Results 1 to 2 of 2

Thread: A pleasant pentest experience

  1. #1
    Junior Member
    Join Date
    Aug 2014

    A pleasant pentest experience

    My friends chose a target for me to practise several days ago, acturallyI never thought that I can succeed because I was totally a green hand . Luckily ,I got the webshell of the website in the end ,I was excited and I knew it meant a lot to me.,so I just wanted to take a note about it and noticed the victim that its website was under high risk .
    My target was a website of nextmedia ,which is a famous company of media in HongKong., It was unbelievale that I found an injection point after a general scan , I just could not believe that it really exsited ,especially in such a large and popular website. I sent it to sqlmap but it was intercepted so I had to do it personerly ,I got some sensitive information and got into its backgroud successfully,here’s the capture of the sql injection.

    Luck was very importent during the penetest because I found a point where was able to upload files without any restrictions ,as a result I upload my webshell and got the authority of system .I was surprised when I check its database because nextmedia kept all the data without any encryptions, including members’ password ,It was a doubt for me to understand that it was so careless for such a big campany.Well,overall,I never had such a fluent experience like this ,it was so splendid,wasn’t it? I was pleasant to provide a capture of the webshell as below.

  2. #2
    Junior Member
    Join Date
    Aug 2016
    I'm probably just a douche but I hate pentests like that I want to figure out ways to bypass the waf, I don't want a sql injection vuln I want to perform ssti on whatever templates they are using, or eli, xxe, csv injections, padding oracle attacks, I want to have to port cves, I want to read mountains of developer documentation. I don't know running a scanner and just sqlmaping it or using burp to audit the same crappy kind of crud apps don't get me off anymore to be honest that's why I really never became a pentester even though I love the offensive side of sec. Yeah I'm a total douche.

Similar Threads

  1. The value of experience
    By Black Cluster in forum Tech Humor
    Replies: 0
    Last Post: June 14th, 2006, 03:56 PM
  2. My experience (E17)
    By gore in forum Operating Systems
    Replies: 15
    Last Post: March 18th, 2006, 06:15 AM
  3. Education or Experience
    By valhallen in forum Cosmos
    Replies: 11
    Last Post: March 11th, 2002, 12:27 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts