Comments on balidani: CSAW'14 - 'Fluffy No More' writeup
Feed author: balidani (http://www.blogger.com/profile/05810943104283312084)
Feed last updated: 2022-10-26T05:07:58-07:00
4 comments, newest first.

balidani (https://www.blogger.com/profile/05810943104283312084), 2014-09-25T08:19:39-07:00:

That's interesting. I did not see the file; after I got the flag I stopped looking around. I also saw a lot of suspicious log entries. The ones you pasted look like somebody is probing for SQLi. I saw a lot of probing as well, trying to find LFI for example. I did not find the actual exploit, and the logs were huge, so I moved to another file at that point.

Anonymous, 2014-09-24T21:49:00-07:00:

Cool. Thanks. Did you notice the file \var\www\html\wp-content\uploads\wysija\themes\weblizer\template.php ?
Do you know what that's about? It appears to me like they got rooted and they were able to install weevely.

What do you think? How do you think they got rooted?

There are a lot of entries in the apache log file suggesting an attack:

192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=1+or+sleep%287%29%23 HTTP/1.1" 301 422 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22+or+sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27+or+sleep%287%29%23 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%22+or+sleep%287%29%3D%22 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"
192.168.127.137 - - [16/Sep/2014:14:41:08 +0000] "GET /?page_id=%27+or+sleep%287%29%3D%27 HTTP/1.1" 200 2852 "-" "Python-httplib2/0.7.4 (gzip)"

balidani (https://www.blogger.com/profile/05810943104283312084), 2014-09-24T17:56:32-07:00:

qpdf -qdf announcement.pdf result.pdf

Anonymous, 2014-09-24T17:23:04-07:00:

I've tried to use qpdf but I've been unable to make it work. Can you share the exact commands you used with it?