Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
December 5, 2023
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 350
Members: 0
Total: 350
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> I'm the new admin... now what? Goto page Previous  1, 2
Post new topic  Reply to topic View previous topic :: View next topic 
PostPosted: Fri Jun 01, 2007 8:31 pm Reply with quote
barr0w
Regular user
Regular user
 
Joined: May 30, 2007
Posts: 13




Koko, your English is fine.

So I realized that I have edit access to all of the plugins, so I figured I would just edit the Hello Dolly plugin since it's not activated.

I go to Plugins -> Plugin Editor. Open up hello.php, take out the contents of hello.php and add the contents of c99shell.php (it's the only shell I have). My problem is that when I click the 'Update File' button to save it I receive a "HTTP Error 406 - Not acceptable" error in my Internet Explorer window. I know I have edit access to that file because I can add comments in it and it will save the changes.

When I try to save it in Firefox I get:
Not Acceptable
An appropriate representation of the requested resource /blog/wp-admin/plugin-editor.php could not be found on this server.

I'm stumped.
View user's profile Send private message Send e-mail
PostPosted: Fri Jun 01, 2007 11:29 pm Reply with quote
barr0w
Regular user
Regular user
 
Joined: May 30, 2007
Posts: 13




Sorry to keep posting but I keep getting one step further.

I think that I'm receiving these 406 errors because of some mod_security settings on the server. Does this mean that I hit a dead end? All I have is Wordpress Admin, and I can't upload my shells because of the mod_security rules.

Edit: Also, I know that I cna edit the .htaccess file to get around this. But when I try to edit the .htaccess file through the Wordpress File Manager I get the same 406 error that is stopping me from doing everything else.
View user's profile Send private message Send e-mail
PostPosted: Sat Jun 02, 2007 6:02 am Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Maybe plugin-editor.php mising for security reasons.Try Manage>>Files.
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 12:00 pm Reply with quote
barr0w
Regular user
Regular user
 
Joined: May 30, 2007
Posts: 13




I've tried:
- Manage -> Files
- Plugins -> Plugin Editor
- Write -> Post -> Upload

The mod-security rule is affecting all of those. Unless someone has another idea of getting around mod_security I think I'm going to give up on this site and try getting into another. This is just for pracice anyways.
View user's profile Send private message Send e-mail
PostPosted: Sat Jun 02, 2007 1:24 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Pls send me this wordpress on PM.I want to look inside.Thank you.
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 2:57 pm Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




You have access to edit all wordpress files.Yes plugin editot not work,but you may edit every file with manager>>files.I edit the wp-atom.php and put my code in there.You have PM.

P.S.I hope you know basic UNIX commands. Laughing Laughing Laughing
View user's profile Send private message
PostPosted: Sat Jun 02, 2007 3:28 pm Reply with quote
barr0w
Regular user
Regular user
 
Joined: May 30, 2007
Posts: 13




Thank you so much for your help Koko, HAS is a very interesting tool.

UPDATE: Using HAS I was able to make edits to the .htaccess file disabling mod_security. This let me upload my shell. Thanks for the help.
View user's profile Send private message Send e-mail
PostPosted: Sun Jun 03, 2007 2:33 pm Reply with quote
laydback
Beginner
Beginner
 
Joined: Jun 03, 2007
Posts: 1




I made a video tutorial on the admin-ajax vuln.

Check it out --> http://h4ck3d.by.ru/
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 9:24 am Reply with quote
drag
Active user
Active user
 
Joined: May 31, 2007
Posts: 25




barr0w wrote:
So I have write permissions on a ton of .php files.


How do you go about finding which php files you have access to? Did you find a list of php files included in wordpress and just test them one by one?

Also, what is HAS?

Thanks.
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 10:15 am Reply with quote
drag
Active user
Active user
 
Joined: May 31, 2007
Posts: 25




Well.. it looks like I have no access to edit any files within the wordpress installation. Unfortunate. Does this mean that I'm pretty hosed?
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 10:34 am Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




drag wrote:
Well.. it looks like I have no access to edit any files within the wordpress installation. Unfortunate. Does this mean that I'm pretty hosed?


This means owner lock files for edit.
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 10:50 am Reply with quote
drag
Active user
Active user
 
Joined: May 31, 2007
Posts: 25




Just to make sure I understand, the admin has set the permissions on the files so that the user that the webserver is running doesn't have write access to them?
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 10:53 am Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Write access from where?From admin panel or from shell?
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 10:59 am Reply with quote
drag
Active user
Active user
 
Joined: May 31, 2007
Posts: 25




my last post should have read:

Just to make sure I understand, the admin has set the permissions on the files so that the user (that the webserver is running under) doesn't have write access to them?
View user's profile Send private message
PostPosted: Mon Jun 18, 2007 11:08 am Reply with quote
pexli
Valuable expert
Valuable expert
 
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




You have perms to edit files ONLY when wordpress is installed.Outside you don't have edit perms.
View user's profile Send private message
I'm the new admin... now what?
  www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 2 of 2  
Goto page Previous  1, 2
  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.162 Seconds