I was discouraged by the response of the Alfabank technical support given in the post "We find SQL injection ...", and therefore I decided to see how things are going on other subdomains.
The first thing I did was find the admin panel on b***.alfabank.ru using the same Google and a plain "site:alfabank.ru inurl:/admin/".
And what did I see there?
A modest menu promised me PHPinfo(), site settings, and a lot more:
- Empty cache
- Function reference
- hook_elements()
- PHPinfo()
- Rebuild menus
- Reinstall modules
- Session viewer
- Theme registry
- Variable editor
Right away I had editable site settings in my hands:

Rummaging around a bit in what I found, I noticed a mention of another subdomain (I don't give the names of the subdomains here for the reason you'll read at the end of the post).
Again, by simply googling the name of this subdomain, we get results in which we immediately find a user's page under the last name m*****kaya.
There (oh, miracle!), a caring developer left us a var_dump of the object, thanks to which we see the password hash:
1d0258c2440a8d19e716292b231e3190.

Well, let's look it up in rainbow tables? And we find it: the password is "manager". Not too sophisticated, in my opinion, but at least not "love / secret / sex / god". We successfully log in:
nm*****kaya@alfabank.ru : manager.
Now we have the rights of a registered participant, a bank employee, and a site admin, which is important. In addition to having access to all users of this resource, the functionality available to us has expanded.
Of course, I was instantly intrigued by the interface for executing arbitrary PHP commands (by the way, can someone explain to me why they need it at all on this resource?), where I got almost unlimited possibilities for research (after all, this was done exclusively for scientific and educational purposes, you understand, right?):
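The lookup described above works only because the hash was an unsalted, fast MD5 digest of a common word, so one precomputed table serves every site that stores passwords that way. The added example below is not from the original post; it builds a constructed mini "rainbow table" of a few common passwords (the real ones hold billions of entries, the lookup cost is the same), reverses the hash quoted above by table lookup, and contrasts it with a salted, iterated PBKDF2 hash where two users with the same password get unrelated stored values and no precomputed table applies. The word list and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a rainbow table (assumption: these are
# the kinds of entries such tables contain; a real table is vastly larger).
COMMON_PASSWORDS = ["123456", "password", "love", "secret", "sex", "god",
                    "manager", "qwerty", "admin"]


def md5_hex(text):
    """Unsalted MD5 of a string, hex-encoded, the format seen in the var_dump."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_md5_table(words):
    """Precompute digest -> plaintext once; reuse it against any leaked hash."""
    return {md5_hex(w): w for w in words}


MD5_TABLE = build_md5_table(COMMON_PASSWORDS)


def lookup_md5(hex_digest):
    """Reverse an unsalted MD5 hash by table lookup; None if it is not in the table."""
    return MD5_TABLE.get(hex_digest.strip().lower())


def hash_password_pbkdf2(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash: what the site should have stored instead.
    Format: salt_hex$iterations$derived_key_hex (assumed layout for this example)."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt defeats precomputation
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, dk.hex())


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = "1d0258c2440a8d19e716292b231e3190"   # hash quoted in the post
    print("MD5 table lookup:", lookup_md5(leaked))
    a = hash_password_pbkdf2("manager")
    b = hash_password_pbkdf2("manager")
    print("same password, different PBKDF2 records:", a != b)
    print("verify correct / wrong:", verify_pbkdf2("manager", a), verify_pbkdf2("manager1", a))
```

The two PBKDF2 records for the same password differ because each carries its own salt, so a table built against one site is useless against another, and the iteration count makes each guess cost far more than a single MD5.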
echo shell_exec('uname -a');
echo shell_exec('grep -r "password" /usr/ > /var/tmp/tst.log');
echo shell_exec('find / -type d -perm 07700');
echo shell_exec('cat /etc/passwd');
echo shell_exec('ifconfig');
echo shell_exec('ps auxww');
echo shell_exec('cat /usr/local/etc/apache22/Includes/phpmyadmin.conf');
echo shell_exec('which wget');
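From the defender's side, everything in this post leaves a trace in the web server's access log: an /admin/ path indexed by a search engine and reached from outside, a phpinfo page served with status 200, and a request to the PHP-execution page. The added example below is not from the original post; it parses a few constructed Apache "combined" log lines and flags those patterns. The internal network ranges, the search-engine referer list and the /admin/execute-php path are assumptions (substitute the site's real values).

```python
import ipaddress
import re

# Constructed sample access log (Apache "combined" format); not real bank logs.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Oct/2011:09:00:01 +0400] "GET /admin/settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:09:01:14 +0400] "GET /admin/ HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2011:09:02:40 +0400] "POST /admin/execute-php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2011:09:03:05 +0400] "GET /user/12345 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.1.2.3 - - [10/Oct/2011:09:04:22 +0400] "GET /admin/phpinfo HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions for this example: where staff traffic comes from, which referers
# indicate the page was indexed, and where the PHP-execution page lives.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SEARCH_ENGINE_HOSTS = ("google.", "yandex.", "bing.")
ADMIN_PREFIX = "/admin/"
PHP_EXEC_PATH = "/admin/execute-php"   # hypothetical path


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip_str, nets=INTERNAL_NETS):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in n for n in nets)


def classify(entry):
    """Reasons why this request is worth an alert; empty list if none."""
    reasons = []
    path = entry["path"].split("?", 1)[0]
    is_admin = path.startswith(ADMIN_PREFIX)
    if is_admin and not is_internal(entry["ip"]):
        reasons.append("admin_from_external")          # panel reachable from the Internet
    if is_admin and any(h in entry["referer"] for h in SEARCH_ENGINE_HOSTS):
        reasons.append("admin_reached_via_search_engine")  # the "inurl:/admin/" finding
    if path == PHP_EXEC_PATH:
        reasons.append("php_exec_used")                # arbitrary code execution page hit
    if path.endswith("/phpinfo") and entry["status"] == "200":
        reasons.append("phpinfo_served")               # configuration disclosure
    return reasons


def detect_admin_exposure(log_text):
    """Scan log text; return (ip, method, path, reason) tuples, one per reason."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            findings.append((entry["ip"], entry["method"], entry["path"], reason))
    return findings


if __name__ == "__main__":
    for f in detect_admin_exposure(SAMPLE_LOG):
        print("%-12s %-5s %-22s %s" % f)
```

Run on the constructed lines this reports five findings: two external hits on /admin/ (one arriving from a Google result), the use of the PHP-execution page, and the served phpinfo page; the internal request to /admin/settings is not flagged. The same rules map directly onto the fixes: keep /admin/ off search indexes and behind a network or VPN restriction, and remove the PHP-execution interface entirely rather than merely protecting it.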
[The remainder of the post did not survive extraction; only punctuation and a few fragments remain. Recoverable pieces: a mention of the www directory and /files/ with mode 0777; a report sent to the site developer at [site-coder]@gmail.com quoting "login: [login]", "pass: manager" and the PHP shell_exec() access; a list of recommendations whose first item concerns the devel module; a PS; and the author's signature, 090h.]