This time we will start here:
When your VM is ready, log in as an admin (in the case of Bitnami VMs it will probably be 'user'). There you will be able to create new users. I started with a user 'tester' with 'no permissions':
Let's see if there are any bugs when the first 'normal' user ('tester') is logged in:
As you can see (in default Bitnami's installation) for 'registered user with no perms' there is only one available link to use - 'Email templates'. Let's try it:
Quick results:
Next I created a new user: tester2. This time I added a few permissions, see below:
Ok, our user 'can do' something now. ;) Let's try to personalize our profile a little bit:
For this injection I used code similar to this:
' > " > < h 1 > < marquee >XSS or not?< h1 > < / marquee >
(just remove ' ' ;))
Checking:
I believe it's personalised now. ;]
Next (checking response in Burp):
I was wondering if I can achieve similar results - simply checking the source for the same pattern ;)
Checking:
As you can see (grep above), we should be able to get those bugs when the admin user is logged in, so it's time to switch. Checking:
Response:
Cool. Next one:
So for now the vulnerable parameters are: joinfiles, topic, code.
In case you're looking for a nice Referer - this one should be good:
Response in Burp:
Response in the browser:
Yep. :)
But when we're talking about admin access we should mention one nice thing - modules. :)
I believe you're already pretty familiar with what will happen next ;) - so here we go:
As you can see, the 'admin user' is able to upload/add a new module. To do that (with Bitnami) you'll need to add write perms to the location mentioned in the screen below:
When it's done - we can continue. Next:
Next:
Last thing to find is the location of our webshell:
Ok, that should be easy:
I think that's all. ;)
See you next time!
Cheers