Mensajes

Tremendo debugger windbg. Cuando estas aprendiendo internals de windows , te salva la vida y lo hace un poco mas llevadero.

-rwsr-xr-x 1 root root 44176 May 16  2013 /bin/ping
-rwsr-xr-x 1 root root 94792 Jun 12  2013 /bin/mount
-rwsr-xr-x 1 root root 44688 May 16  2013 /bin/ping6
-rwsr-xr-x 1 root root 36936 Jul 26  2013 /bin/su
-rwsr-xr-x 1 root root 69120 Jun 12  2013 /bin/umount
-rwxr-sr-x 1 root shadow 35536 May 18  2013 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 121112 Mar 11 08:24 /usr/bin/sudo
-rwsr-xr-x 1 root root 32464 Jul 26  2013 /usr/bin/newgrp
-rwxr-sr-x 1 root ssh 129120 Apr 29 19:54 /usr/bin/ssh-agent
-rwsr-sr-x 1 root mail 89216 Jun  8  2012 /usr/bin/procmail
-rwsr-xr-x 1 root root 23104 May 16  2013 /usr/bin/traceroute6.iputils
-rwxr-sr-x 1 root shadow 23360 Jul 26  2013 /usr/bin/expiry
-rwsr-xr-x 1 root root 68152 Jul 26  2013 /usr/bin/gpasswd
-rwxr-sr-x 1 root tty 19024 Jun 12  2013 /usr/bin/wall
-rwxr-sr-x 1 root shadow 54968 Jul 26  2013 /usr/bin/chage
-rwsr-xr-x 1 root root 41336 Jul 26  2013 /usr/bin/chsh
-rwxr-sr-x 1 root mail 18672 Jun  8  2012 /usr/bin/lockfile
-rwxr-sr-x 1 root crontab 35984 Feb  9  2013 /usr/bin/crontab
-rwsr-xr-x 1 root root 47032 Jul 26  2013 /usr/bin/passwd
-rwsr-xr-x 1 root root 18928 May 16  2013 /usr/bin/arping
-rwxr-sr-x 1 root tty 14688 Jun  4  2013 /usr/bin/bsd-write
-rwsr-xr-x 1 root root 46424 Jul 26  2013 /usr/bin/chfn
-rwxr-sr-x 1 root utmp 380088 Aug 19  2013 /usr/bin/screen
-rwxr-sr-x 1 root mlocate 39520 Jun 20  2013 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 14848 Jun  5  2013 /usr/bin/dotlockfile
-rwsr-xr-x 1 root root 10208 Sep 10  2013 /usr/sbin/sensible-mda
-rwsr-sr-x 1 libuuid libuuid 18904 Jun 12  2013 /usr/sbin/uuidd
-rwxr-sr-x 1 root smmsp 82816 Sep 10  2013 /usr/lib/sm.bin/mailstats
-rwxr-sr-x 1 root smmsp 851840 Sep 10  2013 /usr/lib/sm.bin/sendmail
-rwsr-xr-x 1 root root 249704 Apr 29 19:54 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10368 Oct 12  2013 /usr/lib/pt_chown

A escalar privilegios bitchess...!

Borra los permisos y la shell. Se va la gracia sino. Igual , aprendi algo nuevo , lo cual era el objetivo de esto.

dimitrix , saca los permisos ... Danos un poco mas de tiempo. Ando en algo. Dejalo sin permisos.

Aunque me encanta OllyDbg porque empeze con el , te recomiendo que uses IDA desde el principio asi dsp no te molesta hacer el cambio.

https://www.hex-rays.com/products/ida/index.shtml

Sale chuck norris del monitor.

Perdon , es 2.0.1 RC 1 . Me baje el source de la pagina oficial de wordpress y el readme dice 2.0 . Lee 3 paginas atras que estuvimos discutiendo sobre entrar por wordpress.

http://WEB/wp-includes/ FPD

Código (php) [Seleccionar] Expandir


function wp_handle_upload(&$file, $overrides = false) {
// The default error handler.
if (! function_exists('wp_handle_upload_error') ) {
function wp_handle_upload_error(&$file, $message) {
return array('error'=>$message);
}
}

// You may define your own function and pass the name in $overrides['upload_error_handler']
$upload_error_handler = 'wp_handle_upload_error';

// $_POST['action'] must be set and its value must equal $overrides['action'] or this:
$action = 'wp_handle_upload';

// Courtesy of php.net, the strings that describe the error indicated in $_FILES[{form field}]['error'].
$upload_error_strings = array(false,
__("The uploaded file exceeds the <code>upload_max_filesize</code> directive in <code>php.ini</code>."),
__("The uploaded file exceeds the <em>MAX_FILE_SIZE</em> directive that was specified in the HTML form."),
__("The uploaded file was only partially uploaded."),
__("No file was uploaded."),
__("Missing a temporary folder."),
__("Failed to write file to disk."));

// Accepted MIME types are set here as PCRE. Override with $override['mimes'].
$mimes = apply_filters('upload_mimes', array (
'jpg|jpeg|jpe' => 'image/jpeg',
'gif' => 'image/gif',
'png' => 'image/png',
'bmp' => 'image/bmp',
'tif|tiff' => 'image/tiff',
'ico' => 'image/x-icon',
'asf|asx|wax|wmv|wmx' => 'video/asf',
'avi' => 'video/avi',
'mov|qt' => 'video/quicktime',
'mpeg|mpg|mpe' => 'video/mpeg',
'txt|c|cc|h' => 'text/plain',
'rtx' => 'text/richtext',
'css' => 'text/css',
'htm|html' => 'text/html',
'mp3|mp4' => 'audio/mpeg',
'ra|ram' => 'audio/x-realaudio',
'wav' => 'audio/wav',
'ogg' => 'audio/ogg',
'mid|midi' => 'audio/midi',
'wma' => 'audio/wma',
'rtf' => 'application/rtf',
'js' => 'application/javascript',
'pdf' => 'application/pdf',
'doc' => 'application/msword',
'pot|pps|ppt' => 'application/vnd.ms-powerpoint',
'wri' => 'application/vnd.ms-write',
'xla|xls|xlt|xlw' => 'application/vnd.ms-excel',
'mdb' => 'application/vnd.ms-access',
'mpp' => 'application/vnd.ms-project',
'swf' => 'application/x-shockwave-flash',
'class' => 'application/java',
'tar' => 'application/x-tar',
'zip' => 'application/zip',
'gz|gzip' => 'application/x-gzip',
'exe' => 'application/x-msdownload'
));

// All tests are on by default. Most can be turned off by $override[{test_name}] = false;
$test_form = true;
$test_size = true;

// If you override this, you must provide $ext and $type!!!!
$test_type = true;

// Install user overrides. Did we mention that this voids your warranty?
if ( is_array($overrides) )
extract($overrides, EXTR_OVERWRITE);

// A correct form post will pass this test.
if ( $test_form && (!isset($_POST['action']) || ($_POST['action'] != $action)) )
return $upload_error_handler($file, __('Invalid form submission.'));

// A successful upload will pass this test. It makes no sense to override this one.
if ( $file['error'] > 0 )
return $upload_error_handler($file, $upload_error_strings[$file['error']]);

// A non-empty file will pass this test.
if ( $test_size && !($file['size'] > 0) )
return $upload_error_handler($file, __('File is empty. Please upload something more substantial.'));

// A properly uploaded file will pass this test. There should be no reason to override this one.
if (! @ is_uploaded_file($file['tmp_name']) )
return $upload_error_handler($file, __('Specified file failed upload test.'));

// A correct MIME type will pass this test.
if ( $test_type ) {
$type = false;
$ext = false;
foreach ($mimes as $ext_preg => $mime_match) {
$ext_preg = '![^.]\.(' . $ext_preg . ')$!i';
if ( preg_match($ext_preg, $file['name'], $ext_matches) ) {
$type = $mime_match;
$ext = $ext_matches[1];
}
}

if ( !$type || !$ext )
return $upload_error_handler($file, __('File type does not meet security guidelines. Try another.'));
}

// A writable uploads dir will pass this test. Again, there's no point overriding this one.
if ( ! ( ( $uploads = wp_upload_dir() ) && false === $uploads['error'] ) )
return $upload_error_handler($file, $uploads['error']);

// Increment the file number until we have a unique file to save in $dir. Use $override['unique_filename_callback'] if supplied.
if ( isset($unique_filename_callback) && function_exists($unique_filename_callback) ) {
$filename = $unique_filename_callback($uploads['path'], $file['name']);
} else {
$number = '';
$filename = str_replace('#', '_', $file['name']);
$filename = str_replace(array('\\', "'"), '', $filename);
if ( empty($ext) )
$ext = '';
else
$ext = ".$ext";
while ( file_exists($uploads['path'] . "/$filename") ) {
if ( '' == "$number$ext" )
$filename = $filename . ++$number . $ext;
else
$filename = str_replace("$number$ext", ++$number . $ext, $filename);
}
}

// Move the file to the uploads dir
$new_file = $uploads['path'] . "/$filename";
if ( false === @ move_uploaded_file($file['tmp_name'], $new_file) )
die(printf(__('The uploaded file could not be moved to %s.'), $file['path']));

// Set correct file permissions
$stat = stat(dirname($new_file));
$perms = $stat['mode'] & 0000777;
@ chmod($new_file, $perms);

// Compute the URL
$url = $uploads['url'] . "/$filename";

return array('file' => $new_file, 'url' => $url, 'type' => $type);
}





Mi upload muere en : die(printf(__('The uploaded file could not be moved to %s.'),$file['path']));

Devolviendo como string un .
Es decir : "The uploaded file could not be moved to  ."

Intento desde /wp-admin/link-import.php

Modifico el MAX_FILE_SIZE ,que es un input type="hidden",para poder subir mi shell que tiene mas tamaño.

A ver si alguno se le cae alguna idea de como pasar desde ahi , y tendriamos un bypass al uploader de wordpress.

No valen plugins ¬¬.

[Mod: Se supone que no se da ni la direccion ni la IP ·_·]

Prueben por el puerto 10000.


Mod: Se supone que no se da ni la direccion ni la IP ·_·

Mala mia.