Shells and xss


ghost's Avatar
0 0

I set up a website with Invision Power Board 1.3 Final, which is known to have a variety of vulnerabilities, from SQL injections to path disclosure. I remember doing a challenge here where I changed a PHP action in a URL.. ?=.. and I changed it to another site with a PHP shell (r57) uploaded to it. How could I do this to the one I set up on the website? I can't seem to remember or find anything using 1.3 Final using a shell.


spyware's Avatar
Banned
0 0

grep for /include($_GET/.
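An added example, not part of any post in the thread: the source audit suggested above, run against your own install's PHP files, extended past the literal `include($_GET` pattern to cover `require`/`_once` variants and one level of variable indirection. It is a heuristic line scanner rather than a PHP parser, and the function name and the sample PHP are constructed for illustration.

```python
import re

SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")   # client-controlled input
VAR = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*([^;]*);")
INCLUDE = re.compile(
    r"(?<![$\w>])(?:include|require)(?:_once)?\b\s*\(?([^;]*);", re.I)


def find_tainted_includes(php_source):
    """Return (line_no, statement) for include/require fed by request data.

    A variable assigned from a superglobal (or from another tainted
    variable) is treated as tainted until it is reassigned a clean value.
    """
    tainted, findings = set(), []

    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(
            v in tainted for v in VAR.findall(expr))

    for line_no, line in enumerate(php_source.splitlines(), start=1):
        stmt = line.strip()
        if stmt.startswith(("//", "#", "*", "/*")):   # skip comment lines
            continue
        for var, expr in ASSIGN.findall(stmt):        # update taint first
            if is_tainted(expr):
                tainted.add(var)
            else:
                tainted.discard(var)
        for match in INCLUDE.finditer(stmt):          # then check includes
            if is_tainted(match.group(1)):
                findings.append((line_no, stmt))
                break
    return findings


# Constructed sample input (not Invision Power Board code).
SAMPLE_PHP = """<?php
// constructed sample for the scanner
require "./conf_global.php";
$act = $_GET['act'];
include($act . ".php");
$page = 'home';
include("./skin/" . $page . ".php");
include_once $_REQUEST['lang'] . "/lang.php";
$act = 'idx';
require_once($act . ".php");
"""

if __name__ == "__main__":
    for line_no, stmt in find_tainted_includes(SAMPLE_PHP):
        print(f"line {line_no}: {stmt}")
```

Each hit is a candidate for manual review; the usual fix is to map the request value to a fixed allowlist of file names instead of concatenating it into the path, and to keep `allow_url_include` off in php.ini.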


ghost's Avatar
0 0

chronicburst wrote: I set up a website with Invision Power Board 1.3 Final, which is known to have a variety of vulnerabilities, from SQL injections to path disclosure. I remember doing a challenge here where I changed a PHP action in a URL.. ?=.. and I changed it to another site with a PHP shell (r57) uploaded to it. How could I do this to the one I set up on the website? I can't seem to remember or find anything using 1.3 Final using a shell.

What you're referring to is Remote File Inclusion. Google it. You can find articles with examples etc.


ghost's Avatar
0 0

Yea, RFI. I was wondering if I could do RFI through some sort of JavaScript injection, redirect or something. I can't seem to find anything on rooting with XSS. That's my intention.


ghost's Avatar
0 0

RFI can NOT be done through JavaScript injection. And the farthest "rooting" through XSS that I'm aware you can do is ganking admin cookies, sessions, etc.


ghost's Avatar
0 0

Yea, I used a Perl script to exploit IPB 1.3, but when I entered the values incorrectly it returned that the cookie=00000000000000000000000000, whereas when I typed it correctly it returned "Not Vulnerable." I also have the photo upload blocked so there can't be a file uploaded, like a shell, from what I was reading earlier today. Not something I have to do though, just experimenting. Not that I want to fail this task. Well, off to do some more learning.


ghost's Avatar
0 0

chronicburst wrote: Yea, I used a Perl script to exploit IPB 1.3, but when I entered the values incorrectly it returned that the cookie=00000000000000000000000000, whereas when I typed it correctly it returned "Not Vulnerable." I also have the photo upload blocked so there can't be a file uploaded, like a shell, from what I was reading earlier today. Not something I have to do though, just experimenting. Not that I want to fail this task. Well, off to do some more learning.

You blocked image files completely? I'd say blocking image files and script files directly out of an upload / sharing site just ruins the whole point of the site (I guess unless you wanted to share an article, but other than that…). Best bet is to allow code submissions too and stuff like that, but make sure everything uploaded isn't set to execute on the server but perhaps is converted to txt or somehow filtered from running on the server. I know other sites that do it but I'm not quite sure of the code you would use for it, my PHP+MySQL skills are lame :p