From administrator to SuperUser Joomla <= 3.6.4

Problem: during a penetration test I faced a buggy Joomla installation. The Joomla version was 3.6.4 and was vulnerable to CVE-2016-8869. I created an administration account using the Metasploit module, but wait!?

I couldn’t upload a WebShell. I used the .pht method with no luck. I had no access to template source files.


SensePost reGeorg Script Basic Authentication

A few weeks ago, when I was performing a penetration test on one of our clients' networks, I wanted to use the reGeorg script (from SensePost) to set up a SOCKS proxy on the target web server, but I encountered a problem. The writable folder where I uploaded the tunnel.aspx file was behind basic authentication!