Author Topic: How do i get into this one?  (Read 818 times)


Offline nmabhinandan

  • NULL
  • Posts: 2
  • Cookies: -2
  • Noob
How do i get into this one?
« on: November 30, 2013, 04:00:24 pm »
Okay guys, first things first... I'm a noob and I'm not a hacker. My college ERP software is made up of JSP and runs on an Apache Tomcat server. The admin login page form is not validated, so I successfully bypassed it using XPath injection (SQL injection for XML databases). Wait, there's more... the server's SSH port is open!!  ;D


If I can do the XPath injection, i.e.
Code:
user: admin' and 1=1 or ''='
pass: somestring



it means I can run this one too.. 
Code:
user: admin' and Runtime.getRuntime().exec("useradd hawkeye; passwd hawkeye password") or 1=1 or ''='
pass: somestring



My plan is to add a new user and connect to the server through SSH... and the problem is it is not working..  :-\


Thanks in advance
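
As an added illustration (not code from the thread or from the ERP software discussed), the following Java program shows why a login form built like the one above can be bypassed and how it should have been written. The XML user store, the element names and the placeholder passwords are constructed for the example. `loginVulnerable` splices the submitted username into the XPath string, so the tautology payload from the post is evaluated as query logic; `loginSafe` keeps the query text fixed and binds the input through the JDK's `XPathVariableResolver`, so the same input is compared as a plain string and matches no user.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathLoginCheck {

    // Constructed sample user store standing in for the ERP's XML "database".
    // Names and passwords are placeholders for this example only.
    private static final String USERS_XML =
          "<users>"
        + "  <user><name>admin</name><password>admin-placeholder</password></user>"
        + "  <user><name>alice</name><password>alice-placeholder</password></user>"
        + "</users>";

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the parser cannot be abused via external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // VULNERABLE: user input becomes part of the query text, so quotes and
    // operators in the input change the meaning of the predicate.
    static boolean loginVulnerable(Document doc, String user, String pass) throws Exception {
        String q = "/users/user[name='" + user + "' and password='" + pass + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList hits = (NodeList) xp.evaluate(q, doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    // HARDENED: the query is a constant; input is supplied as XPath variables,
    // which are compared as string values and never parsed as query syntax.
    static boolean loginSafe(Document doc, final String user, final String pass) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(new XPathVariableResolver() {
            @Override
            public Object resolveVariable(QName name) {
                switch (name.getLocalPart()) {
                    case "user": return user;
                    case "pass": return pass;
                    default:     return null;
                }
            }
        });
        XPathExpression expr = xp.compile("/users/user[name=$user and password=$pass]");
        NodeList hits = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return hits.getLength() > 0;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String tautology = "admin' and 1=1 or ''='";   // the username payload from the post

        // Concatenated query becomes: name='admin' and 1=1 or ''='' and password='somestring'
        // XPath's "and" binds tighter than "or", so the first disjunct alone matches admin.
        System.out.println("vulnerable, tautology : " + loginVulnerable(doc, tautology, "somestring")); // true
        System.out.println("hardened,   tautology : " + loginSafe(doc, tautology, "somestring"));       // false
        System.out.println("hardened,   real creds: " + loginSafe(doc, "admin", "admin-placeholder"));   // true
    }
}
```

The design point is the same as for SQL: the fix is not escaping quotes but keeping data out of the query text entirely. With variable binding the string `admin' and 1=1 or ''='` is simply a username that does not exist, and the only way to log in is to present a real name and password pair.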




Offline Pak_Track

  • Royal Highness
  • ****
  • Posts: 762
  • Cookies: 69
  • Paratrooper
Re: How do i get into this one?
« Reply #1 on: November 30, 2013, 05:22:36 pm »
the problem is it is not working..

That's going to my signature :P

'Life is but a series of conflicts between the easy way and the right way.'
The more you know, the more you'll realize you know nothing. -Snayler
The problem with being a smart motherfucker is that sometimes the stupid motherfuckers think you're a crazy motherfucker.
dont u hate it when you offer help and the other person says yes -Pakalu Papito

Z3R0

  • Guest
Re: How do i get into this one?
« Reply #2 on: November 30, 2013, 07:06:31 pm »
Tomcat, mysql, and ssh are three different services. They do not all share a magical master database. If you want to take over that box, you will have to attack each of those services individually.

For example, find a SQL injection vulnerability through Tomcat, and get a SQL shell. If the user running the SQL server is a database admin, then you will have to check that user's file privileges (select file_priv from mysql.user). If you can read files, then look up the /etc/passwd file (load_file('/etc/passwd')), and look for system users. From there, look through the users' home directories and hope some of them have ssh logins. If they do, their private key will be in /home/someuser/.ssh/id_rsa

Then, replace your private key with the private key of the user, and you can ssh into the box without having to know the user's password. Come on dude, 3rd graders know this stuff.

I give this attack scenario because you are far more likely to have read privileges than write privileges.

EDIT: and make an introduction before asking us for attack methodologies!
« Last Edit: November 30, 2013, 07:10:03 pm by m0rph »

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: How do i get into this one?
« Reply #3 on: December 01, 2013, 03:59:52 am »
Come on dude, 3rd graders know this stuff.
Lol dick
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python