db.php file, we managed to leak the MySQL login username and password.
However, MySQL does not allow remote access, so we have to search for other methods.
Both the portal and the book search site share the same database authentication credentials.
Based on the PHP code logic, we need to log in as Paul, as documented in
Going further into portal/cookie.php, we found the method that generates the PHP session cookie using a fixed secret that should be changed every week.
By brute-forcing all 4 characters of Paul, we found that the letter l seems to be the correct letter.
We can concatenate the username paul with the MD5 of the hardcoded secret, replacing the random character with l, which would yield the cookie:
After crafting the JWT token and PHPSESSID cookie, we can log in as Paul in the admin portal.
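The session-cookie weakness above comes down to a token that is derived from data an attacker can read (the username and a hardcoded secret) plus very little randomness. The following PHP is an added example, not the challenge's own portal/cookie.php: it shows a predictable cookie scheme of the kind the write-up describes next to a hardened replacement. The secret value, the function names, the in-memory `$store` array and the user name are all assumptions for illustration.

```php
<?php
// Added example: predictable session cookie vs. hardened opaque session token.
// Nothing here is the challenge's original code; all names are assumed.

// --- Weak pattern (assumed reconstruction of the write-up's description) ---
const HARDCODED_SECRET = 'PLACEHOLDER-fixed-secret';   // never ship a fixed secret in source

function weak_session_cookie(string $username): string {
    // username . md5(secret) with a single random letter: anyone who reads the
    // secret from source only has to guess one character, so rotating the
    // secret "every week" does not help once the source is readable.
    $cookie = $username . md5(HARDCODED_SECRET);
    $pos = strlen($username);
    $cookie[$pos] = chr(random_int(ord('a'), ord('z')));
    return $cookie;
}

// --- Hardened pattern: opaque random token, bound to the user server-side ---
function issue_session(string $username, array &$store): string {
    // 32 random bytes = 256 bits of entropy from the OS CSPRNG. The cookie
    // carries no user data and no secret, only an opaque identifier.
    $token = bin2hex(random_bytes(32));
    // Store a hash of the token, so a leaked session table cannot be replayed.
    $store[hash('sha256', $token)] = [
        'user'    => $username,
        'expires' => time() + 3600,
    ];
    return $token;
}

function validate_session(string $token, array $store): ?string {
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                       // unknown or forged token
    }
    if ($store[$key]['expires'] < time()) {
        return null;                       // expired session
    }
    return $store[$key]['user'];
}

// Demonstration
$store  = [];
$cookie = issue_session('paul', $store);   // 'paul' is a constructed sample user
setcookie('PHPSESSID', $cookie, [
    'expires'  => time() + 3600,
    'secure'   => true,       // HTTPS only
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Strict',
]);
var_dump(validate_session($cookie, $store) === 'paul');       // bool(true)
var_dump(validate_session('not-a-real-token', $store) === null); // bool(true)
```

The check that matters for a reviewer is whether a session identifier can be recomputed from anything outside the server's random number generator; if the cookie is a function of a username and a secret that lives in source, it is guessable no matter how often the secret is rotated.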