Re: PHP Exploitation

From: Danux (danuxx@gmail.com)
Date: Tue Nov 27 2007 - 13:35:26 EST


Hi all, as I told you, I am not able to run system, exec, passthru,
etc., I mean, anything related to cmd.exe execution, because of the IIS
IUSR_MACHINE user's privileges.

I have finished the assessment and I would like to share what I did in
the end:

As I told you, I was able to upload files directly to the Windows
filesystem due to another vulnerability, but I can't execute any
command related to cmd.exe: dir, ipconfig, type, net, etc., etc. But I
can execute PHP files, so I uploaded a list.php script in order to
walk through the filesystem. Then I was able to download the whole
PHP site application, and after looking inside the source code I found
some MSSQL users and passwords with low privileges, and in other
filesystem directories I found log files, conf files, backups, etc., I
mean very interesting information to deal with.

Maybe I could start trying to elevate privileges on MSSQL in order
to execute xp_cmdshell or something like that, but I think I have what
really matters to attackers... and what should matter to companies...
"INFORMATION".

Thanks all for your help.

On Nov 27, 2007 7:07 AM, Robin Wood <dninja@gmail.com> wrote:
> On 23/11/2007, Danux <danuxx@gmail.com> wrote:
> > Hi experts, I need your ideas.
> >
> > By now, I am able to upload PHP files to a Windows 2003 Server, so I
> > can execute PHP code like phpinfo, but I can't execute the passthru command
> > because of lack of IUSR_MACHINE privileges.
> > I have run some local PHP BOFs without success.
>
> Have you tried other ways to execute commands such as system or exec?
> If you can get one of those working you can redirect output to a file
> in the document root then view it by browsing to it.
>
> Robin
>

-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT