 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Fri Jun 01, 2007 8:31 pm |
 |
|
| barr0w |
| Regular user |
 |
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
 |
|
 |
|
Koko, your English is fine.
So I realized that I have edit access to all of the plugins, so I figured I would just edit the Hello Dolly plugin since it's not activated.
I go to Plugins -> Plugin Editor. Open up hello.php, take out the contents of hello.php and add the contents of c99shell.php (it's the only shell I have). My problem is that when I click the 'Update File' button to save it I receive a "HTTP Error 406 - Not acceptable" error in my Internet Explorer window. I know I have edit access to that file because I can add comments in it and it will save the changes.
When I try to save it in Firefox I get:
Not Acceptable
An appropriate representation of the requested resource /blog/wp-admin/plugin-editor.php could not be found on this server.
I'm stumped. |
|
|
|
|
|
 |
|
 |
| Posted: Fri Jun 01, 2007 11:29 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
Sorry to keep posting but I keep getting one step further.
I think that I'm receiving these 406 errors because of some mod_security settings on the server. Does this mean that I hit a dead end? All I have is Wordpress Admin, and I can't upload my shells because of the mod_security rules.
Edit: Also, I know that I cna edit the .htaccess file to get around this. But when I try to edit the .htaccess file through the Wordpress File Manager I get the same 406 error that is stopping me from doing everything else. |
|
|
|
|
| Posted: Sat Jun 02, 2007 6:02 am |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Maybe plugin-editor.php mising for security reasons.Try Manage>>Files. |
|
|
|
|
| Posted: Sat Jun 02, 2007 12:00 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
I've tried:
- Manage -> Files
- Plugins -> Plugin Editor
- Write -> Post -> Upload
The mod-security rule is affecting all of those. Unless someone has another idea of getting around mod_security I think I'm going to give up on this site and try getting into another. This is just for pracice anyways. |
|
|
|
|
| Posted: Sat Jun 02, 2007 1:24 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Pls send me this wordpress on PM.I want to look inside.Thank you. |
|
|
|
|
| Posted: Sat Jun 02, 2007 2:57 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
You have access to edit all wordpress files.Yes plugin editot not work,but you may edit every file with manager>>files.I edit the wp-atom.php and put my code in there.You have PM.
P.S.I hope you know basic UNIX commands.  |
|
|
|
|
| Posted: Sat Jun 02, 2007 3:28 pm |
|
|
| barr0w |
| Regular user |
|
|
| Joined: May 30, 2007 |
| Posts: 13 |
|
|
|
|
|
|
|
Thank you so much for your help Koko, HAS is a very interesting tool.
UPDATE: Using HAS I was able to make edits to the .htaccess file disabling mod_security. This let me upload my shell. Thanks for the help. |
|
|
|
|
| Posted: Sun Jun 03, 2007 2:33 pm |
|
|
| laydback |
| Beginner |
|
|
| Joined: Jun 03, 2007 |
| Posts: 1 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon Jun 18, 2007 9:24 am |
|
|
| drag |
| Active user |
|
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
|
|
|
|
| barr0w wrote: | | So I have write permissions on a ton of .php files. |
How do you go about finding which php files you have access to? Did you find a list of php files included in wordpress and just test them one by one?
Also, what is HAS?
Thanks. |
|
|
|
|
| Posted: Mon Jun 18, 2007 10:15 am |
|
|
| drag |
| Active user |
|
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
|
|
|
|
| Well.. it looks like I have no access to edit any files within the wordpress installation. Unfortunate. Does this mean that I'm pretty hosed? |
|
|
|
|
| Posted: Mon Jun 18, 2007 10:34 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| drag wrote: | | Well.. it looks like I have no access to edit any files within the wordpress installation. Unfortunate. Does this mean that I'm pretty hosed? |
This means owner lock files for edit. |
|
|
|
|
| Posted: Mon Jun 18, 2007 10:50 am |
|
|
| drag |
| Active user |
|
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
|
|
|
|
| Just to make sure I understand, the admin has set the permissions on the files so that the user that the webserver is running doesn't have write access to them? |
|
|
|
|
| Posted: Mon Jun 18, 2007 10:53 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Write access from where?From admin panel or from shell? |
|
|
|
|
| Posted: Mon Jun 18, 2007 10:59 am |
|
|
| drag |
| Active user |
|
|
| Joined: May 31, 2007 |
| Posts: 25 |
|
|
|
|
|
|
|
my last post should have read:
Just to make sure I understand, the admin has set the permissions on the files so that the user (that the webserver is running under) doesn't have write access to them? |
|
|
|
|
| Posted: Mon Jun 18, 2007 11:08 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| You have perms to edit files ONLY when wordpress is installed.Outside you don't have edit perms. |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 2
Goto page Previous1, 2
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 207
Members: 0
Total: 207
