Hi guys,
I’m in the last step of the skill assesment but i dont succeed in the log poisoning of the admin panel. When im poisoning the log access, the response when i modify the user-agent with a shell, its buged i think.
@TreKar, Take a look at your webshell. I think that is where your issue lies. Its been a long time since I did that exercise so I cannot be 100% certain. But the use of apostrophes " looks wrong.
"<?php system($_GET["cmd"]); ?>"
If you are going to use " to surround the cmd variable, then use single ' apostrophes on the outside. I was looking in on the log poisoning section too, they don’t use any surrounding " at all.
Hope that helps!!
-onthesauce
Yes, i attempted before with the common PHP Shell payload, and after i attempt with the single quote, that i saw in another page. I Will attempt again with the payload of double quotes.
Here a screenshot.
It gets “buged” and doesnt give more responds after that, and i dont know why
@TreKar Alright, I just booted it up and took a look. I followed the Log Poisoning Section exactly and got results just fine.
Looking at your two screen shots shows that you have webshell still written in the User Agent field when trying to get the id command.
I am gonna DM you right now and we can help get you on the right track, but I would remove the two screenshots because they give away the admin panel super easily.
-onthesauce
Yes of course, the screenshots are spoiler, i explained my issue with them.
I want to solve the problem :))
Haha I know, I just DM’d you though.