FreeLancer - Hackthebox Write up - Web SQL injection

0x00 Problem:

0x01 Check the vulnerability

We open the website, there is a login form, it might be SQL injection, LDAP injection or XSS. 

 

Then we can check the source file to find if there is any vulnerability. Luckily we found a file named portfolio.php, and it has an id parameter. 


I tried to open this file with id=1 in the web browser. It returns a picture and some words.

Then I change id to other numbers, it also returns to different words. So it might have SQL injection vulnerability.

0x02 Find the database and table

Here is my payload to check the database:

sqlmap -u http://178.62.0.100:32104/portfolio.php?id=2 -dbs

Below is the result: 

The first red box shows it truly has SQL injection vulnerability and give us the test payload which we can exploit.

The second red box shows the database we found.

0x03 Dump the data 

Here is my payload, we choose freelance as our target database:


sqlmap -u http://178.62.0.100:32104/portfolio.php?id=2 --dump -D freelancer

The result shows a table name as safeadmin, the password looks like a blowfish hash., I tried to reverse the password, but no result found.

The second table shows there 3 queries in the table. 

0x04 Find target file

Base on the test payload SQLmap give us before. We can try to use 'Union' to execute the command. But we don't know what files in it has.

Then we can scan to find it.

dirb  http://178.62.0.100:32104 


We find a directory names 'administrat'

Then we open it on the website. We know we have a user 'safeadmin', but we don't know the password.


This method seems no further process for me.

Remember we have SQL injection payload before?


Then I tried some command to do execute. 'load_files' can work!

We know that apache has a default config file: 

/etc/apache2/sites-enabled/000-default.conf

Then we can make a payload to test it.

http://178.62.0.100:32104/portfolio.php?id=1 union all select 1,load_file("/etc/apache2/sites-enabled/000-default.conf"),3-- 

It works! Here is the result:


0x05 Find the flag:


We can still scan again to find any interesting file on the website.

gobuster dir -u http://178.62.0.100:32104/administrat/ -x php -w /usr/share/wordlists/dirb/common.txt 
 
Here is the result, we can find a panel.php file.
So we can load it to see if there are any interesting things.


http://178.62.0.100:32104/portfolio.php?id=1 union all select 1,load_file("/var/www/html/administrat/panel.php),3-- 

Then we get the flag!




























Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Cheat sheet for security+

Image
Malware virus: need people action to execute and spread. Hoax: trick the victim to infect, like game. worms: spread and execute without humman  trojans: can get remote control. RAT(remote access Trojan) ransomware: take control of your computer system, pay for unlock, most time will not unlock if you pay spyware: audit the callender, website history and other actions. rootkit: a type of backdoor, software design to administrative level control or root priviledge without detection. use DLL injection. malicious code inserted into a running process or kernel-mode device drvier. intercept calls and redirect to the malicous code. spam: CAN-Spam Act law to stop relaying send out email through other's mail server. Spim(instant message) like chat, text message.
Read more