Waraxe IT Security Portal  
I'm the new admin... now what?

Posted: Thu May 31, 2007 6:21 am
drag (Active user)
Joined: May 31, 2007
Posts: 25

So I've cracked the MD5 belonging to the Joomla! admin and logged in.. it was all fun. I could deface some pages, but I'd rather get UNIX accounts/resources. What do I do now? I've tried checking to see if the password that I cracked is the same as the one for a UNIX login (I've tried to be clever about guessing the login name). I have the same problem after cracking MD5s for WordPress.

I need some direction. Could someone help?

Posted: Thu May 31, 2007 1:16 pm
pexli (Valuable expert)
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Defacing is not a good idea.
Go to the Joomla homepage. Download and install Joomla on your PC. Study the admin panel. Read this forum and find web shells etc. Upload to the server and get more info. Passwords for db, another vhost, etc. Don't be a stupid haxor.

Posted: Thu May 31, 2007 1:56 pm
Chb (Valuable expert)
Joined: Jul 23, 2005
Posts: 206
Location: Germany

I agree with koko... Defacing sucks. Damn blackhat stuff...

_________________
www.der-chb.de

Posted: Thu May 31, 2007 3:25 pm
drag (Active user)
Joined: May 31, 2007
Posts: 25

I agree wholeheartedly; I'm not interested in defacing. My understanding of web shells is that the attacker needs to get the vulnerable website to unwittingly include the shell into its code. I guess the jump that I don't understand is using the control panel to make this possible. My guess is that I'd need to upload it as an extension? I'll do some research in the meantime, but any more pointers would be appreciated.

Thanks.

Posted: Thu May 31, 2007 4:35 pm
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level?
Well, just ten minutes ago I played a little bit with a Joomla 1.0.12 installation and got an easy way to have shell access from the Joomla admin interface :)
Seems like a new advisory is coming out soon :D

Posted: Thu May 31, 2007 7:12 pm
pexli (Valuable expert)
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Quote:
Well, just ten minutes ago i played little bit with joomla 1.0.12 installation and got an easy way to have shell access from joomla admin interface

Well if you have access to admin panel uploading shell is easy, but how to get admin access. :lol: :lol: :lol:

Posted: Thu May 31, 2007 7:50 pm
barr0w (Regular user)
Joined: May 30, 2007
Posts: 13

koko wrote:

Well if you have access to admin panel uploading shell is easy


What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password.

Posted: Thu May 31, 2007 7:53 pm
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

barr0w wrote:
koko wrote:

Well if you have access to admin panel uploading shell is easy


What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password.


Right now I know two different security holes for getting shell access from Joomla admin interface. But I don't know any legitimate methods :)

Posted: Thu May 31, 2007 10:59 pm
drag (Active user)
Joined: May 31, 2007
Posts: 25

waraxe wrote:
So can I understand it right - you want to escalate your access level from joomla or wordpress admin to webserver shell level?


Yep.

waraxe wrote:
Right now I know two different security holes for getting shell access from Joomla admin interface.


Public? I'd love to get a good understanding of the holes that you speak of. I don't suppose you could point in the right direction?

As far as, "Well if you have access to admin panel uploading shell is easy." Is the technique to do this as I guessed earlier? Uploading the script as an extension?

Btw, waraxe, thanks for great forum. It seems like a good group of people that are posting here, and I'm really glad I came across it.

Posted: Fri Jun 01, 2007 12:07 am
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Thanks for positive feedback!
About those "unpublished possibilities" or features in Joomla in order to get shell access or upload PHP scripts through the admin interface - I will write an advisory soon and then it will be public information. Of course, there are some other security issues too in Joomla, so stay tuned :)

Posted: Fri Jun 01, 2007 5:47 am
pexli (Valuable expert)
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

barr0w wrote:
koko wrote:

Well if you have access to admin panel uploading shell is easy


What about uploading shell with Wordpress admin access. I've done some searching and haven't really found anything that makes me believe it's possible. Only thing I can think of is find the full path to get the unix accounts home directory, hope the user name is the same as the dir, and then hope that the Wordpress admin password is the same as the Unix account password.


WordPress:
Plugin >> Plugin manager or editor
If the admin forgets to close it, you may edit this plugin and put code in there.
Manager >> File
A couple of times the admin forgets to close index.php for editing.

If everything is closed for editing and the blog has a forum, you may upload a shell in the cache or avatar directory.

Another way. If wp-content is open to write you may change uploading files and write php in options and when upload a shell.
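
Seen from the site owner's side, the post above depends on two conditions: the admin-panel file editor being left on, and files under wp-content being writable. The following added example, which is not from the thread, audits a WordPress tree for both. It relies on the `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` constants that WordPress reads from wp-config.php; the function names and the sample tree are constructed for illustration.

```python
import os, re, stat, tempfile

# WordPress constants (set in wp-config.php) that switch off admin file editing.
EDIT_OFF = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_(?:EDIT|MODS)['\"]\s*,\s*true\s*\)", re.I)

def editor_disabled(wp_root):
    """True if wp-config.php switches off the admin plugin/theme editor."""
    try:
        with open(os.path.join(wp_root, "wp-config.php"), errors="replace") as fh:
            text = re.sub(r"/\*.*?\*/", "", fh.read(), flags=re.S)
    except OSError:
        return False
    # Ignore commented-out lines so a disabled define does not count.
    live = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith(("//", "#"))]
    return bool(EDIT_OFF.search("\n".join(live)))

def loosely_writable(wp_root, subdir="wp-content"):
    """PHP files and directories under subdir that group or others may write."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(wp_root, subdir)):
        php = [os.path.join(dirpath, f) for f in files if f.lower().endswith(".php")]
        for path in [dirpath] + php:
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(path, wp_root))
    return sorted(hits)

def make_sample():
    """Constructed tree: editor left on, one loose plugin file, loose uploads dir."""
    root = tempfile.mkdtemp()
    dirs = {"wp-content": 0o755, "wp-content/plugins": 0o755,
            "wp-content/uploads": 0o777}
    files = {"wp-config.php": ("<?php\n// define('DISALLOW_FILE_EDIT', true);\n", 0o640),
             "wp-content/plugins/hello.php": ("<?php // sample plugin\n", 0o666),
             "wp-content/plugins/akismet.php": ("<?php // sample plugin\n", 0o644)}
    for rel, mode in dirs.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, (body, mode) in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    sample = make_sample()
    print(editor_disabled(sample), loosely_writable(sample))
```

Group-writable paths are flagged because the web server account often shares a group with the site owner; adjust the mask if your hosting layout differs.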

Posted: Fri Jun 01, 2007 12:31 pm
barr0w (Regular user)
Joined: May 30, 2007
Posts: 13

Thanks for the direction Koko. I'm going to make attempts today on all of those suggestions.

Posted: Fri Jun 01, 2007 3:25 pm
barr0w (Regular user)
Joined: May 30, 2007
Posts: 13

Continuing on my quest to upload a shell after I used waraxe's newest WordPress exploit to gain WordPress admin access.

So I have write permissions on a ton of .php files.

My idea was to utilize the Write->Write Post->Upload File function to upload a script, but .php extensions are blocked. Does anyone know where the function is that performs the security check? Maybe I can remove .php from the not allow list.

Another idea I have is to simply take one of the existing .php files, delete everything inside it, and copy in my shell's code. For that to work I would need to know a .php file that is useless, I don't want to overwrite functions.php or something else that is used.

What does everyone think?

Posted: Fri Jun 01, 2007 3:54 pm
barr0w (Regular user)
Joined: May 30, 2007
Posts: 13

I managed to find out where in the functions.php is the allowed upload list. I was able to upload my shell, but when I try to hit it:

http://site/blog/wp-content/uploads/2007/06/shell.php

I get an HTTP Error 406 - Not acceptable.

Any ideas?

Edit: I think simply overwriting the contents of an existing WordPress .php file would be the best thing to do, I just don't want to break the whole installation. Any help would be appreciated.

Posted: Fri Jun 01, 2007 8:02 pm
pexli (Valuable expert)
Joined: May 24, 2007
Posts: 665
Location: Bulgaria

Edit some .php file. Copy original code on your PC then put your code. With your code upload shell on server and backup old original code.

P.S. My engl sucksssssssssssssss
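
The last few posts describe two changes a site owner can detect: a script placed in an upload directory and an existing .php file whose contents were replaced. The following added example, which is not from the thread, snapshots SHA-256 hashes of the PHP files in a known-good install, reports drift against that snapshot, and lists script-like files in upload directories. The directory list, function names and sample tree are assumptions made for illustration.

```python
import hashlib, os, tempfile

PHP_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")
# Upload-style directories like those named in the thread; exact paths are assumptions.
UPLOAD_DIRS = ("wp-content/uploads", "wp-content/cache", "wp-content/avatars")

def _files(root, sub=""):
    for dirpath, _dirs, names in os.walk(os.path.join(root, sub)):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), full

def _read(path, limit=-1):
    with open(path, "rb") as fh:
        return fh.read(limit)

def snapshot(root):
    """SHA-256 of every PHP file; take it while the install is known good."""
    return {rel: hashlib.sha256(_read(full)).hexdigest()
            for rel, full in _files(root) if rel.lower().endswith(PHP_EXTS)}

def drift(root, baseline):
    """PHP files changed, added or removed since the baseline snapshot."""
    now = snapshot(root)
    return {"modified": sorted(r for r in now if r in baseline and now[r] != baseline[r]),
            "added": sorted(set(now) - set(baseline)),
            "removed": sorted(set(baseline) - set(now))}

def scripts_in_upload_dirs(root):
    """Upload-directory files with a PHP extension or a PHP open tag near the start."""
    return sorted(rel for sub in UPLOAD_DIRS for rel, full in _files(root, sub)
                  if rel.lower().endswith(PHP_EXTS)
                  or b"<?php" in _read(full, 4096).lower())

def make_install():
    """Constructed sample tree standing in for a clean WordPress install."""
    root = tempfile.mkdtemp()
    sample = {"index.php": b"<?php // front controller\n",
              "wp-includes/functions.php": b"<?php // core helpers\n",
              "wp-content/uploads/2007/06/photo.jpg": b"\xff\xd8\xff\xe0JFIF"}
    for rel, body in sample.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    tree = make_install()
    print(drift(tree, snapshot(tree)), scripts_in_upload_dirs(tree))
```

Store the baseline somewhere the web server account cannot write, otherwise whoever changes the files can change the snapshot too.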
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"