A friend of mine gave me a kind of security test - he wants me to hack his box through a vulnerable web page. I win if I am able to make a folder in a writable directory called "skiddie" and eventually gain root privileges and make a folder in another directory. I found that the site is vulnerable to a SQL injection:
hxxp://*****.com/poll.php?id=1 union select null,null,"test",null--
And the website returns the word "test". Instead of "test" I tried:
database() - joomla
user() - root@localhost
@@datadir - /var/lib/mysql/
@@version - 5.0.75-1
I was also able to extract the admin username and password, but I can’t crack the hash. The first thing that came to my mind was to use null,"php code" into outfile "/var/www/", but it doesn’t work. It seems I don’t have privileges to write in "/var/www", and I also do not know the directory where the website is - "/var/www/DIR?". Can you give me a hint how to proceed?
Edited by FestarBG, 16 April 2009 - 04:13 PM.
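From the defender's side, the probes quoted in this post (the `union select` test, the `database()` / `user()` / `@@version` / `@@datadir` lookups and the `into outfile` attempt) leave a recognizable trail in the web server's access log. The following is an added example, not part of the original post: a small log scanner whose rule names, log lines, IP addresses and paths are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic rules for the probes quoted in the post (rule names are hypothetical).
RULES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("into-outfile", re.compile(r"\binto\s+(out|dump)file\b")),
    ("db-fingerprint",
     re.compile(r"\b(database|user|version)\s*\(\s*\)|@@(datadir|version)\b")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IPs, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:00 +0000] "GET /poll.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:09 +0000] "GET /poll.php?id=1%20union%20select%20null,null,%22test%22,null-- HTTP/1.1" 200 498',
    '203.0.113.5 - - [10/Jan/2024:10:00:31 +0000] "GET /poll.php?id=1+UNION/**/SELECT+null,null,@@version,null-- HTTP/1.1" 200 501',
    '203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /poll.php?id=1+union+select+null,null,%22x%22,null+into+outfile+%22/tmp/placeholder%22-- HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Jan/2024:10:02:00 +0000] "GET /news.php?title=student+union+elections HTTP/1.1" 200 900',
]

def normalize(value):
    """Lowercase, turn /* */ comments into spaces, collapse whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower())
    return re.sub(r"\s+", " ", value)

def findings_for(value):
    """Return the names of all rules that match one decoded parameter value."""
    text = normalize(value)
    return [name for name, rx in RULES if rx.search(text)]

def scan(lines):
    """Yield (client_ip, path, parameter, findings) for suspicious requests."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        parts = urlsplit(target)
        # parse_qsl percent-decodes values and turns '+' into spaces.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            found = findings_for(value)
            if found:
                hits.append((ip, parts.path, param, found))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Pattern matching like this is a triage signal only; the underlying fix is a parameterized query in the page handling `id`, and an application database account that is not `root` and lacks the MySQL `FILE` privilege that `INTO OUTFILE` requires.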