A friend of a friend wanted to see whether or not his site was secure.
Step 1) ZAP
Run automated scans using ZAP 2.7.0
Oh, hello there :)
It seems that there’s a PHP file that lets users download PDFs, but it also lets us traverse paths on the server and download PHP files. If we’re lucky, we can get all sorts of juicy data, such as database credentials.
Step 2) Getting files
Let’s try.
redacted.com/dl.php?pdf=../index.php
OK, that was incredibly easy. I have successfully downloaded the index.php file, where all the magic happens.
Now we just need to locate the file with the database credentials; this might be a clue:
Let’s send a new request:
redacted.com/dl.php?pdf=../admin/db_requete.php.php
We found that the site is SQL injectable. Even though they are using addslashes(), it doesn’t protect against an attack, because:
If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you’re using addslashes(), however, I’m in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That’s because 0xbf5c is interpreted as a single character.
But we want more: since we’re browsing the files, we can just get passwords and compromise everything.
Let’s find myConnexion.php:
redacted.com/dl.php?pdf=../admin/myConnexion.php
Too easy.
If those are correct, I should be able to enter.
Step 3) Entering the mysql server
Let’s try:
And there we have it. From here I could persist anything I want and do malicious stuff to users, and since none of the passwords are hashed I can clearly see what they are. And if they use the same passwords for other services, I could theoretically take control of email, social accounts, etc. But this is where I end it.
Long story short, the site wasn’t safe.
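How both holes would be closed on the server side, as an added example that is not the audited site’s code: the download handler only ever serves a .pdf from one directory and refuses anything that resolves outside it, and the query side uses a parameterised statement with the connection charset set instead of addslashes(). The directory, the database credentials and the users table layout are assumptions.

```php
<?php
// Added example, not the audited site's code. Assumes PDFs live in PDF_DIR and that,
// like dl.php, the file name arrives in the "pdf" query parameter.
declare(strict_types=1);

const PDF_DIR = '/var/www/site/pdfs'; // assumed location

// Resolve the requested name inside PDF_DIR. Returns the absolute path, or null
// when the name is malformed, is not a .pdf, or would resolve outside PDF_DIR.
function safe_pdf_path(string $requested): ?string
{
    // Only the file name is honoured: any directory part ("../admin/...") is dropped.
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $name)) {
        return null;
    }
    $base = realpath(PDF_DIR);
    $path = realpath(PDF_DIR . '/' . $name);
    // realpath() returns false for missing files and follows symlinks, so the
    // prefix check also rejects a link inside PDF_DIR that points elsewhere.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

$path = safe_pdf_path((string)($_GET['pdf'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);

// Query side: the 0xbf27 trick above works because addslashes() escapes bytes without
// knowing the connection charset. Set the charset on the connection and bind the
// value as a parameter; the credentials and table layout here are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('SELECT id, password_hash FROM users WHERE login = ?');
$login = (string)($_POST['login'] ?? '');
$stmt->bind_param('s', $login);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
// Store hashes, not plaintext, so a leaked table does not expose reusable passwords.
$ok = $row !== null && password_verify((string)($_POST['password'] ?? ''), $row['password_hash']);
```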