Hacking CMS/Django


Post by Lynxu on Wed Oct 31, 2012 1:39 pm

Hello,

I am currently working on a project connected to penetration testing at university. The first 'test' page before real testing is a Django site (the latest release of Django is used). I think that they left the debug option on on purpose to give me some information. How should I start trying to break in? I mean, this is a CMS after all, so it looks like I would have to find a new vulnerability in such a complex system that many people wiser than me have secured? Where should I look for security holes? I think there are no public 0days for Django 1.4.1 on the Internet, so where and what should I look for?

Thanks,
L.


Re: Hacking CMS/Django

Post by hellow533 on Wed Oct 31, 2012 2:59 pm

Can you be more specific?


Re: Hacking CMS/Django

Post by Acidiferous on Wed Oct 31, 2012 4:40 pm

Hi,

Have you ever seen the backend of the CMS? I think that when you find a system you don't know much about, it is always a good start to try and configure it yourself.

Saying that it's secured by people wiser than you is not a good start. Remember that they have to think about every security flaw and you just have to find the one they missed.
I can see that the latest version is 1.4.2, so maybe you should read the bug fixes for that version.
A quick look around the site gave me an interesting header, maybe you can use it and follow up on it.

https://www.djangoproject.com/weblog/2012/oct/17/security/

As people normally say on this forum, post a link to the site and a message in the source or something. Then we can try it out and help you with a more specific solution. Maybe.


Re: Hacking CMS/Django

Post by Lynxu on Thu Nov 01, 2012 2:37 am

Hi,

"Saying that it's secured by people wiser than you is not a good start. Remember that they have to think about every security flaw and you just have to find the one they missed."

Yeah, yeah, I heard that already; however, I meant that generally those security flaws are pretty advanced and pretty valuable on the Internet once they are found.

But on topic: the site is http://149.156.114.13/ and the clue I found is a dead link that goes to http://149.156.114.13/crowdsourcing/tyg ... cz/report/. Plenty of information there, I think. I also found the admin panel (standard http://149.156.114.13/admin/) and the version of the server program (http://149.156.114.13/index.html). I am thinking about using nmap to get some more info at the moment. I may also try to crack into the server itself (remote exploit?), because it's all on my Department's machines and I have their blessing for every test that's necessary. So which information should I consider most useful?

Edit: Ow, sorry, I forgot about the message in the source code. I will write to the person responsible for giving me that task and I hope that the proper line will appear in the site's source around next week (today and tomorrow are holidays in PL). But the other thing is that I don't want you to break in for me - I want to do it by myself (at least I have to learn it if I really want to do some serious pentesting in the future). I would be grateful for a piece of advice about starting.

Edit: OK, the entry in the site's source (informing about approval of pentesting for Marcin Jekot - that's me) should appear tomorrow or the day after. Will anybody help with getting into it? I was also informed that debugging was turned off - fortunately, I downloaded the site with the output before that, so the information from it is still available.

-- Wed Nov 07, 2012 5:35 pm --

Okay, I want to announce that the comment in the source has appeared - line 9 on the main page. Debugging was also turned off, but I downloaded the site with the results before that - if anybody wants to help, I can provide some details on the configuration. Will anyone help me a bit to get started?
I have also read about some flaws in Django in these slides: http://www.levigross.com/post/877653676 ... -and-rails but I'm not sure how to exploit them...