Hacking and Security / How do I get into this one?
« on: November 30, 2013, 04:00:24 pm »
Okay guys, first things first... I'm a noob and I'm not a hacker. My college ERP software is made up of JSP and runs on an Apache Tomcat server. The admin login page form is not validated, so I successfully bypassed it using XPath injection (SQL injection for XML databases). Wait, there's more... the server's SSH port is open!!
If I can do the XPath injection, i.e.
Code:
user: admin' and 1=1 or ''='
pass: somestring
it means I can run this one too..
Code:
user: admin' and Runtime.getRuntime().exec("useradd hawkeye; passwd hawkeye password") or 1=1 or ''='
pass: somestring
My plan is to add a new user and connect to the server through SSH... and the problem is it is not working.
Thanks in advance
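
For whoever maintains a login form like the one described in the post above, an added example (not part of the original post and not the ERP's code): the same XPath lookup built by string concatenation and with variables bound through `XPathVariableResolver`. The class name, the XML layout and its element names are assumptions, and the user record is constructed sample data.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.xpath.*;
import org.xml.sax.InputSource;

public class XPathLoginDemo {
    // Constructed sample user store; element names are assumptions.
    static final String USERS =
        "<users><user><name>admin</name><pass>s3cret</pass></user></users>";

    static InputSource src() {
        return new InputSource(new StringReader(USERS));
    }

    // Vulnerable form: input becomes part of the expression text, so a quote
    // in the user field closes the literal and the rest is parsed as XPath.
    static boolean loginConcat(String user, String pass) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        String q = "/users/user[name='" + user + "' and pass='" + pass + "']";
        // A non-empty node-set converts to true.
        return (Boolean) xp.evaluate(q, src(), XPathConstants.BOOLEAN);
    }

    // Hardened form: the expression is a constant; input is bound as $u and $p
    // and is only ever compared as a string value, never parsed as XPath.
    static boolean loginBound(String user, String pass) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        Map<String, String> vars = Map.of("u", user, "p", pass);
        xp.setXPathVariableResolver((QName n) -> vars.get(n.getLocalPart()));
        String q = "/users/user[name=$u and pass=$p]";
        return (Boolean) xp.evaluate(q, src(), XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        String user = "admin' and 1=1 or ''='"; // string quoted in the post
        String pass = "somestring";
        System.out.println("concatenated, injected input: " + loginConcat(user, pass));
        System.out.println("bound,        injected input: " + loginBound(user, pass));
        System.out.println("bound,        valid login:    " + loginBound("admin", "s3cret"));
    }
}
```

With concatenation the predicate parses as `(name='admin' and 1=1) or (''='' and pass='somestring')`, so the password comparison no longer gates the match; with bound variables the whole input is compared against `name` as one string.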