Hello guys,
I came across a server with a local file inclusion vulnerability. It is on the following server: www.cct-fortis[.]com.
Example of the LFI http://www.cct-fortis[.]com/getfiles.php?filename=../eng/index[.]php.
What I already tried and know:
- There is probably just one webapp running on the target IP.
- Only port 80/tcp.
- It's a PHP webapp running on a Windows box with IIS/6.0
- Tried some exploits for IIS/6.0 (metasploit + searchsploit) but with no luck
- Downloaded lots of source code files
- There is an admin section at target/admin
- Got some creds from the config file; it is using a MySQL DB running on localhost
- Tried to enumerate files and dirs but didn't find anything interesting
- Identified basedir of LFI as D:\LocalUser\cct-fortis/upload/
- I wasn't able to jump to the C: drive to read system files and get some LFI2RCE
- Going through source code I found that:
-- ../inc/config.inc.php - contains creds for the DB
-- ../admin/login.inc.php uses addslashes in the SQL query, but I wasn't able to bypass it using SQLi
-- Found a potential place for SQLi in ../eng/investor/announcements.php where the year is controlled by the user in POST, but I wasn't able to exploit it because anything different from a simple year number will not pass the in_array condition
I'm just a beginner trying to learn stuff, not do any harm. I would be very interested if someone would point me at what I'm missing or show me how you would pop a shell there, if possible.
Here is the source code that I got from the server so far:
PHP:
// login.inc.php: login and password are only escaped with addslashes()
// before being formatted into the query string
$sql = sprintf("SELECT count(1) FROM user WHERE login = \"%s\" AND password=\"%s\"",
addslashes($login),
addslashes($password)
);
PHP:
// announcements.php: $year is taken from the request only if it appears in
// the whitelist $yearArray; it is then formatted into the query with %d
if (isset($_REQUEST['year']) && is_array($yearArray)) {
if (in_array($_REQUEST['year'], $yearArray)) {
$year = $_REQUEST['year'];
}
}
// table name comes from the application's own $tableName array, not from the user
$stmt = sprintf("SELECT aprid, apr_title, pdflink, DATE_FORMAT(ptime,'%%d %%b %%Y') AS pdate
FROM %s
WHERE YEAR(ptime) = %d AND stat='active'
ORDER BY ptime DESC",
$tableName[$dbidx],
$year
);
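For comparison, here is the defensive counterpart to the two weaknesses in the post (the traversal in getfiles.php and the escaped-string login query), as an added example that is not the site's own code. The base directory, the mysqli connection and the function names are assumptions.

```php
<?php
// Added example, not code from the target site. Shows how the two patterns
// discussed above look when written safely.

// 1. Download endpoint: resolve a user-supplied file name strictly under a
//    fixed base directory. realpath() canonicalises "..", and on Windows
//    both "\" and "/" separators, so a prefix check on its result is reliable.
function resolve_download_path(string $baseDir, string $filename): ?string
{
    $base = realpath($baseDir);               // $baseDir is an assumed setting
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Only a bare file name is accepted: no directory components at all.
    if ($filename === '' || basename($filename) !== $filename) {
        return null;
    }
    $full = realpath($base . $filename);
    // realpath() is false for missing files; the canonical path must also
    // still start with the base directory.
    if ($full === false || strncmp($full, $base, strlen($base)) !== 0) {
        return null;
    }
    return $full;
}

// 2. Login query with a prepared statement instead of addslashes() + sprintf(),
//    so the values never become part of the SQL text.
function count_user(mysqli $db, string $login, string $password): int
{
    $stmt = $db->prepare('SELECT COUNT(1) FROM user WHERE login = ? AND password = ?');
    $stmt->bind_param('ss', $login, $password);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// 3. Year filter: strict whitelist match, with a fixed fallback, so $year is
//    always defined and always an integer before it reaches the query.
function select_year(array $yearArray, $requested, int $default): int
{
    if (is_string($requested) && ctype_digit($requested)
        && in_array((int) $requested, array_map('intval', $yearArray), true)) {
        return (int) $requested;
    }
    return $default;
}
```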