Exploitation

We know we have access to the admin login page, and we know we can upload a PHP file and access it at a particular location.

Login Credentials

Chances are that the login page has default credentials, such as nibbles/nibbles, admin/nibbles, admin/password, admin/admin, etc.

Successful login with admin/nibbles

Exploitation: PHP file upload

Based on our earlier enumeration, we are able to upload files that are not images on Nibbleblog 4.0.3. The upload is located in the plugins/images settings.

Image upload settings.

Uploading Reverse PHP shell and Information Disclosure

After uploading a PHP shell, the user is shown information that should not be visible.

After the shell is uploaded and our listener is set up on the proper port, we get a reverse connection when we access /content/private/plugins/my_image/image.php.

Successful shell access as user nibbles
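
From the defender's side, the request that triggers the uploaded file is visible in the web server's access log. The script below is an added example, not part of the original write-up: it flags any request for a script file under /content/private/. The combined log format, the extension list and the sample log lines are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_ROOT = "/content/private/"  # directory prefix taken from the write-up
# Assumption: extensions the server may hand to the PHP interpreter.
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /content/private/plugins/my_image/image.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:13 +0000] "GET /content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:40 +0000] "GET /content/private/plugins/my_image/Image.PHP?x=1 HTTP/1.1" 404 0 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def script_hits(lines):
    """Return (ip, timestamp, path, status) for script requests under UPLOAD_ROOT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        # Drop the query string, decode percent-escapes and collapse ./ and ../
        # so the comparison runs on the path the server would resolve.
        raw = unquote(urlsplit(m["target"]).path)
        path = ("/" + posixpath.normpath(raw).lstrip("/")).lower()
        # Check every segment: image.php/extra still runs image.php via PATH_INFO.
        is_script = any(seg.endswith(SCRIPT_EXT) for seg in path.split("/"))
        if path.startswith(UPLOAD_ROOT) and is_script:
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in script_hits(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged line means the server executed a script out of the upload directory; the matching hardening is to stop the web server from passing files under that directory to the PHP interpreter.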

Note:

  • The page could have a lockout mechanism; be careful with brute force, as this can lock you out.
