 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 452
 Members: 0
 Total: 452
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Profiling the target |
|
 Posted: Thu Nov 06, 2008 9:12 am |
 |
|
| na85 |
| Regular user |
 |
| |
| Joined: Jul 13, 2006 |
| Posts: 13 |
|
|
|
 |
|
 |
|
So I have a site where the admin has been AWOL for almost a year now, and I want to try to get admin rights. The problem is that since he's missing and doesn't answer emails, social engineering tricks won't work on him.
I got a hash of a password he uses on another forum, but plain-text.info hasn't cracked it in over a week (not salted) so I assume it's a hella strong password.
I've been trying to get some kind of info on what software he's got installed at the site, but the more I try the more I suspect it's some kind of custom job that he did himself. On the forums for said site he mentions how the buttons on the home page are done using html tables because he doesn't know CSS so it's probably safe to say he's a nub when it comes to coding. That says to me he'll likely have left a hole or two where someone can get in.
The problem is finding those holes... can anyone give me some advice? Is there a particular SQL injection attack I can do that is likely to succeed? |
|
|
|
|
|
|
|
|
| Posted: Thu Nov 06, 2008 9:25 am |
|
|
| na85 |
| Regular user |
|
| |
| Joined: Jul 13, 2006 |
| Posts: 13 |
|
|
|
|
|
|
|
|
|
|
|
|
Re: Profiling the target |
|
| Posted: Thu Nov 06, 2008 11:46 am |
|
|
| x3roconf_ |
| Advanced user |
|
| |
| Joined: May 01, 2008 |
| Posts: 101 |
|
|
|
|
|
|
|
| na85 wrote: | So I have a site where the admin has been AWOL for almost a year now, and I want to try to get admin rights. The problem is that since he's missing and doesn't answer emails, social engineering tricks won't work on him.
I got a hash of a password he uses on another forum, but plain-text.info hasn't cracked it in over a week (not salted) so I assume it's a hella strong password.
I've been trying to get some kind of info on what software he's got installed at the site, but the more I try the more I suspect it's some kind of custom job that he did himself. On the forums for said site he mentions how the buttons on the home page are done using html tables because he doesn't know CSS so it's probably safe to say he's a nub when it comes to coding. That says to me he'll likely have left a hole or two where someone can get in.
The problem is finding those holes... can anyone give me some advice? Is there a particular SQL injection attack I can do that is likely to succeed? |
Is it a shared hosting or dedicated server? If it is a shared hosting then you should look for other vulnerable scripts on the same server. You could give me a link to actual site (via pm) and i will check if there are any vulnerabilitis  |
|
|
|
|
|
|
|
|
| Posted: Thu Nov 06, 2008 12:34 pm |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| I'm agree with x3roconf, going through neighbour website is your best option ... |
|
|
|
|
| Posted: Fri Nov 07, 2008 4:28 am |
|
|
| na85 |
| Regular user |
|
| |
| Joined: Jul 13, 2006 |
| Posts: 13 |
|
|
|
|
|
|
|
Ok for other noobs out there who may read this:
The site I am working on attacking is http://target.site.com, so on waraxe's and x3roconf's advice, I tried http://www.site.com to get another website (likely by the same author).
This one is running what appears to be punBB for its forums (which I discovered by googling for "Forum software" and using wikipedia's list of forums to find one that looks and feels similar to the one on www.site.com.
Then I tried milw0rm to find exploits for punBB.
Still trying to figure out what version of punBB they're running, not sure how. Also I'm not sure what I can do if I hack in to the forums, since I won't know anyone's password (no database access  ) |
|
|
|
|
| Posted: Fri Nov 07, 2008 7:14 am |
|
|
| gyan007 |
| Advanced user |
|
| |
| Joined: Oct 17, 2008 |
| Posts: 106 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Fri Nov 07, 2008 11:47 am |
|
|
| x3roconf_ |
| Advanced user |
|
| |
| Joined: May 01, 2008 |
| Posts: 101 |
|
|
|
|
|
|
|
Ok.. I got target url and i got in (through neighbour site) and i noticed that target is running vulnerable kernel:
Linux [censored] 2.6.18-8.el5 #1 SMP Thu Mar 15 19:57:35 EDT 2007 i686
BUT...
these php functions are disabled:
system,passthru,exec,popen,proc_close,proc_get_st atus,proc_nice,proc_open,proc_terminate,shell_exec ,highlight_file,escapeshellcmd,define_syslog_varia bles,posix_uname,posix_getpwuid,apache_child_termi nate,posix_kill,posix_mkfifo,posix_setpgid,posix_s etsid,posix_setuid,escapeshellarg,posix_uname,ftp_ exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_ fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inj ect_code,syslog,openlog,define_syslog_variables,ap ache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpA ds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDec ode,xmlrpc_entity_decode,fp,fput |
|
|
|
|
|
|
|
|
| Posted: Fri Nov 07, 2008 12:17 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
|
|
|
|
| Posted: Fri Nov 07, 2008 1:51 pm |
|
|
| x3roconf_ |
| Advanced user |
|
| |
| Joined: May 01, 2008 |
| Posts: 101 |
|
|
|
|
|
|
|
| waraxe wrote: | | What php version? |
php version: 5.2.5
Safe Mode: Off |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
