I was playing around with Bootstrap CSS and I had an idea for creating a few different types of logins that all appeared the same but were different.  In the end, I created four different logins and I go into how to bypass them.  Or in the case of one of them, why you can't bypass it. 

In the first example, we have a PHP login form that has the credentials baked into the PHP.

Viewing the UI, we see:


If your background is development, it's natural to look at pages, code, errors, etc., with a different eye than those of us who come from another avenue. When I see a URL that looks something like:

/id=1

I just automatically assume it's SQL. The first thing we'll do is insert a single quote to break the SQL statement in hopes that it will throw an error.


It's pretty rare for me to find MSSQL injections, and when I do, I have to dig through my notes to find the differences between MSSQL and MySQL. If you search for MSSQL vulnerable applications, you don't really find anything. On the flip side, do the same for MySQL and you'll find all the Damn Vulnerable stuff plus a bunch of others, not to mention the numerous legitimate applications with vulnerabilities.

Anyway, so I was playing around and, in my typical enumeration, I start off with Nmap:


I was looking up information on .htaccess and .htpasswd when I came across a link that described how to leverage .htaccess for persistence with a backdoor. It piqued my curiosity, but after playing around with it for a few minutes, I couldn't get it to work. I did some Googling and I still couldn't figure out whether the post had old information, was incorrect, or what. But then, after thinking about it, I realized it was far too complicated for what we're really trying to accomplish.

Odds are pretty good that someone is going to dig through their .htaccess file sooner than, say, some random .txt file that ends up in the webroot after install. So let's go that route.


According to the documentation: "str_replace: Replace all occurrences of the search string with the replacement string"

I seem to recall bypassing this some time ago, or maybe something similar. If I recall, you could double up on parts, get the replacement to remove parts, and end up with what you want. What you see below came from something else, but I pulled it over to my machine because I was trying to figure out if I could get code execution.


The description states: "This boot to root VM is designed for testing your pentesting skills and concepts. It consists of some well known things but it encourages you to use the functionalities rather than vulnerabilities of target."

Another box from my new favorite author. What I like about this one is that you can get lost in the amount of avenues, but if we focus on enumeration right from the start, all false avenues can be avoided.

We kick off with Nmap:



© 2020 sevenlayers.com