Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as the root user after compromising the target system.
Cron
[root@insanityhosting cron]# ll
total 8.0K
0 drwx------. 2 root root 33 Aug 16 2020 .
4.0K -rw-------. 1 monitor monitor 60 Aug 16 2020 monitor
4.0K -rw-------. 1 root root 1 Aug 16 2020 root
0 drwxr-xr-x. 11 root root 133 Aug 16 2020 ..monitor Cronjob
[root@insanityhosting cron]# cat monitor
* * * * * /usr/bin/php -q /var/www/html/monitoring/cron.phpExecute /var/www/html/monitoring/cron.php, every minute
/var/www/html/monitoring/cron.php
[root@insanityhosting cron]# cat /var/www/html/monitoring/cron.php
<?php
require_once('class/ping.php');
use JJG\Ping as Ping;
require_once('settings/config.php');
require_once('class/database.php');
$sqlString = "SELECT * FROM monitoring.hosts INNER JOIN monitoring.users ON monitoring.hosts.userID = monitoring.users.id";
$currentdb = new database($databaseName, $databaseServer, $databaseUsername,
$databasePassword);
$row = $currentdb->constructQuery($sqlString)
->bind(1, $currentUser->userID)
->resultset();
foreach($row as $result) {
$host = $result["ipAddress"];
$status = 0;
if (filter_var($host, FILTER_VALIDATE_IP)) {
$ping = new Ping($host, 255, 1);
$currentTime = date('Y-m-d H:i:s');
$latency = $ping->ping();
if ($latency !== false) {
// Host is up
$status = 1;
} else {
$status = 0;
}
}
$sqlString = "INSERT INTO log (name, dateTime, status) VALUES (?,?,?)";
if ($currentdb->constructQuery($sqlString)
->bind(1, $result["name"])
->bind(2, $currentTime)
->bind(3, $status)
->execute()) {
};
if ($status == 0) {
$sqlString = "SELECT * FROM monitoring.log WHERE name = \"" . $result["name"] . "\"";
$rows = $currentdb->constructQuery($sqlString)
->resultset();
if (count($rows) > 0) {
$output = fopen('php://temp/maxmemory:'. (5*1024*1024), 'r+');
foreach($rows as $res) {
fputcsv($output, $res);
}
rewind($output);
$output = stream_get_contents($output);
$output = "ID, Host, Date Time, Status\r\n" . $output;
$data = $result["name"] . " is down. Please check the report below for more information.";
mail($result["email"], "WARNING", $data . "\r\n\r\n" . $output);
}
}
}
?>Vulnerable to SQLi
root Cronjob
[root@insanityhosting cron]# cat root
Empty