Leaking Secrets and User Configurations

From the db.php file, we manage to leak the MySQL login username and password.

Leaked MySQL secrets

However, MySQL does not allow remote access. We have to search for other methods.

Both the portal and the book search site shares the same database authentication credentials.

JWT secret leaked

JWT Secret

Based on the PHP Code logic, we need to login as Paul as documented in portal/includes/fileController.php.

Checks for paul

Going further into portal/cookie.php, we found the method to generate the PHP Session cookie using a fixed secret that should be changed every week.

custom PHPSSEID generation

By bruteforcing all 4 characters of Paul, we managed to find that the letter l seems to be the correct letter.

We can concat the username paul with the MD5 of the hardcoded secret, replacing the random character with l which would yield the cookie: paul47200b180ccd6835d25d034eeb6e6390

Craft JWT

After crafting the JWT Token and PHPSESSID cookie, we can login as Paul in the admin portal.

Paul admin dashboard

Leaking Secrets and User Configurations

MySQL login creds​

JWT secret leaked​

Login requirements​

Leaked Cookie generation method​

MySQL login creds

JWT secret leaked

Login requirements

Leaked Cookie generation method