A month or so ago my website was hacked. My host doesn't keep very good logs, so I don't know what specifically was accessed. The hacker claimed in our IRC that he used some kind of RCE (remote code execution) but refused to elaborate. Whatever he did, he uploaded an obfuscated php script to the site and assumed control of the database where he then made himself an admin user on the site.
The framework I use is called kusaba, version 0.9.3. The previous versions have had several reported exploits, which were patched in this release.
Well, one site, written in Spanish, talked of an exploit (below), but I can't make it work unless I am doing it w
https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fvammm.wordpress.com%2F2012%2F09%2F07%2Fkusaba-x-0-9-3-0day-xss%2F&edit-text=&act=url
I posted the given code into an html doc, inside script tags, and accessed the page online. Nothing. Tried accessing the direct link, below, which also does nothing.
http://postherwin.com/threadwatch.php?o=addthread&board=\%27%29%3B%22%3E%3C%2Fa%3E%3Cscript%3Ealert%28document.cookie%29%3B%2F*a*%2F%3C%2Fscript%3E%3C!--
Given the parameters above, how was he able to upload the shell? How can I prevent it?
document.cookie for users using that URL (with the session ID), which was then used to impersonate that user (session fixation) and apparently gain access to your system (including filesystem). – Jared Farrish
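The URL in the question is a reflected XSS probe: the board parameter is echoed into the page unencoded, and the payload closes the surrounding attribute and injects a script that reads document.cookie, which is what the comment above refers to. The following PHP is an added illustration and is not kusaba's code; the function names, the board-name pattern and the way the parameter is rendered are assumptions made for the example. It shows the vulnerable output pattern beside the hardened one, plus the session-cookie settings that stop a script from exporting the session ID even if an encoding bug remains.

```php
<?php
// Added example, not taken from kusaba. Function names and the board-name
// format are assumptions for illustration.

// Vulnerable pattern: the board name goes straight into an HTML attribute,
// so a value like the one in the question's URL closes the attribute and
// injects a <script> element into the response.
function render_board_link_vulnerable(string $board): string {
    return "<a href=\"threadwatch.php?board=$board\">$board</a>";
}

// Hardened pattern: validate against an allow-list first, then encode on
// output. Board names are assumed to be short lowercase alphanumerics.
function render_board_link_safe(string $board): string {
    if (!preg_match('/^[a-z0-9]{1,16}$/', $board)) {
        return ''; // reject; never echo the raw value back to the browser
    }
    $enc = htmlspecialchars($board, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"threadwatch.php?board=$enc\">$enc</a>";
}

// Second layer: keep the session cookie out of document.cookie (HttpOnly),
// send it only over HTTPS, and refuse session IDs the server did not issue
// (strict mode addresses fixation). Call this before any output.
function configure_session_cookie(): void {
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');    // assumes the site is served over HTTPS
    ini_set('session.use_strict_mode', '1');
    session_start();
    // After a successful login, also call session_regenerate_id(true) so an
    // ID captured before authentication cannot be reused as the admin.
}

// Demonstration with the URL-decoded value from the question (constructed
// here as a PHP string, not read from a request).
$probe = "\\');\"></a><script>alert(document.cookie);/*a*/</script><!--";
echo render_board_link_vulnerable($probe), "\n"; // attribute broken, script tag emitted
echo render_board_link_safe($probe), "\n";       // empty: value rejected by the allow-list
echo render_board_link_safe('b'), "\n";          // <a href="threadwatch.php?board=b">b</a>
```

Encoding on output is the fix for the reflected XSS itself; the cookie flags limit what a successful injection can steal, and regenerating the session ID on login removes the value of a captured pre-login ID. Neither addresses how an obfuscated PHP file was written to the web root, so the upload paths on the site (file attachments, admin uploads) still need to be reviewed separately.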