Author
|
Topic: Hack my server II (Read 87,192 times)
|
dimitrix
|
I'm stuck where most people are: there is no directory with permissions to upload a shell via SQLi, SSH has nothing by default, and I didn't look much at port 10000, but who knows if it has something...
Tonight I'll enable the permissions (as a real WP would have) on the folders... 10000... webmin awaits you...
!drvy, can you confirm?
xustyx, a deface is something easy... what we're after is root...
|
MinusFour
|
By the way, for anyone who has found a WordPress vulnerability: if it comes with default permissions, the Apache process won't be allowed to write to the www folder, so if you're trying to upload a shell that way, don't even try. What you could do if you found a vulnerability is use shell_exec...
For anyone who hasn't noticed O.o this is WordPress 2.0... I'm sure there must be many vulnerabilities....
WordPress Version 2.0
|
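Added example, not part of the thread: a way for an administrator to verify on their own server the point made in the post above, that with default permissions the Apache process cannot write under www. It evaluates the Unix owner/group/other write bits for a given account; the function names, the sample tree and the uid/gid used are constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Unix rule: owner bits if uid owns the path, else group bits, else other bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_webroot(root, uid, gids):
    """Return sorted (kind, relative path) pairs that the given account could modify."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if writable_by(os.lstat(dirpath), uid, gids):
            findings.append(("writable-dir", os.path.relpath(dirpath, root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            is_php = stat.S_ISREG(st.st_mode) and name.lower().endswith(".php")
            if is_php and writable_by(st, uid, gids):
                findings.append(("writable-php", os.path.relpath(path, root)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a read-only WordPress-like tree with one loosened uploads dir."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)
    for rel, mode in (("wp-admin", 0o755), ("wp-content", 0o755),
                      ("wp-content/uploads", 0o777)):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in (("index.php", 0o644), ("wp-content/uploads/old.php", 0o666)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    owner = os.lstat(root)
    # Assumption: the web server account neither owns the files nor is in their
    # group, modelled here as uid+1 / gid+1. ACLs and uid 0 are not considered.
    for kind, rel in audit_webroot(root, owner.st_uid + 1, {owner.st_gid + 1}):
        print(kind, rel)
```

On a real host, pass the uid and group ids of the account Apache runs as (www-data on a stock Ubuntu install) and the actual document root; an empty result means nothing under the tree can be modified through the web server process.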
#!drvy
|
What a lamer, ruining the game! He didn't follow the rules.
pffffffffff... It was me, for a laugh xD I haven't rooted anything, it was HTML injection in one of the posts.. Regards
|
Baal_30
|
How could I find out the webmin version?
|
"Luck is the care taken over details." - Winston Churchill
|
#!drvy
|
→ nmap -sV ###########
Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-01 16:07 CEST
Nmap scan report for ######### (#########)
Host is up (0.18s latency).
rDNS record for ######: #######
Not shown: 995 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          (protocol 2.0)
53/tcp    open     domain
80/tcp    open     http         Apache httpd 2.4.6 ((Ubuntu))
445/tcp   filtered microsoft-ds
10000/tcp open     http         MiniServ 1.690 (Webmin httpd)

Regards
|
dimitrix
|
WordPress Version 2.0
Exactly, 2.0; with Peibol's help I got a list of old versions xD Earn yourself some points by explaining how you know it's 2.0.
|
dRak0
|
http://WEB/wp-includes/ FPD

function wp_handle_upload(&$file, $overrides = false) {
    // The default error handler.
    if ( ! function_exists('wp_handle_upload_error') ) {
        function wp_handle_upload_error(&$file, $message) {
            return array('error'=>$message);
        }
    }

    // You may define your own function and pass the name in $overrides['upload_error_handler']
    $upload_error_handler = 'wp_handle_upload_error';

    // $_POST['action'] must be set and its value must equal $overrides['action'] or this:
    $action = 'wp_handle_upload';

    // Courtesy of php.net, the strings that describe the error indicated in $_FILES[{form field}]['error'].
    $upload_error_strings = array(false,
        __("The uploaded file exceeds the <code>upload_max_filesize</code> directive in <code>php.ini</code>."),
        __("The uploaded file exceeds the <em>MAX_FILE_SIZE</em> directive that was specified in the HTML form."),
        __("The uploaded file was only partially uploaded."),
        __("No file was uploaded."),
        __("Missing a temporary folder."),
        __("Failed to write file to disk."));

    // Accepted MIME types are set here as PCRE. Override with $override['mimes'].
    $mimes = apply_filters('upload_mimes', array (
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif' => 'image/gif',
        'png' => 'image/png',
        'bmp' => 'image/bmp',
        'tif|tiff' => 'image/tiff',
        'ico' => 'image/x-icon',
        'asf|asx|wax|wmv|wmx' => 'video/asf',
        'avi' => 'video/avi',
        'mov|qt' => 'video/quicktime',
        'mpeg|mpg|mpe' => 'video/mpeg',
        'txt|c|cc|h' => 'text/plain',
        'rtx' => 'text/richtext',
        'css' => 'text/css',
        'htm|html' => 'text/html',
        'mp3|mp4' => 'audio/mpeg',
        'ra|ram' => 'audio/x-realaudio',
        'wav' => 'audio/wav',
        'ogg' => 'audio/ogg',
        'mid|midi' => 'audio/midi',
        'wma' => 'audio/wma',
        'rtf' => 'application/rtf',
        'js' => 'application/javascript',
        'pdf' => 'application/pdf',
        'doc' => 'application/msword',
        'pot|pps|ppt' => 'application/vnd.ms-powerpoint',
        'wri' => 'application/vnd.ms-write',
        'xla|xls|xlt|xlw' => 'application/vnd.ms-excel',
        'mdb' => 'application/vnd.ms-access',
        'mpp' => 'application/vnd.ms-project',
        'swf' => 'application/x-shockwave-flash',
        'class' => 'application/java',
        'tar' => 'application/x-tar',
        'zip' => 'application/zip',
        'gz|gzip' => 'application/x-gzip',
        'exe' => 'application/x-msdownload'
    ));

    // All tests are on by default. Most can be turned off by $override[{test_name}] = false;
    $test_form = true;
    $test_size = true;

    // If you override this, you must provide $ext and $type!!!!
    $test_type = true;

    // Install user overrides. Did we mention that this voids your warranty?
    if ( is_array($overrides) )
        extract($overrides, EXTR_OVERWRITE);

    // A correct form post will pass this test.
    if ( $test_form && (!isset($_POST['action']) || ($_POST['action'] != $action)) )
        return $upload_error_handler($file, __('Invalid form submission.'));

    // A successful upload will pass this test. It makes no sense to override this one.
    if ( $file['error'] > 0 )
        return $upload_error_handler($file, $upload_error_strings[$file['error']]);

    // A non-empty file will pass this test.
    if ( $test_size && !($file['size'] > 0) )
        return $upload_error_handler($file, __('File is empty. Please upload something more substantial.'));

    // A properly uploaded file will pass this test. There should be no reason to override this one.
    if ( ! @ is_uploaded_file($file['tmp_name']) )
        return $upload_error_handler($file, __('Specified file failed upload test.'));

    // A correct MIME type will pass this test.
    if ( $test_type ) {
        $type = false;
        $ext = false;
        foreach ($mimes as $ext_preg => $mime_match) {
            $ext_preg = '![^.]\.(' . $ext_preg . ')$!i';
            if ( preg_match($ext_preg, $file['name'], $ext_matches) ) {
                $type = $mime_match;
                $ext = $ext_matches[1];
            }
        }

        if ( !$type || !$ext )
            return $upload_error_handler($file, __('File type does not meet security guidelines. Try another.'));
    }

    // A writable uploads dir will pass this test. Again, there's no point overriding this one.
    if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
        return $upload_error_handler($file, $uploads['error']);

    // Increment the file number until we have a unique file to save in $dir. Use $override['unique_filename_callback'] if supplied.
    if ( isset($unique_filename_callback) && function_exists($unique_filename_callback) ) {
        $filename = $unique_filename_callback($uploads['path'], $file['name']);
    } else {
        $number = '';
        $filename = str_replace('#', '_', $file['name']);
        $filename = str_replace(array('\\', "'"), '', $filename);
        if ( empty($ext) )
            $ext = '';
        else
            $ext = ".$ext";
        while ( file_exists($uploads['path'] . "/$filename") ) {
            if ( '' == "$number$ext" )
                $filename = $filename . ++$number . $ext;
            else
                $filename = str_replace("$number$ext", ++$number . $ext, $filename);
        }
    }

    // Move the file to the uploads dir
    $new_file = $uploads['path'] . "/$filename";
    if ( false === @ move_uploaded_file($file['tmp_name'], $new_file) )
        die(printf(__('The uploaded file could not be moved to %s.'), $file['path']));

    // Set correct file permissions
    $stat = stat(dirname($new_file));
    $perms = $stat['mode'] & 0000777;
    @ chmod($new_file, $perms);

    // Compute the URL
    $url = $uploads['url'] . "/$filename";

    return array('file' => $new_file, 'url' => $url, 'type' => $type);
}

My upload dies at: die(printf(__('The uploaded file could not be moved to %s.'),$file['path'])); returning a . as the string. That is: "The uploaded file could not be moved to ." I'm trying from /wp-admin/link-import.php. I modify MAX_FILE_SIZE, which is an input type="hidden", so that I can upload my shell, which is larger. Let's see if anyone comes up with an idea for how to get past that point, and we would have a bypass of the WordPress uploader.
|
« Last edit: 1 August 2014, 19:17 pm by ret2libc »
|
MinusFour
|
Exactly, 2.0; with Peibol's help I got a list of old versions xD
Earn yourself some points by explaining how you know it's 2.0.
http://ipdelserver/readme.html
And if you need to know the exact WordPress version, you need to get in as admin... I'm posting how to do it here, but I'm sure it has already occurred to someone... I'm almost sure. To get in as admin, it's enough to reset the admin's password in phpMyAdmin; it's in the wp_users table. To set the password, you just replace the hash with the hash of our password...
http://www.miraclesalad.com/webtools/md5.php
Copy the hash, paste it and that's it, you can log in as admin xD. In the footer we have an exact WordPress version... By the way, I wasn't the first one to think of changing the password, but what a bastard whoever did it, because I had already started cracking the hash >.> and now I know it's not going to tell me anything LOL. Another thing: since I've posted here how to gain admin privileges in WordPress, it would be good if we left it at a single password.
|
#!drvy
|
WP seems vulnerable all over, but since it doesn't even have permissions to edit itself, it's a bit pointless to try to upload something that way..
Via phpMyAdmin you can upload to the /tmp directory using dumpfile .. if only we could find an LFI, the shell would be uploaded.
Regards
|
MinusFour
|
My upload dies at: die(printf(__('The uploaded file could not be moved to %s.'),$file['path'])); returning a . as the string. That is: "The uploaded file could not be moved to ." I'm trying from /wp-admin/link-import.php. I modify MAX_FILE_SIZE, which is an input type="hidden", so that I can upload my shell, which is larger. Let's see if anyone comes up with an idea for how to get past that point, and we would have a bypass of the WordPress uploader.
I don't think there are permissions on the upload folder, or are there? If so, I think I can put a shell there. As far as I understand, the entire www directory has no write permissions, only read and execute.