Lololol arbitrary command injection, which command should I execute?
-
2015-10-14 at 11:41 PM UTC
So I was fucking around with some tools of mine and discovered several vulnerabilities on this one site, including arbitrary command injection. I spawned a shell so now I have a pseudo terminal going on. You may decide the fate of this server and tell me which command I should execute. I also found out the configuration of the server. Here's a pastebin with all the information.
http://pastebin.com/cKM4fi3F
This entire fucking website might as well be renamed to Pretty Damn Vulnerable Web App 2, because besides SQLi and OS command injection vulnerabilities they're also vulnerable to XSS. See the below link if it pleases you.
http://www.northpeak.com.tw/viewnews...9%3C/scRipt%3E
Here's a screenshot I took when command injection was successful, it's pretty nifty because you can also see the command that was injected and that it was able to spawn a shell.
-
2015-10-15 at 1:59 AM UTC
I would cat the virtual hosts in the /etc/apache or /etc/nginx for the documentroot and mess around with the actual website
something subtle, like embedded meatspin on the login failed page or something
you could always go the classic rm -rf / though
-
2015-10-15 at 2:13 AM UTC
> I would cat the virtual hosts in the /etc/apache or /etc/nginx for the documentroot and mess around with the actual website
> something subtle, like embedded meatspin on the login failed page or something
That's pretty hilarious. Maybe I should try that.
> you could always go the classic rm -rf / though
If all else fails I will. Also, for times like these I wish I had some juicy Linux malware to upload for maintaining access. That should be possible, right? Maybe I could generate a meterpreter with metasploit. Thoughts?
-
2015-10-15 at 2:24 AM UTC
set yourself up with an ssh account?
if you want to be sneaky, cat /etc/passwd, look for a system account with the shell set to /bin/false, set it to /bin/sh and reset the password... that way it won't be immediately obvious that a new user's been added, and the only way they'll notice is by actively monitoring the ssh logs and seeing activity on accounts that aren't supposed to have access
alternatively you can bind netcat to a terminal and have it listen on a nonstandard port, but that runs the risk of getting fucked by NAT as well as someone noticing the port being open, or even some other chud finding it
-
2015-10-15 at 2:37 AM UTC
> set yourself up with an ssh account?
> if you want to be sneaky, cat /etc/passwd, look for a system account with the shell set to /bin/false, set it to /bin/sh and reset the password… that way it won't be immediately obvious that a new user's been added, and the only way they'll notice is by actively monitoring the ssh logs and seeing activity on accounts that aren't supposed to have access
Excellent suggestion, I'm going to look into this before I do anything else.
> alternatively you can bind netcat to a terminal and have it listen on a nonstandard port, but that runs the risk of getting fucked by NAT as well as someone noticing the port being open, or even some other chud finding it
I'll keep this in mind as well, first I'm going to check if I can add an ssh account. Thanks bruh.
-
2015-10-15 at 6:13 PM UTC
Update: I had some trouble retrieving the command output. Maybe because the injection was time based? Anyway, I tried to upload a file for file based half blind injection but I had no write permissions to /www/var. Hmm.
-
2015-10-15 at 8:35 PM UTC
> I would cat the virtual hosts in the /etc/apache or /etc/nginx for the documentroot and mess around with the actual website
> something subtle, like embedded meatspin on the login failed page or something
> you could always go the classic rm -rf / though
Set it up to log usernames and passwords. Maybe create a page that looks like a required account update page, that asks for more info.
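
The 2:24 AM reply in this thread points out that a system account switched from /bin/false to a real shell is only noticed by someone watching the SSH logs for activity on accounts that should not have access. A defender-side audit for both signals follows, as an added example that is not part of the thread; the passwd and auth.log lines, the UID cutoff of 999 and the root allow-list are constructed assumptions.

```python
import re

# Constructed sample data (not taken from the thread or the affected server).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
AUTH_LOG = """\
Oct 15 02:41:07 web01 sshd[2211]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
Oct 15 02:44:19 web01 sshd[2230]: Accepted password for www-data from 203.0.113.9 port 41810 ssh2
Oct 15 02:45:02 web01 sshd[2234]: Failed password for backup from 203.0.113.9 port 41822 ssh2
"""

NOLOGIN = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
SYS_UID_MAX = 999   # assumption: UIDs at or below this are service accounts
ALLOW = {"root"}    # assumption: accounts expected to keep a login shell
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def parse_passwd(text):
    """Map account name -> (uid, shell), skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit():
            accounts[f[0]] = (int(f[2]), f[6])
    return accounts

def system_accounts_with_shell(accounts):
    """Service accounts whose shell permits login (an empty field means /bin/sh)."""
    return sorted(n for n, (uid, sh) in accounts.items()
                  if uid <= SYS_UID_MAX and n not in ALLOW and sh not in NOLOGIN)

def ssh_logins_to_system_accounts(accounts, log):
    """Successful sshd logins as (user, source, method) for service accounts."""
    hits = []
    for line in log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.groups()
            uid = accounts.get(user, (None, None))[0]
            if uid is not None and uid <= SYS_UID_MAX and user not in ALLOW:
                hits.append((user, src, method))
    return hits
```

Comparing the first result against a known-good baseline of the host's passwd file catches the shell change even before any login appears in the log.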