How do you completely compromise a machine given a text box or badly validated input box? This is a place to talk about code issues (PHP includes, null byte injection, backticks, pipe, etc...) as well as how to properly construct an SQL injection attack. 
how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 17, 2009 02:12PM

Alright, here's the deal; I managed to find a hole that will let me upload files to the server, they will be renamed but keep their extension.

I can not upload: .php,.php3,.php4,.cgi,.pl,.exe,.bat,.reg

I tried .phtml but it came out as plaintext. .htaccess wouldn't work because it would be renamed to something.htaccess

Any ideas?

I can execute any SQL query, but the user is not root and does not have file privs.



Edited 1 time(s). Last edit at 12/17/2009 02:22PM by Kyo.

Re: how to get root access with restricted upload privileges
Posted by: oniric
Date: December 17, 2009 04:22PM

LFI somewhere?

Re: how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 18, 2009 01:43AM

Nope. I got admin access on a ubb.threads forum and I can set what attachments are allowed, I can find their locations, but the aforementioned filetypes are blocked.

Re: how to get root access with restricted upload privileges
Posted by: oniric
Date: December 18, 2009 04:07AM

Is there some section in the admin panel where you can upload something, like in the emoticons section? I did it this way once with IPB ^^

Re: how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 18, 2009 09:00AM

yes actually, but unfortunately the permissions aren't set up right on the server.

Re: how to get root access with restricted upload privileges
Posted by: oniric
Date: December 18, 2009 09:17AM

Meaning what? Are they wrong for you or for the server admin? XD

Re: how to get root access with restricted upload privileges
Posted by: id
Date: December 18, 2009 11:10AM

I'm assuming this is a *NIX box...

do you know what permissions and what user the files have after you upload them?

btw, from a system perspective on *nix the actual file extension doesn't matter, so if you can upload a file to a sensitive place or the root/privileged user has ./ in their path you can do a lot of bad things.

-id

Re: how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 18, 2009 11:11AM

Well, you can't modify templates, upload smileys or custom avatars which you would usually be able to as admin :P

edit: id;

yes, it's linux. I actually can get phpinfo via admin cp, it's php 5.2.8

The files can be uploaded to any directory I want on the server (assuming php has permission to write to the directory) but will have this format: id.extension

I also have the mysql password because the admin panel stupidly displayed it.

edit2: alright, I found a way



Edited 2 time(s). Last edit at 12/18/2009 11:31AM by Kyo.

Re: how to get root access with restricted upload privileges
Posted by: oniric
Date: December 18, 2009 04:24PM

Tell us pls, just for the record :)

Re: how to get root access with restricted upload privileges
Posted by: thrill
Date: December 18, 2009 07:21PM

Quote

The files can be uploaded on any directory i want on the server

This is where learning a little about your attack surface comes in handy.

As id pointed out, unix/linux type systems really don't care about the extension. A file called bah.sh is the same thing as a file called bah.

Even perl doesn't care as long as the header is:

#!/bin/perl

and then you could try to call that file without any extension. The better chance you have is to see if the httpd.conf file uses either the Include or extra directory arbitrarily to call conf files, at which point you could create your .conf file to allow different types of extensions to be executed via php/perl/etc..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 19, 2009 01:33AM

Yeah, I realize this, but most of the time, php can't write to these directories. My attack had this problem as well. However, I found out that you could modify boxes for some kind of portal with php code and got in. Most of the directories are write protected, but it still allowed me to have a good look around. I never intended on doing damage anyway.

Re: how to get root access with restricted upload privileges
Posted by: Reiners
Date: December 21, 2009 04:37AM

you could have tried to upload your phpshell named shell.php.xyz if they run apache.

Re: how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 21, 2009 07:57AM

mhm? Why would that work? (I do have a version of my shell up now :P)

Re: how to get root access with restricted upload privileges
Posted by: Reiners
Date: December 21, 2009 08:00PM

Apache checks the file extension for known extensions backwards. If it finds a known extension, it will interpret the file as a file with that extension. So first .xyz will be unknown and apache checks for other extensions. It finds .php, knows it and interprets PHP code. This behavior was disclosed on a mailing list some time ago, can't remember where.

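The multi-extension behaviour described in the post above, seen from the upload handler's side, as an added example that is not part of the original thread: a check that inspects every dot-separated segment of an upload name instead of only the last one, then stores the file under a server-generated name. The blocked list is taken from the first post plus .phtml; the allow-list and all function names are assumptions made for this example.

```python
import os
import secrets

# Extensions the web server may map to a handler. Constructed from the list
# in the thread's first post plus .phtml; a real deployment derives this
# from its own AddType/AddHandler configuration.
HANDLER_EXTS = {"php", "php3", "php4", "phtml", "cgi", "pl", "exe", "bat", "reg"}
# Assumed allow-list of attachment types for this example.
ALLOWED_EXTS = {"png", "jpg", "gif", "txt", "pdf"}


def last_ext_blocklist(name):
    """Weak check: a blocklist applied to the final extension only."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in HANDLER_EXTS


def check_upload(name):
    """Return (ok, reason). Every segment after the first dot is inspected,
    because mod_mime can act on any of them, not only the last."""
    base = os.path.basename(name.replace("\\", "/"))
    if "\x00" in base or base.startswith(".") or "." not in base:
        return False, "malformed name"
    segments = [s.lower() for s in base.split(".")[1:]]
    if any(s in HANDLER_EXTS for s in segments):
        return False, "handler-mapped extension in name"
    if segments[-1] not in ALLOWED_EXTS:
        return False, "final extension not allowed"
    return True, "ok"


def stored_name(name):
    """Server-side name: random stem plus the single validated extension,
    so no client-supplied segment reaches the filesystem."""
    ok, reason = check_upload(name)
    if not ok:
        raise ValueError(reason)
    ext = name.rsplit(".", 1)[-1].lower()
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for sample in ["photo.png", "shell.php.xyz", "notes.PHP.txt", ".htaccess"]:
        print(sample, last_ext_blocklist(sample), check_upload(sample))
```

The name check complements, and does not replace, server configuration that keeps script handlers out of the upload directory.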
Re: how to get root access with restricted upload privileges
Posted by: ChElAnO
Date: December 22, 2009 10:27AM

http://isc.sans.org/diary.html?storyid=6139

I thought this might be interesting.

Re: how to get root access with restricted upload privileges
Posted by: thrill
Date: December 22, 2009 11:57AM

Quote

This is not an Apache bug, or a misconfiguration per se. It is more an error of the operator not to read the manual.

WRONG!

From http://httpd.apache.org/docs/1.3/mod/mod_mime.html#addtype

Quote

The AddType directive maps the given filename extensions

If it's not an apache bug and the .php is not meant to be treated as an extension, why do THEY call it an extension..

Also...

Quote

do not use the user provided filename, come up with your own random / artificial filename.

Yes, because when Mr. Ereeto Haxor sees hxxp://mysecuredomain.com/index.heehee he will NEVER guess that .heehee is what he should rename his PHP script.. and of course, that will also stop badscript.heehee.1 from running.. yes.. that's a solution..

It would be really nice if people who are clueless about security stopped trying to comment on it and feeding others with a false sense of it.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: how to get root access with restricted upload privileges
Posted by: Kyo
Date: December 22, 2009 03:29PM

Huh, that's really interesting. I haven't heard about that before at all. I think I'm gonna play with that a little.

Re: how to get root access with restricted upload privileges
Posted by: rvdh
Date: December 26, 2009 03:30PM

It might be mapped in a htaccess of httpd.conf, but considering it's an upload, it's probably rewritten in the receiving source. But if you can upload something, there are plenty of ways. You can check if the extension is mapped: if they've got index.html, try to access index.php | index.asp, it usually maps to that place. But if you can upload something, it probably is vulnerable to a point. Uploads are extremely hard to deal with from a security viewpoint, and almost impossible to secure in a proper manner. Even the source can be obfuscated and still be executed in certain circumstances.

Re: how to get root access with restricted upload privileges
Posted by: rvdh
Date: December 26, 2009 07:24PM

Here's a good example on IIS, semicolon injection on file uploads:
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
