exploits for punBB.

Still trying to figure out what version of punBB they're running, not sure how. Also I'm not sure what I can do if I hack in to the forums, since I won't know anyone's password (no database access Sad )
View user's profile Send private message
PostPosted: Fri Nov 07, 2008 7:14 am Reply with quote
gyan007
Advanced user
Advanced user
Joined: Oct 17, 2008
Posts: 106




http://www.myipneighbors.com/

Shared host?=P

Might be a couple servers though.
View user's profile Send private message
PostPosted: Fri Nov 07, 2008 11:47 am Reply with quote
x3roconf_
Advanced user
Advanced user
Joined: May 01, 2008
Posts: 101




Ok.. I got target url and i got in (through neighbour site) and i noticed that target is running vulnerable kernel:
Linux [censored] 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686

BUT...

these php functions are disabled:

system,passthru,exec,popen,proc_close,proc_get_st atus,proc_nice,proc_open,proc_terminate,shell_exec ,highlight_file,escapeshellcmd,define_syslog_varia bles,posix_uname,posix_getpwuid,apache_child_termi nate,posix_kill,posix_mkfifo,posix_setpgid,posix_s etsid,posix_setuid,escapeshellarg,posix_uname,ftp_ exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_ fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inj ect_code,syslog,openlog,define_syslog_variables,ap ache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpA ds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDec ode,xmlrpc_entity_decode,fp,fput
View user's profile Send private message
PostPosted: Fri Nov 07, 2008 12:17 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




What php version?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Fri Nov 07, 2008 1:51 pm Reply with quote
x3roconf_
Advanced user
Advanced user
Joined: May 01, 2008
Posts: 101




waraxe wrote:
What php version?


php version: 5.2.5
Safe Mode: Off
View user's profile Send private message
Profiling the target
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.038 Seconds