Hack my server II

Started by dimitrix, 28 June 2014, 20:09 PM

dimitrix

Quote from: Stakewinner00 on 1 August 2014, 18:03 PM
I'm stuck like most people: there's no directory with permissions to upload a shell via SQLi, SSH has nothing by default, and I didn't look much at port 10000, but who knows if there's something there...

Tonight I'll enable the permissions (as a real WP would have) on the folders...

10000... webmin awaits you...

!drvy can you confirm?

xustyx a deface is easy... we're after root...

MinusFour

By the way, for whoever has found a WordPress vulnerability: if it comes with default permissions, the apache process won't be allowed to write to the www folder, so if you're trying to upload a shell that way, don't even bother. What you could do, if you found a vulnerability, is use shell_exec...

For those who haven't noticed O.o this is WordPress 2.0... I'm sure there must be lots of vulnerabilities....

WordPress
Version 2.0

#!drvy

Quote from: alkage on 1 August 2014, 18:27 PM
What a lamer, ruining the game! He didn't follow the rules.

pffffffffff...

That was me, for a laugh xD I haven't rooted anything, it was HTML injection in one of the posts..

Regards

Baal_30

How could I find out the webmin version? :P
"Luck is the care of details". -Winston Churchill

#!drvy

Code (bash)
→ nmap -sV  ###########

Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-01 16:07 CEST
Nmap scan report for #########  (#########)
Host is up (0.18s latency).
rDNS record for ######: #######
Not shown: 995 closed ports
PORT      STATE    SERVICE      VERSION
22/tcp    open     ssh          (protocol 2.0)
53/tcp    open     domain
80/tcp    open     http         Apache httpd 2.4.6 ((Ubuntu))
445/tcp   filtered microsoft-ds
10000/tcp open     http         MiniServ 1.690 (Webmin httpd)


Regards

dimitrix

Quote from: MinusFour on 1 August 2014, 18:42 PM
WordPress
Version 2.0

Exactly, 2.0; with Peibol's help I got a list of old versions xD

Earn yourself a few points by explaining how you know it's 2.0.

dRak0

#76
http://WEB/wp-includes/ FPD


Code (php)

function wp_handle_upload(&$file, $overrides = false) {
    // The default error handler.
    if (! function_exists('wp_handle_upload_error') ) {
        function wp_handle_upload_error(&$file, $message) {
            return array('error'=>$message);
        }
    }

    // You may define your own function and pass the name in $overrides['upload_error_handler']
    $upload_error_handler = 'wp_handle_upload_error';

    // $_POST['action'] must be set and its value must equal $overrides['action'] or this:
    $action = 'wp_handle_upload';

    // Courtesy of php.net, the strings that describe the error indicated in $_FILES[{form field}]['error'].
    $upload_error_strings = array(false,
        __("The uploaded file exceeds the <code>upload_max_filesize</code> directive in <code>php.ini</code>."),
        __("The uploaded file exceeds the <em>MAX_FILE_SIZE</em> directive that was specified in the HTML form."),
        __("The uploaded file was only partially uploaded."),
        __("No file was uploaded."),
        __("Missing a temporary folder."),
        __("Failed to write file to disk."));

    // Accepted MIME types are set here as PCRE. Override with $override['mimes'].
    $mimes = apply_filters('upload_mimes', array (
        'jpg|jpeg|jpe' => 'image/jpeg',
        'gif' => 'image/gif',
        'png' => 'image/png',
        'bmp' => 'image/bmp',
        'tif|tiff' => 'image/tiff',
        'ico' => 'image/x-icon',
        'asf|asx|wax|wmv|wmx' => 'video/asf',
        'avi' => 'video/avi',
        'mov|qt' => 'video/quicktime',
        'mpeg|mpg|mpe' => 'video/mpeg',
        'txt|c|cc|h' => 'text/plain',
        'rtx' => 'text/richtext',
        'css' => 'text/css',
        'htm|html' => 'text/html',
        'mp3|mp4' => 'audio/mpeg',
        'ra|ram' => 'audio/x-realaudio',
        'wav' => 'audio/wav',
        'ogg' => 'audio/ogg',
        'mid|midi' => 'audio/midi',
        'wma' => 'audio/wma',
        'rtf' => 'application/rtf',
        'js' => 'application/javascript',
        'pdf' => 'application/pdf',
        'doc' => 'application/msword',
        'pot|pps|ppt' => 'application/vnd.ms-powerpoint',
        'wri' => 'application/vnd.ms-write',
        'xla|xls|xlt|xlw' => 'application/vnd.ms-excel',
        'mdb' => 'application/vnd.ms-access',
        'mpp' => 'application/vnd.ms-project',
        'swf' => 'application/x-shockwave-flash',
        'class' => 'application/java',
        'tar' => 'application/x-tar',
        'zip' => 'application/zip',
        'gz|gzip' => 'application/x-gzip',
        'exe' => 'application/x-msdownload'
    ));

    // All tests are on by default. Most can be turned off by $override[{test_name}] = false;
    $test_form = true;
    $test_size = true;

    // If you override this, you must provide $ext and $type!!!!
    $test_type = true;

    // Install user overrides. Did we mention that this voids your warranty?
    if ( is_array($overrides) )
        extract($overrides, EXTR_OVERWRITE);

    // A correct form post will pass this test.
    if ( $test_form && (!isset($_POST['action']) || ($_POST['action'] != $action)) )
        return $upload_error_handler($file, __('Invalid form submission.'));

    // A successful upload will pass this test. It makes no sense to override this one.
    if ( $file['error'] > 0 )
        return $upload_error_handler($file, $upload_error_strings[$file['error']]);

    // A non-empty file will pass this test.
    if ( $test_size && !($file['size'] > 0) )
        return $upload_error_handler($file, __('File is empty. Please upload something more substantial.'));

    // A properly uploaded file will pass this test. There should be no reason to override this one.
    if (! @ is_uploaded_file($file['tmp_name']) )
        return $upload_error_handler($file, __('Specified file failed upload test.'));

    // A correct MIME type will pass this test.
    // (Only the file name's extension is inspected; the content is never examined.)
    if ( $test_type ) {
        $type = false;
        $ext = false;
        foreach ($mimes as $ext_preg => $mime_match) {
            $ext_preg = '![^.]\.(' . $ext_preg . ')$!i';
            if ( preg_match($ext_preg, $file['name'], $ext_matches) ) {
                $type = $mime_match;
                $ext = $ext_matches[1];
            }
        }

        if ( !$type || !$ext )
            return $upload_error_handler($file, __('File type does not meet security guidelines. Try another.'));
    }

    // A writable uploads dir will pass this test. Again, there's no point overriding this one.
    if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
        return $upload_error_handler($file, $uploads['error']);

    // Increment the file number until we have a unique file to save in $dir. Use $override['unique_filename_callback'] if supplied.
    if ( isset($unique_filename_callback) && function_exists($unique_filename_callback) ) {
        $filename = $unique_filename_callback($uploads['path'], $file['name']);
    } else {
        $number = '';
        $filename = str_replace('#', '_', $file['name']);
        $filename = str_replace(array('\\', "'"), '', $filename);
        if ( empty($ext) )
            $ext = '';
        else
            $ext = ".$ext";
        while ( file_exists($uploads['path'] . "/$filename") ) {
            if ( '' == "$number$ext" )
                $filename = $filename . ++$number . $ext;
            else
                $filename = str_replace("$number$ext", ++$number . $ext, $filename);
        }
    }

    // Move the file to the uploads dir
    $new_file = $uploads['path'] . "/$filename";
    // Note: $file['path'] is never set anywhere, so the %s in this message is printed empty.
    if ( false === @ move_uploaded_file($file['tmp_name'], $new_file) )
        die(printf(__('The uploaded file could not be moved to %s.'), $file['path']));

    // Set correct file permissions
    $stat = stat(dirname($new_file));
    $perms = $stat['mode'] & 0000777;
    @ chmod($new_file, $perms);

    // Compute the URL
    $url = $uploads['url'] . "/$filename";

    return array('file' => $new_file, 'url' => $url, 'type' => $type);
}

My upload dies at: die(printf(__('The uploaded file could not be moved to %s.'),$file['path']));

It returns a single . as the string, i.e.: "The uploaded file could not be moved to  ."

I'm trying from /wp-admin/link-import.php

I modify MAX_FILE_SIZE, which is an input type="hidden", so I can upload my shell, which is larger.

Let's see if anyone has an idea of how to get past that point; then we'd have a bypass for the WordPress uploader.

MinusFour

Quote from: dimitrix on 1 August 2014, 19:05 PM
Exactly, 2.0; with Peibol's help I got a list of old versions xD

Earn yourself a few points by explaining how you know it's 2.0.

http://ipdelserver/readme.html

And if you need to know the exact WordPress version, you need to get in as admin... I'll put here how to do it, but I'm sure someone has already thought of it... almost sure.

To get in as admin, it's enough to reset the admin password in phpMyAdmin; it's in the wp_users table. To set the password, you just replace the hash with our own password hashed...

http://www.miraclesalad.com/webtools/md5.php

Copy the hash, paste it, and done: you can log in as admin xD.

In the footer we have the exact WordPress version...

By the way, I wasn't the first to think of changing the password, but what a bastard whoever did it, because I'd already started cracking the hash >.> and now I know it won't tell me anything LOL.

Another thing: since I've posted here how to gain admin privileges on the WordPress, it would be good if we all settled on a single password.

#!drvy

The WP seems vulnerable all over, but since it doesn't even have permissions to edit itself, it's a bit pointless trying to upload anything that way..

Via phpMyAdmin you can upload via dumpfile to the /tmp directory.. if only we could find an LFI, the shell would be up.

Regards

MinusFour

Quote from: ret2libc on 1 August 2014, 19:09 PM
http://WEB/wp-includes/ FPD

My upload dies at: die(printf(__('The uploaded file could not be moved to %s.'),$file['path']));

It returns a single . as the string, i.e.: "The uploaded file could not be moved to  ."

I'm trying from /wp-admin/link-import.php

I modify MAX_FILE_SIZE, which is an input type="hidden", so I can upload my shell, which is larger.

Let's see if anyone has an idea of how to get past that point; then we'd have a bypass for the WordPress uploader.


I don't think there are permissions on the upload folder, or are there? If there are, I think I can put a shell there. As I understand it, the whole www directory has no write permission, only read and execute.
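The question the thread keeps coming back to is which paths under the document root the web server can actually write to. Below is an added administrator-side audit for exactly that; it is not code from the thread or from WordPress. It takes the document root and the web-server account name as arguments (www-data is only an assumed default), and lists anything world-writable or owned by that account.

```shell
#!/bin/sh
# audit_writable DOCROOT [WEBUSER]
# Lists every entry under DOCROOT that the web server could modify:
#   - world-writable files/dirs (mode bit 0002), and
#   - entries owned by WEBUSER (assumed default: www-data), which it can
#     write whatever the mode bits say.
# Returns 0 when nothing is writable, 1 when something is, 2 on bad input.
# Symlinks are skipped because their own mode bits are meaningless.
audit_writable() {
    docroot="$1"
    webuser="${2:-www-data}"
    [ -d "$docroot" ] || { echo "audit_writable: no such directory: $docroot" >&2; return 2; }

    # Part 1: world-writable entries, regardless of owner.
    hits=$(find "$docroot" ! -type l -perm -0002 -print)

    # Part 2: entries owned by the web-server account. Only run when that
    # account exists on this host, since 'find -user' fails on an unknown name.
    if id "$webuser" >/dev/null 2>&1; then
        owned=$(find "$docroot" ! -type l -user "$webuser" -print)
        hits=$(printf '%s\n%s\n' "$hits" "$owned" | sed '/^$/d' | sort -u)
    fi

    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# A hardened WordPress tree as described in the thread (everything read-only
# for the web server except the uploads directory) should report only that
# one path. Assumed docroot and account name:
# audit_writable /var/www/html www-data
```

A non-zero exit makes the function usable as a pre-deployment check; a report containing anything other than the intended upload directory is the finding.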