Hacking CMS/Django


Post by Lynxu on Wed Oct 31, 2012 1:39 pm

Hello,

I currently work on a project connected to penetration testing at university. The first 'test' page before real testing is some Django site (the last release of Django is implemented). I think that they left the debug option on on purpose to give me some information. How should I start trying to break in? I mean, this is a CMS after all, so it looks like I should find a new vulnerability in such a complex system that many wiser than me have secured? Where to look for security holes? I think there are no public 0days for Django 1.4.1 on the Internet, so where and what should I look for?

Thanks,
L.


Re: Hacking CMS/Django

Post by hellow533 on Wed Oct 31, 2012 2:59 pm

Can you be more specific?
“Teach me how to hack!”
"What, like, with an axe?"


Re: Hacking CMS/Django

Post by Acidiferous on Wed Oct 31, 2012 4:40 pm

Hi,

Have you ever seen the backend of the CMS? I think that when you find a system you don't know much about, it is always a good start to try and configure it yourself.

Saying that it's secured by people wiser than you is not a good start. Remember that they have to think about every security flaw and you just have to find the one they missed.
I can see that the latest version is 1.4.2, so maybe you should read the bug fixes for that version.
A quick look around the site gave me an interesting header; maybe you can use it and follow up on it.

https://www.djangoproject.com/weblog/2012/oct/17/security/

As people normally say on this forum, post a link to the site and a message in the source or something. Then we can try it out, and help you with a more specific solution. Maybe.


Re: Hacking CMS/Django

Post by Lynxu on Thu Nov 01, 2012 2:37 am

Hi,

> Saying that it's secured by people wiser than you is not a good start. Remember that they have to think about every security flaw and you just have to find the one they missed.

Yeah, yeah, I heard that already, however I meant that generally those security flaws are pretty advanced and pretty valuable on the Internet once they are found.

But on topic: the site is http://149.156.114.13/ and the clue I found is a dead link that goes to http://149.156.114.13/crowdsourcing/tyg ... cz/report/. Plenty of information there, I think. I also found the admin panel (standard http://149.156.114.13/admin/) and the version of the server program (http://149.156.114.13/index.html). I am thinking about using nmap to get some more info at the moment. I may also try to crack into the server itself (remote exploit?), because it's all on my Department's machines and I have their blessing on every test that's necessary. So which information should I consider most useful?

Edit: Ow, sorry, I forgot about the message in the source code. I will write to the person responsible for giving me that task and I hope that the proper line will appear in the site's source about next week (today and tomorrow are holidays in PL). But the other thing is that I don't want you to break in for me - I want to do it by myself (at least I have to learn it if I really want to do some serious pentesting in the future), I would be grateful for a piece of advice about starting.

Edit: Ok, the entry in the site's source (informing about approval for pentesting for Marcin Jekot - that's me) should appear tomorrow or the day after. Will anybody help with getting into it? I was also informed that debugging was turned off - fortunately, I downloaded the site with the output before that, so the information from it is still available.

-- Wed Nov 07, 2012 5:35 pm --

Okay, I want to announce that the comment in the source appeared - line 9 on the main page. Debugging was also turned off, but I downloaded the site with the results before - if anybody wants to help I may provide some details on the configuration. Will anyone help me a bit to start?
I have also read about some flaws in Django from those slides: http://www.levigross.com/post/877653676 ... -and-rails but I am not sure how to exploit them...