Full website takeover

May 21, 2023

Got full access to the server

This blog post shows the impact when upload functionality is not implemented properly.

Using ffuf I found a login page, and an admin login at that :)

With a simple SQL injection I was able to bypass the login ( ' or 1=1 -- ).

In the admin panel there are a lot of options, including uploading images. So I decided to upload a web shell and gain access to the entire site.

After uploading the shell I navigated to the home directory of the site and added a small tag to the index page (the homepage of the site).

Sorry for the blurry image.

Here we have all privileges: we can download, edit and delete everything on that server.
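The root cause here is an image upload that trusts the client's filename and content. The following is an added example (not code from the site in this post) of how such an upload handler can be hardened: one extension only, from an allowlist, content magic bytes that match the extension, a size limit, and a server-chosen random filename so the client never controls what lands on disk. The allowlist and size limit are assumptions chosen for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed allowlist: image types the admin panel is meant to accept, with their magic bytes.
ALLOWED_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for an image upload


def validate_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload looks like an allowed image, else raise."""
    name = os.path.basename(filename)        # strip any path components the client sent
    suffixes = Path(name).suffixes           # 'shell.php.jpg' -> ['.php', '.jpg']
    if len(suffixes) != 1:                   # reject double extensions and dotfiles like .htaccess
        raise ValueError("exactly one extension expected")
    ext = suffixes[0].lower()
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError(f"extension {ext} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise ValueError("empty or oversized upload")
    if not data.startswith(ALLOWED_SIGNATURES[ext]):  # a script renamed to .jpg fails here
        raise ValueError("content does not match extension")
    return ext


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True when validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return False or True
    return False


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random server-chosen name; the client's name is never reused."""
    ext = validate_upload(filename, data)
    dest_dir = Path(upload_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    return str(dest)


def demo() -> bool:
    """Store a constructed PNG in a temp dir and confirm the on-disk name is server-generated."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    path = store_upload("avatar.png", png, tempfile.mkdtemp())
    return Path(path).exists() and Path(path).name != "avatar.png" and path.endswith(".png")
```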