Similar to previous notes about hunting bugs in Centreon few weeks ago I prepared a new lab to test 'current/latest' version of this webapp. Below you'll find the details. Here we go...
This time we'll start here:
Preparing the Lab:
- Centreon 'latest' version I used this time was: centreon-vbox-vm-23_10-1.el8.zip.
- Attacker box was: Kali VM
- Burp Suite (free version will be fine)
- sqlmap
Quick Blackbox testing:
Just like during few other 'testing cases' already described on the blog when lab was prepared I started a "normal blackbox" pentest.
After a while with Burp (logged-in as an admin user) I was able to inject additional HTML/JS code. This way I was able to identify XSS bug in this webapp:
Preparing our request (parameter: metric):
Response is presented below:
Checking results:
Modifying our request to inject JS code:
Checking results:
At this stage I continued my journey with Burp and Centreon and after a while I decided to put one of the requests as an input.txt for sqlmap. Full request with vulnerable parameter is presented below:
With few 'errors' (related to used payload) I decided to grab the source and check for some more details about the bug:
More source:
When you'll try to use the request presented above with sqlmap as an input - after few minutes you should have a similar result that is presented on the screen below:
Remember to use it during your legal pentests! ;)
Let me know in the comments what do you think about it.
If you like the content of this blog - feel free to share and subscribe.
In case of any questions - you know how to find me. ;)
Cheers
Brak komentarzy:
Prześlij komentarz