customers-survey.marketing.pg
A virtual host / sub-domain, customers-survey.marketing.pg, was discovered in the old instance of the target website.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/marketing]
└─$ curl -I -X OPTIONS http://customers-survey.marketing.pg/
HTTP/1.1 200 OK
Date: Tue, 01 Apr 2025 14:47:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: LS-EYFVWDSAKOIAECZM=1u2hsuebiel3au4qptcjt7926j; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/marketing]
└─$ curl -I http://customers-survey.marketing.pg/
HTTP/1.1 200 OK
Date: Tue, 01 Apr 2025 14:47:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: LS-EYFVWDSAKOIAECZM=all1c3g38ut89mqfjvvknh6sak; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Webroot
It’s hosting an instance of LimeSurvey. It also revealed the admin user.
LimeSurvey (formerly PHPSurveyor) is a free and open source online statistical survey web app written in PHP using a MySQL, SQLite, PostgreSQL or MSSQL database, distributed under the GNU General Public License. Its web interface enables users to develop and publish online surveys, collect responses, review statistics, and export the resulting data to other applications.
Source code is available for review
Admin Page
Navigating to the /admin endpoint redirected to /index.php/admin/authentication/sa/login. It’s a login page.
Default/Weak Credential
Authenticated with admin:password
Version Information
The version information is revealed at the bottom right: 5.3.24
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/marketing]
└─$ searchsploit LimeSurvey
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
LimeSurvey (PHPSurveyor 1.91+ stable) - Blind SQL Injection | php/webapps/18508.txt
LimeSurvey (phpsurveyor) 1.49rc2 - Remote File Inclusion | php/webapps/4156.txt
LimeSurvey 1.52 - 'language.php' Remote File Inclusion | php/webapps/4544.txt
LimeSurvey 1.85+ - 'admin.php' Cross-Site Scripting | php/webapps/35787.txt
LimeSurvey 1.92+ build120620 - Multiple Vulnerabilities | php/webapps/19330.txt
LimeSurvey 2.00+ (build 131107) - Multiple Vulnerabilities | php/webapps/29789.txt
LimeSurvey 3.17.13 - Cross-Site Scripting | php/webapps/47386.txt
LimeSurvey 4.1.11 - 'File Manager' Path Traversal | php/webapps/48297.txt
LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting | php/webapps/48523.txt
LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting | php/webapps/48289.txt
LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting | php/webapps/48762.txt
LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated) | php/webapps/50573.py
LimeSurvey < 3.16 - Remote Code Execution | php/webapps/46634.py
LimeSurvey Community 5.3.32 - Stored XSS | php/webapps/51926.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
It would appear that the target instance is only vulnerable to a Stored XSS, given the version. There is an RCE exploit that targets version 5.2.4, and it might still be viable.
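The version reasoning above, written out as a small triage script (an added example, not part of the original write-up): it pulls the version constraint out of each searchsploit title, compares it with the deployed 5.3.24, and says which entries are ruled out and which still need a changelog check. The title list is constructed from the output above and the verdict wording is my own.

```python
import re

# Constructed sample input: a subset of the searchsploit titles shown above.
TITLES = [
    "LimeSurvey (PHPSurveyor 1.91+ stable) - Blind SQL Injection",
    "LimeSurvey 4.1.11 - 'File Manager' Path Traversal",
    "LimeSurvey 5.2.4 - Remote Code Execution (RCE) (Authenticated)",
    "LimeSurvey < 3.16 - Remote Code Execution",
    "LimeSurvey Community 5.3.32 - Stored XSS",
]

# Optional comparison operator, a dotted version, optional trailing '+'.
VERSION_RE = re.compile(r"(<=|<)?\s*(\d+(?:\.\d+)+)(\+)?")


def parse_version(text):
    """'5.3.24' -> (5, 3, 24); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def classify(title, target):
    """Return (version string from the title, verdict) for one title."""
    match = VERSION_RE.search(title)
    if not match:
        return (None, "no version in title")
    op, ver_text, plus = match.groups()
    ver = parse_version(ver_text)
    if op == "<":                      # upper bound: fixed at 'ver'
        return (ver_text, "affected" if target < ver else "not affected (outside range)")
    if op == "<=":
        return (ver_text, "affected" if target <= ver else "not affected (outside range)")
    if ver == target:                  # advisory written against this exact release
        return (ver_text, "affected")
    if ver < target:                   # older release: only the changelog says if it was fixed
        note = " (title says '+', i.e. that release and later)" if plus else ""
        return (ver_text, "older release: check changelog" + note)
    # Newer release: the target is likely affected unless the bug was introduced later.
    return (ver_text, "newer release: likely present, verify")


def triage(titles, target_text):
    """Map every title to its verdict against the deployed version."""
    target = parse_version(target_text)
    return {title: classify(title, target) for title in titles}
```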