Privilege Escalation And Misconfigurations Part2
Published in Technology
Transcript

  • 1. Privilege Escalation And Misconfigurations
  • 2. Nothing but a login
  • 3. Links to javascript files in the HTML
    • <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-init.js"></SCRIPT>
    • <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-writevb.js"></SCRIPT>
    • <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-main.js"></SCRIPT>
    • <SCRIPT LANGUAGE="JavaScript" type="text/javascript" src="includes/scripts/fpi-swap.js"></SCRIPT>
  • 4. Grab the source of the javascript files
  • 5. Analyze the source for anything interesting
  • 6. Found admin URLs
  • 7. Paste this into the browser and click send
    • https://www.site.com/Secure/Admin/AdminNewUser.aspx?user_id=spidynamics&pwd=pass
  • 8. A 302 to an inside page
    • HTTP/1.1 302 Object moved
    • Server: Microsoft-IIS/5.0
    • X-Powered-By: ASP.NET
    • Location: /Secure/ViewSystemMessage.aspx?id=47
  • 9. A 302 back to the login
    • HTTP/1.1 302 Object moved
    • Server: Microsoft-IIS/5.0
    • X-Powered-By: ASP.NET
    • Location: /Logon.aspx
  • 10. Back at the login
  • 11. Let’s see if our login exists
  • 12. Welcome user SPIDynamics
  • 13. Let’s try accessing the admin functions
    • https://www.site.com/Secure/Admin/AdminUserProgramRole.aspx?uid=spidynamics
  • 14. Returns an Error
  • 15. Use an integer instead of a string
    • https://www.site.com/Secure/Admin/AdminUserProgramRole.aspx?uid=2
  • 16. Welcome Admin
    • UID field cycles through each user
  • 17. Ability to view all users
    • UID 3 is now another user
  • 18. Here we are
    • By incrementing the UID field to 183 – we identified our user id.
  • 19. I feel like being an administrator today
    • Clicking ‘Edit’ allowed us to set our user role to administrator
  • 20. Feels good to be an admin
  • 21. Where is the main admin page?
  • 22. Start Guessing
    • Admin.asp
    • Default.asp
    • Administrator.asp
    • Admin.aspx etc…
  • 23. The existing admin links
    • /Secure/Admin/AdminEditUser.aspx
    • /Secure/Admin/AdminNewUser.aspx
    • /Secure/Admin/AdminUserProgramRole.aspx
    • /Secure/Admin/AdminChangePassword.aspx
  • 24. Success
  • 25. Maybe Not.
  • 26. Start Guessing
  • 27. The existing admin links
    • /Secure/Admin/AdminEditUser.aspx
    • /Secure/Admin/AdminNewUser.aspx
    • /Secure/Admin/AdminUserProgramRole.aspx
    • /Secure/Admin/AdminChangePassword.aspx
  • 28. Success – About Time
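
For the defending side, the UID walk in slides 15 to 18 leaves a recognisable trace in the web server log: one client requesting consecutive integer `uid` values on `/Secure/Admin/` pages. The following detection sketch is an added example, not code from the deck; the six-field log layout, the sample lines, the client addresses and the `min_run` threshold are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

ADMIN_PREFIX = "/secure/admin/"   # admin path from the slides; IIS paths are case-insensitive

# Constructed sample log (not from the deck), simplified IIS-style fields:
# time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
10:01:02 203.0.113.7 GET /Secure/Admin/AdminUserProgramRole.aspx uid=spidynamics 500
10:01:09 203.0.113.7 GET /Secure/Admin/AdminUserProgramRole.aspx uid=2 200
10:01:11 203.0.113.7 GET /Secure/Admin/AdminUserProgramRole.aspx uid=3 200
10:01:12 203.0.113.7 GET /Secure/Admin/AdminUserProgramRole.aspx uid=4 200
10:01:14 203.0.113.7 GET /Secure/Admin/AdminUserProgramRole.aspx uid=5 200
10:01:15 203.0.113.7 GET /Secure/Admin/AdminUserProgramRole.aspx uid=6 200
10:02:40 198.51.100.20 GET /Secure/Admin/AdminUserProgramRole.aspx uid=2 200
10:03:05 198.51.100.20 GET /Secure/Admin/AdminEditUser.aspx uid=41 200
10:04:00 192.0.2.15 GET /Secure/ViewSystemMessage.aspx id=47 200
"""

def longest_run(values):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for v in values:
        if v - 1 not in values:              # v is the start of a run
            n = 1
            while v + n in values:
                n += 1
            best = max(best, n)
    return best

def find_uid_enumeration(log_text, min_run=5):
    """Return {client_ip: sorted uids} for clients that requested at least
    min_run consecutive integer uid values on admin pages."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                         # skip malformed or header lines
        _, ip, _, stem, query, _ = fields
        if not stem.lower().startswith(ADMIN_PREFIX):
            continue
        for uid in parse_qs(query).get("uid", []):
            if uid.isascii() and uid.isdigit():   # string uids are not part of a walk
                seen[ip].add(int(uid))
    return {ip: sorted(u) for ip, u in seen.items() if longest_run(u) >= min_run}

if __name__ == "__main__":
    for ip, uids in find_uid_enumeration(SAMPLE_LOG).items():
        print(f"possible uid enumeration from {ip}: {uids[0]}..{uids[-1]} ({len(uids)} values)")
```

Detection of this kind only reports the walk after the fact; the behaviour in the slides stops when every `/Secure/Admin/` page checks the caller's session and role on the server before acting on `uid`.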