Curiosity leads to some advanced pwn!

Time ago I was looking at the website of a technology company, and got some interest in finding , with a little bit of luck, any vulnerabilities.
The name of the company will be redacted for privacy and security reasons.
As first task I started browsing the website to understand the logic of frontend and backend.
After a while I just fired up my Burp Suite application and its crawler to find all paths/files/inputs/etc.
10 minutes later I filtered Burp’s map for only parameterized requests and I started doing some fuzzing, but first I wanted to know if there was some kind of WAF/IPS/IDS.
I tried with some usual characters like: ' " < > / \ or %00 %0a %27 %22 to find any relevant error in responses or response code changes or any others differences due to tampering or defense mechanism.
I helped myself with WafW00f to get any other hits, but no problem or differences were noted, so It seemed that no defenses were present

I used Burp Suite’s Intruder tool to have a little idea about the web app handling tampered inputs and It resulted that the website was somehow susceptible in some inputs.

The first input I noted more susceptible was the GET parameter limit in /en/load-more-news.php.
I thought:”Maybe the limit parameter refers to LIMIT used in a SQL query” and by putting a null value I got a response containing only errors!

Error Screen:

This error just confirmed there was an SQL Injection!
So, what now? I searched for others problems/bug/vulnerabilities and found a path traversal in the download section!
While you browse the site, you can download some PDF from the company, but download is made through the php file /redacted-resources/download.php?file_basename=X.pdf.
The file_basename parameter was very susceptible and I found that using ../../../../../../../etc/resolv.conf as payload allowed me to see all dns used by the server, ../../../it/index.php allowed me to download the index page, so I could read the entire source code of web application!

Resolv.conf file:

Index.php file:

At this point I found (by searching into files) the file for DB connection and configuration in /it/configuratore.php and I got the MySQL database credentials:

Unfortunately the DB access was allowed only from localhost, but no panic, I still got the SQL injection to exploit, so I called SQLMap to eccelerate the data exfiltration task and got CMS’ admin access.
I got username and hashes(md5), cracked them and then logged in!

Admin Users dump:

Admin Panel log-in:

What a nice job, right? But I got more to find!

By looking and trying some tampered requests I found a Stored XSS and many others SQL Injections in the CMS Admin Panel.

The Stored XSS was in the name field of press releases and It affected only the user visiting the site in press releases page, not the administration panel.

XSS set in Admin Panel:

XSS Stored PoC affecting any user out on press releases page:

The others SQL Injection were found by just putting a ' as proof, and errors raised up!

SQL Injection in CMS Admin Panel:

At the end I was very lucky, but determined too, and I have been repaid!

I have stopped there, but I’m sure if I have analyzed the source code too I surely would have found some RCE, Command injections or anything else..

So, my curiosity was satisfied and I ended up with:
many vulnerabilities, 2 targets, 1 shot!