http [Initial Access]
Looking at ports
At port 80

Login page. Tried authentication bypass but it didn't work. I also tried blind SQLi but that didn't work.
At port 8080

Default installation page of Tomcat.
At port 3305

Looking at hidden directories
At port 80 and 8080
I found that there is ZoneMinder installed.


On visiting this page, I can see the console of ZoneMinder with the version number.

Doing a Google search revealed that it is vulnerable to XSS and SQLi.
First I tried XSS.

As suggested in the exploit, I then tried SQLi, and this also worked and gave me data in JSON.

We can beautify this data.
When I look at this data, I find that my XSS is stored in the logs. This means this is stored XSS.

Tried XSS to RCE
Didn't work.
Trying SQLi
Then I tried SQLi.
It gave me log file data. That means it worked.
Looking for other hidden directories
Then I searched for more hidden directories.
Looking at this, I came to know about the CakePHP API which is installed there.


At the end, I found SQL queries also.
I will try SQLi on these queries.
Query one:
SQLi payload from the ZM exploit.
Combining the exploit.
Tried: No CSRF Protection
Trying SQLi to RCE:
Command mentioned in an exploit for ZoneMinder:
SQLi Command:
The above is a working command and has been tested.
Make an RCE payload using the SQLi command:
I will modify this command.
Didn't work.

From the error it is clear that the file is not found in the root directory. The reason for this can be that the file is not created by our SQLi command.
Encode this and try:

Looks like the SQLi has worked!!
But again I am unable to get the file.

Working
Doing an online search, I came to know how to make the payload. I will replace only the select part with my payload, keeping other things the same.
Original payload:
I will capture the request in Burp Suite and run the payload:
It hangs for 20 sec. This means it is working.

Let me replace the select statement of the SQL with my backdoor.
Final command:

Testing it on port 3305.

Let's try to get the shell directly.


It worked.
Stabilize the shell.
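From the defender's side, the three things this write-up exercised (an XSS payload that ends up stored in the log table, a time-based SQLi probe that hangs the request for 20 seconds, and a SQL file write used to drop a backdoor) all leave traces in the web server's access log, usually URL-encoded. The script below is an added example and not part of the original write-up: it parses constructed Apache-style log lines, URL-decodes the request target repeatedly so single- and double-encoded payloads are both visible, and tags each request with the indicator classes it matches. The log lines, IPs and parameter names (`view`, `id`, `limit`) are constructed for the example and are not ZoneMinder's real injection points.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns, one per technique seen in the write-up.  These are
# constructed for this example; tune them to your own application's traffic.
INDICATORS = {
    "sqli_time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "sqli_file_write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "sqli_union":      re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    "xss_markup":      re.compile(r"<\s*(?:script|img|svg)\b|\bon\w+\s*=", re.I),
}

# Apache/nginx common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so doubly-encoded payloads are exposed.

    Stops early once decoding no longer changes the string.
    """
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target: str) -> list[str]:
    """Return the indicator names whose pattern matches the decoded target."""
    decoded = decode_target(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log_lines(lines):
    """Parse log lines and return one finding per request that matched an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than crash
        hits = classify_request(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "hits": hits,
            })
    return findings


# Constructed sample log: one benign console request followed by the three
# request shapes the write-up describes (stored XSS, time-based SQLi, file write).
SAMPLE_LOG = """
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "GET /zm/index.php?view=log&filter=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "GET /zm/index.php?view=log&id=1%20AND%20SLEEP(20) HTTP/1.1" 200 91
10.0.0.9 - - [12/Mar/2024:10:04:05 +0000] "GET /zm/index.php?view=log&limit=1%20UNION%20SELECT%20%27x%27%20INTO%20OUTFILE%20%27/tmp/out.txt%27 HTTP/1.1" 500 220
""".strip().splitlines()


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {','.join(f['hits'])} {f['target']}")
```

The repeated decoding is the part worth copying: the write-up only got its SQLi to work after encoding the payload, and a single-pass decoder (or a rule that matches on the raw line) misses exactly that case. In practice you would also correlate the time-based hits with response-time fields, since a 20-second hang is a stronger signal than the keyword alone.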