Magic
SQL injection, PHP reverse shell upload, mysqldump and PATH injection
Enumeration
As always, let's start with an nmap:
Only ports 22 and 80. Add magic.htb to your /etc/hosts and let's check out the website.
HTTP
There's definitely a lot going on. By analysing the source we can see some images are in the images/uploads/ folder, which is useful for later. Let's click the Login button at the bottom left.
First things first, let's try the default admin:admin. We get told it's invalid.
Now we can mess with the input to test for SQL injection. Tampering with a payload such as '<>:32;4#::!@$":' doesn't tell us it's invalid; perhaps it's having an effect?
If we try a basic payload such as admin'#, what happens? The logic here is that it logs in with the username admin and comments out the password check, so it always successfully logs us in, essentially making it
Success!
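As an added illustration (not code from the box or from this writeup), here is the kind of PHP login the admin'# payload defeats, beside a prepared-statement version that is immune to it. The users table and its column names are assumed.

```php
<?php
// Assumed schema (constructed for this example): table `users`
// with columns `username` and `password_hash`.

// Vulnerable form: submitted values are concatenated straight into the SQL text.
// With username "admin'#" and any password, MySQL receives
//   SELECT id FROM users WHERE username='admin'#' AND password='...'
// and everything after '#' is a comment, so the password check is gone.
function build_vulnerable_query(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username='$user' AND password='$pass'";
}

// Hardened form: a prepared statement keeps the query text fixed and binds the
// username as data, so a quote or '#' inside it can never alter the query
// structure. The password is verified against a stored hash, not compared in SQL.
function login_hardened(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    // password_verify returns false when no row matched or the hash does not verify
    return $found && password_verify($pass, $hash);
}

// Show what the payload does to the query text of the vulnerable version.
echo build_vulnerable_query("admin'#", 'anything'), PHP_EOL;

// Usage of the hardened login (connection details are constructed placeholders).
// The bound username "admin'#" is looked up literally, so no user row matches.
// $db = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
// var_dump(login_hardened($db, "admin'#", 'anything'));
```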